In its first enforcement action of 2021, on January 12th, the United States Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) announced it settled with Banner Health its fourteenth enforcement action as part of its HIPAA Right of Access Initiative (the “Initiative”). OCR announced the Initiative in 2019 to ensure individuals can easily and timely access their health information at a reasonable cost under the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule. In 2020, OCR announced eleven settlements as part of the Initiative including most recently against a primary care provider. The Initiative has resulted in settlements with all sizes of providers.

Banner Health, on behalf of itself and the Banner Health affiliated covered entities (collectively referred to here as “Banner Health”), operates thirty hospitals and many primary care, urgent care, and specialty care facilities. As part of the settlement and without admitting liability, Banner Health agreed to implement a corrective action plan (“CAP”).

This settlement results from two different complaints filed with OCR against Banner Health. The first complainant alleged that she requested access to her medical records in December 2017 and did not receive those records until May 2018. Separately, OCR received a complaint that an individual requested an electronic copy of his medical records in July and September 2019 and the records were not received until February 2020. OCR conducted an investigation and determined that Banner Health’s failure to provide timely access to the requested medical records resulted in a potential violation of the HIPAA right of access standard. The OCR settlement does not explain the reason for Banner Health’s delay in processing the complainants’ requests – it only stated the respective timelines.

Under the CAP, Banner Health will be subject to two (2) years of monitoring by HHS and agreed to do each of the following:

• Review and revise its written access policies, procedures, and other written communication related to the provision of medical records, subject to HHS review and approval;
• Ensure such policies and procedures include minimum content detailed in the CAP;
• Distribute the HHS-approved right of access policies and procedures to members of its workforce;
• Provide training materials to HHS for review and, upon receiving HHS’ approval, train workforce members on the updated policies and procedures; and
• Report to HHS any workforce member who materially fails to comply with the revised policies and procedures described above.

This enforcement action, along with the previous Initiative settlements, demonstrate the importance of timely complying with the HIPAA regulations. OCR Director Roger Severino stated, “This first resolution of the year signals that [OCR’s] Right of Access Initiative is still going strong and that providers of all sizes need to respect the right of patients to have timely access to their medical records.” The Initiative remains a priority for OCR and should be a priority for all HIPAA-covered entities as well. Covered entities should review their HIPAA policies and procedures to ensure they are complying with HIPAA and providing patients with timely copies of medical records upon request at a reasonable cost. It is not known if the Biden administration will continue the Initiative or otherwise modify or redirect HHS OCR resources with respect to ensuring HIPAA compliance by covered entities and business associates.