OCR Announces More Settlements Under HIPAA Individual Access Initiative

HHS’s Office for Civil Rights (OCR) has announced three more settlements, bringing the total to 41, under its initiative to enforce the HIPAA privacy rule’s provisions giving individuals the right to access their protected health information (PHI). The three latest settlements involve dental practices that are HIPAA covered entities and failed to provide individuals with access to their medical records. In addition to making settlement payments ranging from $30,000 to $80,000, each covered entity agreed to a corrective action plan (CAP) that requires revisions to policies and procedures related to individuals’ right to access their PHI, subject to OCR approval. Other CAP provisions require incorporating the revised policies and procedures into HIPAA training materials (also subject to OCR approval) and providing annual training to workforce members. The news release indicates that OCR’s enforcement actions are part of a collective effort designed to send a message about the importance of compliance with HIPAA’s requirements.

EBIA Comment: OCR’s enforcement of the individual access right has primarily focused on health care providers—in these cases dental practices. As covered entities, health plans are also subject to this requirement, and business associates have access obligations as set forth in their business associate contracts. OCR’s most recent Report to Congress on HIPAA compliance and breach notifications lists access rights as one of the top five violations alleged in complaints resolved by OCR in 2020 (see our Checkpoint article). For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.D (“Resolution Agreements”), XXII.A (“What Information Is Protected?”), and XXVII.B (“Right to Access PHI in Designated Record Set”).

Contributing Editors: EBIA Staff.