HIPAA’S Right of Access is No Joke, and the Holidays are No Excuse for Noncompliance

Flaster Greenberg PC
Contact

On November 30, 2021, the Office for Civil Rights (“OCR”) at the United States Department of Health and Human Services (“HHS”) announced the resolution of five investigations in its Health Insurance Portability and Accountability Act (“HIPAA”) Right of Access Initiative. This brings the total number of this type of enforcement action to 25 since the initiative began. OCR originally launched this initiative in an effort to support individuals’ right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule.

HIPAA grants people the right to see and obtain copies of their health information from their healthcare providers and health plans. Once a HIPAA-regulated entity receives a request, it has 30 days to provide an individual or their representative with their records in a timely manner. If HIPAA-regulated entities need more time to comply with timely requests, they may obtain an additional 30-day extension of time to do this by providing written notice to the individual who made the request, including the reasons for the delay and the expected date by which the entity will complete the action on the request.

Newly-appointed OCR Director, Lisa J. Pino, has said that timely access to health records is a powerful tool for people to stay healthy, protect their privacy as patients, and is a right under the law. She has gone on to say that OCR will continue its enforcement actions to hold covered entities responsible for their HIPAA compliance and pursue civil monetary penalties for violations that go unaddressed.

For example, OCR has taken enforcement actions that underscore the importance and necessity of compliance with the HIPAA Right of Access, such as the enforcement action against Dr. Robert Glaser, a cardiovascular disease and internal medicine doctor in New Hyde Park, New York, who allegedly did not cooperate with OCR’s investigation or respond to OCR’s data requests after a hearing. He also did not contest the findings of OCR’s Notice of Proposed Determination. Consequently, OCR closed this matter out by issuing a civil monetary penalty of $100,000. Moreover, a licensed provider of residential eating disorder treatment services in Eugene, Oregon, Rainrock Treatment Center, LLC, doing business aa Monte Nido Rainrock (“Monte Nido”), has taken corrective actions including one year of monitoring and a $160,000 settlement payment to HHS for the alleged violation of the HIPAA Privacy Rule’s Right to Access. In the Monte Nido action, the patient requested records on two occasions—on October 1, 2019 and then again on November 21, 2019. Monte Nido complied with the request for access but not until May 22, 2020, more than six months after the initial request was made. Even still, OCR moved to enforce.

These are just two examples of enforcement actions taken by OCR for violations of the HIPAA Privacy Rule’s Right to Access. In order to avoid an investigation and potential enforcement action such as the ones noted above, it is imperative to determine first whether you are subject to HIPAA’s Privacy Rule as a covered entity, and if so, to handle any requests for access to health information with requisite haste and attention so as to avoid costly and time-consuming regulatory enforcement actions.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Flaster Greenberg PC | Attorney Advertising

Written by:

Flaster Greenberg PC
Contact
more
less

Flaster Greenberg PC on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.