On March 28, 2022, the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced the resolution of two more complaints under its Right of Access Initiative. This brings the total number of cases to 27 since the initiative was first announced in 2019, with financial liability imposed on covered entities ranging from $3,500 to $200,000. OCR began this initiative “to support individuals’ right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule.” As the third most common issue raised in complaints to OCR regarding noncompliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the individual’s right of access continues to pose a challenge to HIPAA covered entities resulting in significant financial and organizational risk for noncompliance.
Dentist Agrees to $30,000 Settlement for Failure to Provide Entire Copy of Designated Record Set
While there is little detail surrounding the facts giving rise to the complaint, this resolution arose from a solo dental practitioner’s failure to provide a single patient with a complete copy of her designated record set when requested. In 2019, OCR provided the dentist with preliminary indications of noncompliance and an opportunity to submit written evidence of any mitigating factors or in support of a waiver of a civil monetary penalty (“CMP”). When the dentist failed to provide any response to OCR, OCR issued a Notice of Proposed Determination imposing a $104,000 CMP for failure to comply with HIPAA’s right of access provisions. The dentist then requested a hearing before an Administrative Law Judge (“ALJ”) to contest HHS’s imposition of the CMP. Before the ALJ made a determination on the issue, the parties resolved the litigation. In the Settlement Agreement, the dentist agreed to instead pay $30,000 and take corrective actions to comply with the HIPAA right of access standard, including implementing and distributing compliant policies and procedures, training its workforce on such policies and procedures, and providing the individual with an entire copy of her designated record set.
Psychiatric Provider Faces $28,000 Resolution Agreement for Failure to Provide Timely Access and Charging Improper Fee
In 2018, OCR received a complaint from a patient that the psychiatric medical services provider had failed to provide a response to letters mailed on July 1 of each year from 2013 to 2018 requesting access to a copy of her medical records. The patient resubmitted her request via fax to the provider subsequent to her July 1, 2018 written request and received a complete copy of her medical records on May 16, 2019, by electronic mail, as requested. However, the provider first required her to travel to its office to complete its standard form to exercise her right to access, imposed a $25 flat fee, and initially provided an incomplete, single page paper copy of the requested records. As part of its investigation, HHS found that the provider “failed to provide timely access, in the form and manner requested, to protected health information about the individual in a designated record set; imposed an unreasonable fee that was not cost-based; and failed to implement policies and procedures regarding the right of access to protected health information.” HHS also determined that the provider had not designated a privacy official and that its Notice of Privacy Practices lacked required content.
To resolve the complaint and potential violations of the HIPAA Privacy Rule, including the right of access standard, the provider agreed in the Resolution Agreement to pay OCR $28,000 and institute a two-year corrective action plan, including implementing appropriate policies and procedures and related training materials to be updated annually (subject to ongoing review and approval by HHS), annually distributing and providing training on such policies and procedures to its workforce and relevant business associates, and annually obtaining certification from workforce members and business associates as to their review and compliance with such policies and procedures and completion of training. Policies and procedures subject to the Resolution Agreement included those regarding the designated record set and individual’s right of access. The provider was also required to establish protocols for training workforce members and business associates who assist in responding to such requests on compliance with such policies and for implementing appropriate sanctions for noncompliance. The provider additionally was required to update its Notice of Privacy Practices to include content consistent with the right of access standard and to designate a privacy officer. Finally, the provider was required to report any noncompliance with the right of access requirements by workforce members or relevant business associates to HHS at the time of noncompliance and in an annual report to HHS. Failure to comply with the corrective action plan could result in the imposition of a CMP for noncompliance with HIPAA, including the right of access standard.
Practical Takeaways
Notably, nearly all of the Right of Access Initiative enforcement actions involve a single individual unable to obtain some or all of their protected health information within the time or at a fee permitted by HIPAA. Providers will want to take note of the following common themes that continue to appear in the resolution announcements issued under OCR’s Right of Access Initiative:
- Not providing access to the entirety of the designated record set continues to be a noncompliance trend under right of access enforcement. However, compliance with this requirement is complicated by the difficulty the health care industry has in ascertaining the scope of information falling within the definition of a designated record set, particularly given the implications of the new Information Blocking Rule.
- HIPAA currently requires access to be provided within thirty days of receipt of an individual’s request, with only one 30-day extension permitted in certain circumstances if the individual is notified of the reasons for the delay and the date by which access will be provided. Failure to timely respond to the individual is common grounds for finding noncompliance. Note that the most recent proposed changes to the HIPAA regulations discussed shortening this timeframe to 15 days with one 15-day extension, though such a change has not yet been finalized.
- Imposition of flat-rate or per-page fees that are not appropriately “cost-based” as required by the HIPAA regulations, even if permitted under applicable state law, is a common ground for noncompliance. OCR has highlighted in guidance its preference that individuals receive free or low-cost copies of their health information in order to promote access in a non-discriminatory manner. Costly fees are therefore subject to increased scrutiny.
- Failure to timely respond to or comply with OCR correspondence and technical guidance on compliance with HIPAA requirements will likely increase the risk of financial liability to the covered entity.
- A complaint by an individual under the right of access can open the door to broader investigation by OCR into a covered entity’s HIPAA policies, procedures and practices, increasing the risk that noncompliance will be identified. Note that many of the resolution, penalty and settlement amounts assessed under the Right of Access Initiative include liability for additional issues identified during investigation, such as failure to have a designated privacy officer, failure to conduct a risk analysis or have appropriate policies and procedures, failure to conduct appropriate HIPAA training or deficiencies with the Notice of Privacy Practices.
Want more information on HIPAA’s right of access? Please join us for “Access Denied? Navigating HIPAA’s Right of Access,” an informational webinar on May 19.
If you have any questions or would like additional information about this topic, please contact:
- Mark Swearingen at (317) 977-1458 or mswearingen@wp.hallrender.com;
- Stephane Fabus at (414) 721-0904 or sfabus@wp.hallrender.com;
- Patricia Connelly at (317) 429-3654 or pconnelly@wp.hallrender.com; or
- Your regular Hall Render attorney.
Hall Render blog posts and articles are intended for informational purposes only. For ethical reasons, Hall Render attorneys cannot—outside of an attorney-client relationship—answer specific questions that would be legal advice.