HHS Resolution Agreements: NY Spine Med. (Sept. 29, 2020); St. Joseph’s Hosp. and Med. Ctr. (Sept. 25, 2020); Wise Psychiatry, PC (Aug. 21, 2020); Patricia King MD & Assocs. (Aug. 20, 2020); Beth Israel Lahey Health Behavioral Services (Aug. 7, 2020); All Inclusive Med. Servs., Inc. (July 15, 2020); Housing Works, Inc. (June 22, 2020); HHS News Releases: OCR Settles Ninth Investigation in HIPAA Right of Access Initiative (Oct. 9, 2020); OCR Settles Eighth Investigation in HIPAA Right of Access Initiative (Oct. 7, 2020); OCR Settles Five More Investigations in HIPAA Right of Access Initiative (Sept. 15, 2020)
HHS’s Office for Civil Rights (OCR) has announced seven more settlements resolving alleged violations of HIPAA provisions giving individuals the right to access their protected health information (PHI). With these settlements, OCR has completed a total of nine enforcement actions under an initiative announced in 2019 to emphasize individual access rights (see our Checkpoint article). Each of the seven latest settlements involves the failure of a HIPAA covered entity to provide access to an individual’s medical records. (In three cases, the request was made by the individual’s personal representative.) In addition to settlement payments ranging from $3,500 to $160,000, each covered entity agreed to a corrective action plan (CAP) that requires revisions to policies and procedures related to individuals’ right to access their PHI (and, in some cases, other privacy rule provisions), subject to OCR approval. Other CAP provisions require incorporating the revised policies and procedures into HIPAA training materials (again subject to OCR approval); providing annual training to workforce members; and, for a specified future period, furnishing OCR with information about individual access requests and notifying OCR if any request is denied. The CAP associated with the largest settlement also requires the covered entity to review and update its policy for designated record sets to ensure comprehensive responses to record requests.
The September 2020 news release indicates that OCR’s enforcement actions are designed to send a message about the importance and necessity of HIPAA compliance. OCR noted that it considers a variety of factors in determining the amount of a settlement, including the nature and extent of the potential HIPAA violation and resulting harm; the entity’s HIPAA compliance history; the financial condition of the entity (including its size and the impact of the COVID-19 public health emergency); and other matters as justice may require.
EBIA Comment: Because each resolution agreement involved a single individual’s access rights, the wide variation in settlement payments likely can be explained by the factors listed in the September 2020 news release. Apart from those factors, penalties can increase rapidly when multiple individuals are affected or when additional HIPAA provisions are violated. Perhaps because of their familiarity with ERISA disclosure rules, group health plan sponsors and administrators seem more attuned to individuals’ access rights than many health care providers. Plans should consider ERISA and HIPAA together when responding to requests for information. A good starting point is to have clear policies and procedures for identifying “designated record sets,” which are the HIPAA-defined health records that must be accessible to individuals under the privacy rule. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.D (“Resolution Agreements”), XX.E (“Civil Monetary Penalties”), and XXVII.B (“Right to Access PHI in Designated Record Set”). See also EBIA’s ERISA Compliance manual at Section XXXIV.L (“Some Implications of HIPAA Privacy and Security Rules for ERISA Claims Processing”). You may also be interested in our webinar “Learning the Ropes: An Introduction to HIPAA Privacy & Security” (recorded on 5/14/20).
Contributing Editors: EBIA Staff.