OCR Announces 20th Settlement Under HIPAA Individual Access Initiative

HHS’s Office for Civil Rights (OCR) has announced the 20th settlement under its initiative to enforce the HIPAA provisions giving individuals the right to access their protected health information (PHI). According to OCR’s summary, a parent filed a complaint with the agency alleging that a health care provider (a HIPAA covered entity) had failed to provide her with timely access to her deceased minor daughter’s medical records. The provider furnished some of the requested records, but the remainder—which had to be collected from another division of the covered entity—were not provided, notwithstanding the parent’s multiple follow-up requests. OCR initiated an investigation and determined that the covered entity’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard, which requires a covered entity to act on an access request within 30 days of receipt (or within 60 days if an extension is applicable). OCR indicates that, because of its investigation, the parent ultimately received all the requested records.

In addition to an $80,000 settlement payment, the covered entity agreed to a corrective action plan (CAP). The CAP requires the covered entity to review and revise its policies and procedures related to the right to access PHI, subject to HHS’s review and approval, with distribution of the approved policies and procedures to workforce members. The revised policies and procedures must address timely and comprehensive responses to record requests, including requests to transmit PHI to third parties, and training protocols for workforce members. Revised training materials must be submitted to HHS for approval and used to train all workforce members whose job duties include receiving, reviewing, processing, or fulfilling individual requests to access PHI. The covered entity must submit an implementation report and one annual report to HHS attesting to compliance with the CAP.

EBIA Comment: OCR has emphasized enforcement of the individual access right for several years, primarily against health care providers. However, health plans, as covered entities, are also subject to this requirement, and business associates have access obligations as set forth in their business associate contracts. This resolution agreement is noteworthy because it highlights some important HIPAA fundamentals. First, HIPAA privacy protections continue to apply to PHI after an individual’s death. Second, an individual’s personal representative generally stands in the individual’s shoes when invoking the individual’s access right, even if the individual is deceased. And third, when HIPAA applies to a covered entity, it generally applies across the entire enterprise. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.D (“Resolution Agreements”), XXII.A (“What Information Is Protected?”), XXVI.G (“Personal Representatives, Minors, and Spouses”), and XXVII.B (“Right to Access PHI in Designated Record Set”). You may also be interested in our webinar “Practical Application of HIPAA Use and Disclosure Rules for Group Health Plans” (recorded on 8/12/21).

Contributing Editors: EBIA Staff.