07.28.22
12.30.21
On November 30, 2021, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services released five more enforcement actions under its HIPAA Right of Access Initiative (the Initiative). The Initiative is intended to ensure that individuals receive timely access to their health information at a reasonable cost. Since the Initiative was announced in 2019, these settlements — which involve healthcare providers of all types and sizes — bring the total number of Initiative enforcement actions to 25.
Subject to limited exceptions, the HIPAA Privacy Rule requires that a covered entity afford a patient, or the patient’s personal representative, access to inspect and obtain a copy of the patient’s protected health information (PHI). The covered entity must act on a request for access no later than 30 days after its receipt of the request, with the ability to extend its response time for up to 30 days with notification to the individual. The covered entity is limited to charging only a reasonable, cost-based fee for the copy of the PHI, and any fee also must comply with applicable state law requirements.
The recent enforcement efforts include two of the higher financial penalties of the Initiative’s enforcement actions: a financial settlement of $160,000 with Rainrock Treatment Center, LLC (d/b/a Monte Nido Rainrock) and a civil money penalty of $100,000 with Dr. Robert Glaser. Three of the enforcement actions require the covered entities to adhere to two-year corrective action plans (CAPs) and one requires a one-year CAP.
These enforcement actions also continue trends seen in the Initiative’s prior enforcement. For example:
These recent enforcement actions emphasize not only that covered entities should have a process in place to respond to access requests in a compliant manner, but it is also important to ensure that their workforces are trained to understand patients’ access rights and the covered entity’s obligations for the same.
These latest five enforcement actions under the Initiative also emphasize that healthcare providers must continue to take their obligations to provide patients with timely access to PHI and limit costs for such access as required by HIPAA and state law.