The HIPAA Right of Access Initiative by the U.S. Department of Health and Human Services’(HHS) Office of Civil Rights (OCR) was first announced in 2019. Under the initiative, OCR is committed to vigorously enforce the HIPAA rules that allow patients to access their protected health information, as delineated in 45 C.F.R. § 165.524. Since the initiative’s announcement, there have been eighteen settlements related to patients’ right of access enforcement actions.
In February, CG attorneys wrote about the fifteenth and sixteenth settlements associated with the HIPAA Right of Access Initiative. Within the first six weeks of 2021, OCR secured three published HIPAA Right of Access Initiative settlements totaling nearly $350,000. Add two more to the list – OCR announced its seventeenth settlement on March 24, 2021, and its eighteenth settlement on March 26, 2021.
OCR’s Seventeenth Right of Access Initiative Settlement
On July 5, 2019, OCR received a complaint alleging that Arbour Hospital did not timely respond to a record request made on May 7, 2019. OCR provided technical assistance to Arbour on the HIPAA right of access requirements. On July 22, 2019, the patient filed a second complaint with OCR alleging that Arbour had yet to provide the requested records.
OCR initiated an investigation and noted that Arbour provided the patient with a copy of the requested records in November 2019, six months after the original request and four months after the first complaint. OCR determined that Arbour potentially violated HIPAA’s right of access rules. Arbour agreed to pay $65,000 to settle the potential violation. Arbour also agreed to a corrective action plan with a one-year term. The settlement was not an admission of wrongdoing by Arbour, nor a concession by HHS that Arbour did not violate HIPAA.
OCR’s Eighteenth Right of Access Initiative Settlement
On September 7, 2019, OCR received a complaint filed by a patient of Village Plastic Surgery (VPS). The patient alleged that VPS did not provide the patient a copy of his/her medical records, despite the patient requesting the records in August 2019. OCR initiated an investigation and determined that VPS did not timely provide the records, potentially violating HIPAA’s right of access requirements. Covered entities are generally required to act on an access request within 30 days of receiving the request, and within 60 days under certain circumstances. Ultimately, the patient’s records were sent to the patient because of OCR’s investigation.
VPS agreed to pay $30,000 to settle the potential violation and agreed to a corrective action plan with a two-year term. The settlement was not an admission of wrongdoing by VPS, nor a concession by HHS that VPS did not violate HIPAA.
In many of the HIPAA Right of Access Initiative settlements, OCR initially provides technical assistance and does not initiate a formal investigation until there is a second complaint against the covered entity related to that technical assistance. However, the VPS settlement appears to mark the second HIPAA Right of Access Initiative enforcement action resulting in a settlement without OCR providing prior technical assistance or subsequent to a second complaint. Neither the press release nor corrective action plan indicates whether technical assistance or a second complaint was made before OCR’s investigation.
OCR has secured five settlements in the first three months of 2021, totaling nearly $450,000. The HIPAA Right of Access Initiative shows no signs of slowing and enforcement actions likely will continue. Similar to his predecessor, Acting OCR Director Robinsue Frohboese’s stance on OCR enforcement actions related to HIPAA right of access is clear: “[c]overed entities must comply with their HIPAA obligations and OCR will take appropriate remedial actions if they do not.”
Covered entities should ensure familiarity and compliance with HIPAA requirements, including a patient’s right to access protected health information. Patients’ rights under HIPAA to access protected health information are located at 45 C.F.R. § 165.524 and there is HHS guidance on the topic. As demonstrated in VPS’ settlement, OCR may not always provide technical assistance or a second opportunity to comply with HIPAA’s right of access standards and covered entities should not expect nor rely upon OCR providing such opportunities.
Chilivis Grubman partner Randy Dalbey joined Donna Grindle of Kardon to present a FREE one-hour webinar entitled HIPAA 2021 – A KINDLER, GENTLER HIPAA? You can watch the webinar for FREE on-demand here. Other HIPAA-related matters are available here. CG attorneys have also written about the tenth, eleventh, twelfth, thirteenth, fourteenth, fifteenth, and sixteenth HIPAA Right of Access Initiative settlements.
The attorneys at Chilivis Grubman assist businesses of all types and sizes in connection with HIPAA-related matters, including breach response, breach notification, OCR investigations, and resulting civil litigation. If you need assistance with such a matter, please contact us today.