On November 30, 2021, the Office for Civil Rights (“OCR”) at the United States Department of Health and Human Services (“HHS”) announced the resolution of five investigations in its Health Insurance Portability and Accountability Act (“HIPAA”) Right of Access Initiative. This brings the total number of this type of enforcement action to 25 since the initiative began. OCR originally launched this initiative in an effort to support individuals’ right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule.
HIPAA grants people the right to see and obtain copies of their health information from their healthcare providers and health plans. Once a HIPAA-regulated entity receives a request, it has 30 days to provide an individual or their representative with their records in a timely manner. If HIPAA-regulated entities need more time to comply with timely requests, they may obtain an additional 30-day extension of time to do this by providing written notice to the individual who made the request, including the reasons for the delay and the expected date by which the entity will complete the action on the request.
Newly-appointed OCR Director, Lisa J. Pino, has said that timely access to health records is a powerful tool for people to stay healthy, protect their privacy as patients, and is a right under the law. She has gone on to say that OCR will continue its enforcement actions to hold covered entities responsible for their HIPAA compliance and pursue civil monetary penalties for violations that go unaddressed.
For example, OCR has taken enforcement actions that underscore the importance and necessity of compliance with the HIPAA Right of Access, such as the enforcement action against Dr. Robert Glaser, a cardiovascular disease and internal medicine doctor in New Hyde Park, New York, who allegedly did not cooperate with OCR’s investigation or respond to OCR’s data requests after a hearing. He also did not contest the findings of OCR’s Notice of Proposed Determination. Consequently, OCR closed this matter out by issuing a civil monetary penalty of $100,000. Moreover, a licensed provider of residential eating disorder treatment services in Eugene, Oregon, Rainrock Treatment Center, LLC, doing business aa Monte Nido Rainrock (“Monte Nido”), has taken corrective actions including one year of monitoring and a $160,000 settlement payment to HHS for the alleged violation of the HIPAA Privacy Rule’s Right to Access. In the Monte Nido action, the patient requested records on two occasions—on October 1, 2019 and then again on November 21, 2019. Monte Nido complied with the request for access but not until May 22, 2020, more than six months after the initial request was made. Even still, OCR moved to enforce.
These are just two examples of enforcement actions taken by OCR for violations of the HIPAA Privacy Rule’s Right to Access. In order to avoid an investigation and potential enforcement action such as the ones noted above, it is imperative to determine first whether you are subject to HIPAA’s Privacy Rule as a covered entity, and if so, to handle any requests for access to health information with requisite haste and attention so as to avoid costly and time-consuming regulatory enforcement actions.
Krishna A. Jani, CIPP/US, is a member of Flaster Greenberg’s Litigation Department focusing her practice on complex commercial litigation. She is also a member of the firm’s cybersecurity and data privacy law practice groups. She can be reached at 215.279.9907 or krishna.jani@flastergreenberg.com.
