On March 24th and March 26th, the United States Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) announced it settled its respective seventeenth and eighteenth enforcement actions as part of its HIPAA Right of Access Initiative (the “Initiative”).
OCR announced the Initiative to support individuals’ right to easily and timely access their health information at a reasonable cost under the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule’s right of access standard. The right of access standard requires a HIPAA-covered entity to take action on a records request within thirty days of receipt (or sixty days under an applicable extension).
Seventeenth Enforcement Action: Arbour Hospital
In the seventeenth enforcement action, Arbour Hospital (“Arbour”) agreed to pay $65,000 and implement a corrective action plan (“CAP”) to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. Arbour is a Massachusetts behavioral health services provider.
This settlement began with a July 2019 complaint filed with OCR alleging that Arbour failed to timely respond to a patient’s May 2019 records request. OCR supported Arbour with technical assistance on the HIPAA right of access requirements. OCR received a second complaint later in July 2019 alleging that Arbour still had not responded to the initial complainant’s request. OCR investigated and found the complainant sent a signed, written request to Arbour for his medical records and that Arbour did not respond in a timely manner, which was a potential violation of the HIPAA right of access standard. Arbour ultimately provided the requested records in November 2019, more than five months after the initial request.
Arbour entered into a CAP, which did not result in an admission of liability, and Arbour will be subject to two (2) years of monitoring by HHS and agreed to do each of the following:
- Develop, maintain and revise Arbour’s written access policies and procedures, subject to HHS review and approval;
- Ensure the revised policies and procedures include minimum content set forth in the CAP;
- Distribute the HHS-approved access policies and procedures to all workforce members within thirty days of HHS approval;
- Provide HHS with a list of Arbour’s business associates accessing the PHI of Arbour’s patients and copies of all related business associate agreements;
- Train workforce members utilizing the updated and HHS-approved policies and procedures; and
- Report to HHS any workforce member who materially fails to comply with the revised policies and procedures described above.
Eighteenth Enforcement Action: Village Plastic Surgery
In its eighteenth enforcement action, Village Plastic Surgery (“Village”) agreed to pay $30,000 and implement a CAP to settle a potential violation of the right of access standard. Village is a cosmetic plastic surgery practice in New Jersey.
In September 2019, a complaint was filed with OCR alleging that Village failed to timely respond to a patient’s records access request made in August 2019. OCR investigated and determined Village’s failure to respond to the records request was a potential violation of HIPAA. As a result of the OCR investigation, Village sent the patient the requested records.
Village entered into a CAP that did not result in an admission of liability. The CAP subjected Village to two (2) years of monitoring by HHS, and Village has agreed to do each of the following:
- Review and revise Village’s written access policies and procedures, subject to HHS review and approval;
- Distribute the HHS-approved access policies and procedures to all workforce members and require every individual to sign a compliance certification;
- Train workforce members on the right of access standard and provide training materials to HHS for approval;
- Submit to HHS a list of requests for access to PHI received by Village, including the date the request was received, the date completed, the format requested, format provided, number of pages, and cost; and
- Report to HHS any workforce member who materially fails to comply with the revised policies and procedures described above.
OCR’s continued attention to the Initiative demonstrates the continued importance of timely complying with the right of access standard. Acting OCR Director Robinsue Frohboese stated in the press release announcing the Arbour settlement, “Health care providers have a duty to provide their patients with timely access to their own health records, and OCR will hold providers accountable to this obligation so that patients can exercise their rights and get needed health information to be active participants in their health care.” Covered entities should review their HIPAA policies and procedures to ensure they are complying with HIPAA and responding to right of access requests appropriately and timely.