Last week, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) continued its recent trend of rapid settlement agreement announcements. Two more settlements announced in quick succession brought the total to 10 in the last month and 13 for the year, quickly moving 2020 up the list of years with the highest number of settlements. Notably, more than half of this year’s settlements have been pursuant to the HIPAA Right of Access Initiative (the “Initiative”), most of which have been with relatively small providers. The Initiative was quietly announced by OCR in 2019 (see our prior article here), and appears to have been a focus of OCR enforcement attention since. The two latest settlements under the Initiative and key compliance takeaways are discussed below.
Dignity Health, doing business as St. Joseph’s Hospital and Medical Center (“SJHMC”), paid $160,000 to OCR and adopted a corrective action plan to settle a potential violation of HIPAA’s right of access provision. SJHMC, based in Phoenix, Arizona, is a large, acute care hospital with several hospital-based clinics that provide a wide range of health, social, and support services.
OCR received a complaint on April 25, 2018 from a mother alleging that she made multiple requests to SJHMC beginning in January 2018 for a copy of her son’s medical records as his personal representative. SJHMC provided only some of the requested records despite the mother’s follow-up requests in March, April, and May 2018. OCR determined that SJHMC failed to provide the mother with timely access to her son’s medical records in violation of the HIPAA right of access standard. As a result of OCR’s investigation, SJHMC provided all of the requested medical records to the mother on December 19, 2019, more than 22 months after her initial request.
In addition to the monetary settlement, SJHMC will undertake a corrective action plan that includes two years of monitoring. SJHMC is also required to develop, maintain, or revise its written policies and procedures governing compliance with the HIPAA Privacy Rule. The resolution agreement and corrective action plan may be found here.
Prompted by OCR’s ninth investigation under the Initiative, NY Spine Medicine (NY Spine) has agreed to take corrective actions and pay $100,000 to settle a potential violation of HIPAA’s right of access standard. NY Spine is a private medical practice specializing in neurology and pain management with offices in New York, NY, and Miami Beach, FL.
OCR received a complaint in July 2019 from an individual alleging that beginning in June 2019, she made multiple requests to NY Spine for a copy of her medical records. NY Spine provided some of the records, but failed to provide diagnostic films that the individual specifically requested. OCR initiated an investigation and determined that NY Spine’s failure to provide timely access to all of the requested medical records was a potential violation of the right of access standard. The complainant received all of the requested medical records in October 2020 as a result of OCR’s investigation.
In addition to the monetary settlement, NY Spine will undertake a corrective action plan that includes two years of monitoring. NY Spine is also required to develop, maintain, or revise its written policies and procedures governing compliance with HIPAA’s right of access standard. The resolution agreement and corrective action plan may be found here.
Insights into the Initiative
A review of the settlements announced thus far under the Initiative reveals some key insights into how OCR appears to be approaching the Initiative and enforcing the right of access:
- Patient complaints can lead to investigations. One notable aspect of each of the above settlements is that they were prompted by patient complaints. Thus, OCR is evidently monitoring and reacting to patient complaints, especially as they relate to the patient right of access.
- OCR expects compliance for all patient requests, not just the easy ones. The nine settlements reached thus far suggest that OCR is including in its investigations complaints related to what are likely more complicated requests (e.g., mother as personal representative, daughter as executor, behavioral health/mental health records). These are areas that are less straightforward under HIPAA than the basic patient request, but nonetheless demand full HIPAA compliance.
- Prompt responses are critical. A review of the nine settlement agreements announced thus far in the Initiative indicates that OCR is initiating investigations into providers’ responses to record requests delayed as little as one month and with no indication of further follow-ups by the patient. Although some response failures are more egregious, covered entities should know that OCR seems inclined to enforce the patient right of access closely.
- OCR is acting swiftly. The conduct at issue in the Initiative settlements thus far has occurred largely in recent years (e.g., 2018 and 2019). Thus, OCR appears to be responding swiftly pursuant to its Initiative by citing recent conduct.
- OCR responses under the Initiative do appear tailored to the right of access. Although any OCR investigation can result in a sweeping review of a covered entity’s entire HIPAA compliance program, OCR generally seems to be self-limiting its focus under the Initiative to the patient right of access. There is some indication that OCR may have looked at other particularly relevant or fundamental issues during its investigations (e.g., reviewing NY Spine’s business associate relationships and requiring appointment of a Privacy Officer), but the agreements generally seem to indicate that the review was more tailored. This is in contrast to certain prior resolution agreements that took a much broader approach (generally following an investigation triggered by a breach).
The insights above can inform covered entities’ access request responses and HIPAA compliance programs:
- Review and update policies, including more nuanced ones. Covered entities, regardless of size, should review their HIPAA Right of Access and related policies, and tailor them to the practice area(s), to ensure that they adequately safeguard the patient right of access. Additional policies that should be included in the scope of review include policies related to the Designated Record Set and Personal Representatives.
- Train workforce and applicable business associates. Covered entities should refresh the training of workforce members involved in receiving and responding to record requests. They should also check in with any business associates who will assist with these efforts, including return of information (ROI) vendors.
- Communicate quickly and clearly with patients. If the covered entity identifies an issue with a certain request (e.g., the requested records are voluminous, difficult to produce, or difficult to locate), the entity should consider communicating this to the patient quickly while striving to meet the 30-day deadline. A covered entity may also utilize one 30-day extension, if needed, but this too must be communicated to the requestor within 30 days of the initial request. This does not take the place of effective compliance with the HIPAA requirements, but may help minimize patient complaints. One caveat to the foregoing is that covered entities should also be mindful of state law requirements, which may impose shorter deadlines than HIPAA.
OCR has noted that it “has many right of access investigations open across the country, and will continue to vigorously enforce this right to better empower patients.” OCR’s nod to numerous open investigations and the quick succession of settlements underscore OCR’s serious and continuing enforcement of the patient right of access. OCR has indicated that it views failure to provide patients with access to their medical records as evidence that providers “don’t take their HIPAA obligations seriously.”