On March 24 and 26, 2021, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced two settlements, its seventeenth and eighteenth in its HIPAA Right of Access Initiative.
In the first, OCR detailed how, in mid-2019, it received a complaint from an individual regarding a delay in receiving records from The Arbour, Inc. d/b/a Arbour Hospital, a Massachusetts behavioral health hospital (“The Arbour”). The HIPAA regulations require covered entities to respond to requests for access to protected health information (PHI) within 30 days (60 days if the facts permit an extension). OCR provided technical assistance to The Arbour regarding the HIPAA requirements governing an individual’s right to access their PHI and closed the matter. However, OCR received a second complaint from the same individual a week later, detailing that The Arbour still had not provided access, prompting OCR to investigate.
The OCR Resolution Agreement with The Arbour stated that it found that The Arbour failed to provide an individual with timely access to their PHI, explaining that it took the facility nearly five months to provide the requested access. The Arbour agreed to pay $65,000 to OCR and enter into a Corrective Action Plan.
In the second settlement, Village Plastic Surgery (“VPS”), a New Jersey cosmetic plastic surgery practice, also was the subject of a 2019 complaint to OCR regarding the failure to provide access to PHI in a timely manner. OCR investigated and determined that the access failure was a potential violation of the HIPAA regulations. While the patient ultimately received their PHI, OCR entered into a settlement whereby VPS agreed to pay $30,000 and enter into a corrective action plan.
These settlements highlight OCR’s continued emphasis on a patient’s right to access their PHI in a timely manner, which also may overlap with the health care provider’s obligations under the Information Blocking Rule. Unlike other HIPAA enforcement actions, enforcement under the Right of Access Initiative shows that OCR is willing to impose penalties for just one alleged HIPAA violation, rather than limiting its enforcement to entities engaged in systemic noncompliance.
In addition, OCR’s settlement with The Arbour illustrates for HIPAA covered entities and business associates that they should take advantage of an opportunity presented by OCR for technical assistance on compliance with the HIPAA regulations; complying with OCR’s instructions may have avoided The Arbour’s financial settlement and corrective action plan.
As an entity is only as strong as its workforce, HIPAA covered entities also should ensure that personnel responding to access requests understand the HIPAA requirements, including the timeframes for providing access or a denial of access. Workforce members must understand the covered entity’s process for addressing any issues that arise in the access request process, and for doing so in a timeframe that keeps the entity compliant.