On June 2, 2021, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announced another settlement of an enforcement action in its Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative. This is the nineteenth settlement so far under the initiative.

This most recent settlement arose from a patient complaint filed in August 2019, alleging that a West Virginia provider failed to provide a copy of a minor child’s protected health information (PHI) in a designated record set to the child’s parent.  Following the complaint, the OCR initiated an investigation and determined that the provider potentially violated HIPAA’s right of access standard. 

The HIPAA right of access standard can be found at 45 CFR §164.524, and generally provides that a HIPAA covered entity must provide individuals, upon request, with access to PHI about the individual maintained by the covered entity in one or more designated record sets.  An individual’s personal representative (which would be any person with authority under state law to make health care decisions for the individual, like the parent of a minor), also has the right to access an individual’s PHI, upon request, consistent with the scope of such representation (see 45 CFR §164.502(g)).

As a result of the OCR investigation, the provider agreed to pay $5,000 to settle a potential violation of HIPAA’s right of access standard.  In addition to the penalty, the provider agreed to take corrective actions including two years of monitoring. The provider ultimately provided a copy of the child’s records in May 2021, nearly two years after the parent’s initial request.  

Key Takeaways:

  • Do not underestimate frustrated patients.
    • Patients do not have a private right of action under HIPAA.  However, they can and will file a complaint with the OCR, and the OCR can and will take action on legitimate complaints. The HIPAA right of access standard is currently a key enforcement priority.
  • Make sure staff is familiar with HIPAA rights regarding access to health records, not just requirements restricting disclosure of PHI.
    • Provider staff often understand the restrictive components of HIPAA very well, but sometimes may take HIPAA too far. Staff should have a deep understanding of the statute’s full requirements, including certain rights patients have to access records timely and at a reasonable cost.  And in cases where the staff may have questions, they should know to reach out to the provider’s active and trained HIPAA compliance officer.   
  • It is far more affordable to implement an effective HIPAA compliance program and to train and support a HIPAA compliance officer than to put an effective HIPAA compliance program in place retroactively.
    • While the cost of the settlement may seem small in this case, the overall cost of the HIPAA complaint is not limited to the assessed penalty.  An investigation can result in legal fees in navigating the investigation, disruptions to the provider’s operations during the investigation, and the cost of implementing a corrective action plan (including monitoring for two years) after the settlement. 

The attorneys at Chilivis Grubman represent healthcare providers and businesses in connection with HIPAA compliance concerns and investigations.  If you need assistance with such matters, please contact us today.