Skip to main content

Nixon Peabody LLP

  • People
  • Capabilities
  • Insights
  • About
Trending Topics
    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    Practices

    View All

    • Affordable Housing
    • Community Development Finance
    • Corporate & Finance
    • Cybersecurity & Privacy
    • Entertainment & Media
    • Environmental
    • Franchising & Distribution
    • Government Investigations & White Collar Defense
    • Healthcare
    • Intellectual Property
    • International Services
    • Labor, Employment, and Benefits
    • Litigation
    • Private Wealth & Advisory
    • Project Finance
    • Public Finance
    • Real Estate
    • Regulatory & Government Relations
    Industries

    View All

    • Aviation
    • Cannabis
    • Consumer
    • Energy
    • Financial Services
    • Healthcare
    • Higher Education
    • Infrastructure
    • Manufacturing
    • Nonprofit Organizations
    • Real Estate
    • Sports & Stadiums
    • Technology
    Value-Added Services

    View All

    • Alternative Fee Arrangements

      Developing innovative pricing structures and alternative fee agreement models that deliver additional value for our clients.

    • Continuing Education

      Advancing professional knowledge and offering credits for attorneys, staff and other professionals.

    • Crisis Advisory

      Helping clients respond correctly when a crisis occurs.

    • DEI Strategic Services

      Providing our clients with legal, strategic, and practical advice to make transformational changes in their organizations.

    • eDiscovery

      Leveraging law and technology to deliver sound solutions.

    • Environmental, Social, and Governance (ESG)

      We help clients create positive return on investments in people, products, and the planet.

    • Global Services

      Delivering seamless service through partnerships across the globe.

    • Innovation

      Leveraging leading-edge technology to guide change and create seamless, collaborative experiences for clients and attorneys.

    • IPED

      Industry-leading conferences focused on affordable housing, tax credits, and more.

    • Legal Project Management

      Providing actionable information to support strategic decision-making.

    • Legally Green

      Teaming with clients to advance sustainable projects, mitigate the effects of climate change, and protect our planet.

    • Nixon Peabody Trust Company

      Offering a range of investment management and fiduciary services.

    • NP Capital Connector

      Bringing together companies and investors for tomorrow’s new deals.

    • NP Second Opinion

      Offering fresh insights on cases that are delayed, over budget, or off-target from the desired resolution.

    • NP Trial

      Courtroom-ready lawyers who can resolve disputes early on clients’ terms or prevail at trial before a judge or jury.

    • Social Impact

      Creating positive impact in our communities through increasing equity, access, and opportunity.

    • Women in Dealmaking

      We provide strategic counsel on complex corporate transactions and unite dynamic women in the dealmaking arena.

    1. Home
    2. Insights
    3. Alerts
    4. CMP and financial settlement are the latest results of OCR's HIPAA Right of Access Initiative enforcement

      Alerts

    Alert / Healthcare

    CMP and financial settlement are the latest results of OCR's HIPAA Right of Access Initiative enforcement

    April 8, 2024

    LinkedInX (Twitter)EmailCopy URL

    By Valerie Montague and Meredith LaMasterGrace Connelly, a legal intern in Nixon Peabody’s Healthcare practice and a 2024 J.D. candidate at Loyola University Chicago School of Law and assisted with the preparation of this alert.

    OCR’s 47th and 48th Right of Access Initiative enforcement actions remind healthcare providers to provide personal representatives with timely access to requested PHI.

    What’s the impact?

    • OCR continues to enforce scenarios where healthcare providers fail to provide timely access to protected health information (PHI), imposing a $100,000 civil monetary penalty (CMP) against one healthcare provider and entering into a $35,000 financial settlement with another.
    • While organizations can verify the authority of personal representatives requesting access to PHI, this process cannot be used to delay access.
    • Healthcare providers are not permitted to withhold access to PHI due to nonpayment of fees.

    DOWNLOAD

    Right of access enforcement actions (PDF)

    On March 29, 2024, and April 1, 2024, respectively, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced enforcement actions against an Oklahoma multi-facility organization specializing in nursing care and a New Jersey skilled nursing facility for alleged violations of the HIPAA Privacy Rule. In both instances, the facilities failed to provide requesting individuals with timely access to PHI.

    Background

    The HIPAA Privacy Rule sets standards to protect individuals’ health information, establishes parameters and conditions on the uses and disclosures of PHI, and grants certain rights to individuals, including the right to access and obtain a copy of their information in a timely manner. Specifically, healthcare facilities and other covered entities are required to provide access to PHI maintained in a designated record set within 30 days of receiving a request from an individual or their personal representative. OCR clearly articulates in prior guidance that this 30-day timeframe is an outer limit, encouraging covered entities to provide access as soon as possible (supported further by the information blocking rule under the 21st Century Cures Act). In 2019, OCR launched its Right of Access Initiative, which focuses enforcement efforts on the provision of access in a timely manner and at a reasonable cost. The Right to Access Initiative remains an active enforcement area for OCR, and these recent examples serve to remind healthcare providers of the need for compliant processes for the provision of PHI access to personal representatives.

    Phoenix Healthcare Enforcement Action

    Phoenix Healthcare, LLC d/b/a Green Country Care Center (Phoenix Healthcare), an Oklahoma multi-facility nursing care organization, reached a settlement agreement with OCR on September 22, 2023, for an alleged violation of the HIPAA Privacy Rule after the daughter of a resident, who served as her mother’s personal representative, was not provided with access to her mother’s PHI for close to a year, despite making numerous requests.

    The daughter filed a complaint with OCR in April 2019, alleging that Phoenix Healthcare would not provide her with a copy of her mother’s medical records. After OCR’s attempts to provide technical assistance to the organization and to obtain the records, Phoenix Healthcare provided the records to the daughter 323 days after the initial request.

    The OCR enforcement process against Phoenix Healthcare appears to have been more involved than most Right of Access Initiative enforcement efforts. While the OCR announcement does not explain why OCR moved from technical assistance to pursuing a CMP, the settlement agreement describes that, on March 30, 2021, OCR notified Phoenix Healthcare of its intent to impose a $250,000 CMP for failure to provide timely access to PHI; failure to impose a reasonable, cost-based fee in providing access to records; and failure to maintain satisfactory assurances before disclosing PHI to business associates. In response, on June 25, 2021, Phoenix Healthcare requested a hearing before an Administrative Law Judge (ALJ). On February 16, 2023, the ALJ upheld the HIPAA Privacy Rule violations referenced by OCR and agreed with OCR that Phoenix Healthcare acted with willful neglect. However, the ALJ reduced the CMP to $75,000.

    On April 17, 2023, Phoenix Healthcare filed a notice of appeal and supporting written brief to contest the willful neglect determination and the CMP amount. On August 4, 2023, the HHS Departmental Appeals Board affirmed the decision to uphold the willful neglect determination and imposition of the CMP. After that decision, OCR and Phoenix Healthcare negotiated a settlement, with OCR agreeing, based on the financial hardship cited by Phoenix Healthcare, to accept a $35,000 financial settlement instead of the $75,000 CMP. The settlement agreement contains some of the terms typically included in corrective action plans with OCR, requiring Phoenix Healthcare to revise its HIPAA policies and procedures and provide signed attestations and training materials as proof that it distributed the updated policies and trained its workforce, among other actions.

    Hackensack Meridian Health Enforcement Action

    On April 1, 2024, OCR announced a $100,000 CMP against Essex Residential Care, LLC, d/b/a Hackensack Meridian Health, West Caldwell Care Center (Hackensack Meridian Health), a New Jersey skilled nursing facility. OCR investigated Hackensack Meridian Health after receiving a complaint in May 2020 alleging that Hackensack Meridian Health failed to provide a son, serving as his mother’s personal representative, access to his mother’s medical records even after the son provided the facility with documentation describing his authority as the personal representative. After OCR opened an investigation, Hackensack Meridian Health provided the requested records to the son 161 days after the initial request, a period that OCR refers to as “a significant period of time.”

    OCR attempted to work with Hackensack Meridian Health to resolve the matter through a settlement and, while the Notice of Proposed Determination does not explain why that process was not successful, OCR ultimately notified the facility of its intent to impose a CMP. Hackensack Meridian Health, in a response to OCR, explained that the resident and the personal representative were parties to litigation with Hackensack Meridian Health; it is not clear if that was a reason why the facility did not provide access to the records, but that is not a permissible basis for a covered entity to deny access to PHI.

    Hackensack Meridian Health waived its right to a hearing before an ALJ and did not challenge OCR’s findings. Consequently, OCR issued a Notice of Final Determination on January 12, 2024, imposing the $100,000 CMP.

    Takeaways

    Four years after its inception, the Right to Access Initiative remains an active area of enforcement for OCR, and OCR indicates that it will continue to enforce delays in providing access. While the vast majority of Right of Access Initiative enforcement to date involve financial settlements and corresponding corrective action plans, these two recent enforcement actions illustrate that OCR will pursue CMPs if the circumstances warrant. While Phoenix Healthcare was successful in lowering the amount paid to OCR, organizations contesting a proposed CMP and moving through the administrative hearing process likely spend significant personnel and legal resources during that process. Covered entities and business associates faced with an OCR investigation may be better served by devoting time and resources in responding to OCR at the outset and working with OCR’s technical assistance process to correct any identified noncompliant conduct, as that may preclude OCR’s pursuit of a CMP or other financial settlement.

    Similar to previous Right of Access Initiative enforcement efforts, the alleged access delays by Phoenix Healthcare and Hackensack Meridian Health both involved requests for PHI by personal representatives. Such requests can be tricky for health care providers and other HIPAA covered entities to navigate, as the authority of a personal representative is dictated by state law. However, while OCR is clear that a healthcare provider may request documentation to verify a personal representative’s authority, as Hackensack Meridian Health did, the healthcare provider or other covered entity must not use the verification process to evade the Privacy Rule’s requirement to provide timely access. Covered entities should continue to emphasize to administrative and support staff handling medical records that time is of the essence when requests are received, both from personal representatives and directly from individuals. Workforce members should be trained on how they respond to requests from personal representatives, as well as the reasonable cost requirements imposed by the HIPAA Privacy Rule and any corresponding cost limitations under state law.

    Finally, while Phoenix Healthcare was successful in lowering the amount it ultimately paid to OCR, organizations contesting a proposed CMP and moving through the administrative hearing process likely spend significant personnel and legal resources to do so. Covered entities and business associates faced with an OCR investigation may be better served in devoting time and resources in responding to OCR at the outset and working with OCR’s technical assistance process to correct the conduct, as that may preclude OCR’s pursuit of a CMP or other financial settlement.

    OCR Action

    Practices

    HealthcareCybersecurity & PrivacyHealth Information - Privacy, Security & Data Sharing

    Industries

    Healthcare

    Insights And Happenings

    • Alert

      BIPA Reform Bill addressing One-Time Claim Accrual and Electronic Signature passes Illinois Legislature

      May 20, 2024
    • Alert

      Select highlights from New York State Health and Mental Hygiene Bill

      May 14, 2024
    • Alert

      OCR releases final HIPAA Privacy Rule to Support Reproductive Health Care Privacy

      April 24, 2024
    The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

    Subscribe to stay informed of the latest legal news, alerts, and business trends.Subscribe

    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    • Cookie Preferences
    • Privacy Policy
    • Terms of Use
    • Accessibility Statement
    • Statement of Client Rights
    • Purchase Order Terms & Conditions
    • Nixon Peabody International LLC
    • PAL
    © 2025 Nixon Peabody. All rights reserved