Last week, HHS’ Office for Civil Rights (OCR) announced the settlement of its latest HIPAA right of access investigation – the 45th such settlement since the agency commenced its right of access enforcement initiative in April 2019.
On this occasion, the covered entity under investigation was the UnitedHealthcare Insurance Company (UHIC) who, it was alleged, failed to respond to an individual’s January 2021 request for a copy of their medical record until July 2021 – four months after OCR had received a complaint from the individual and initiated an investigation into the allegation.
The investigation identified that the failure to respond to the request was found to be attributable to an employee error. Nonetheless, OCR determined that UHIC’s failure to provide timely access to the requested medical records had been a potential violation of 45 CFR §164.524 – Access of Individuals to Protected Health Information – and fined the company $80,000.
In addition to agreeing to pay $80,000 to settle the potential violation, UHIC will have to comply with a monitored Corrective Action Plan over the next year which involves reviewing and revising where necessary all policies and procedures relating to patient access requests, distributing the revised policies to members of the workforce, and providing training on the policies.
Each ninety days, UHIC will also have to provide HHS with a list of access requests received by the company together with the dates they were received, the dates the requests were responded to, the format requested, the format provided, the number of pages (if PHI is provided to individuals on paper), and the fee charged to the individual.
Speaking about the settlement, OCR Director Melanie Fontes Rainer said: “Timely access to health information is one of the cornerstones of HIPAA. OCR will continue to ensure that covered entities with a record of delaying or denying access requests will be subject to enforcement. Health insurers are not exempt from the right of access and must ensure that they are taking steps to train their workforce to ensure that they are doing all they can to help members’ access to health information.”