Start with a records request. Add a seven months’ wait. Stir in the chaos of the pandemic, with most employees working from home. Blend in a perhaps-neglected post office box. Bake for two-and-a-half years.
The result of this recipe? A settlement between the HHS Office for Civil Rights (OCR) and the nation’s largest health insurance firm, which includes an $80,000 penalty and a one-year corrective action plan (CAP). OCR’s agreement with UnitedHealthcare (UHC) marks the 45th enforcement action in its right of access initiative, which then-Director Roger Severino launched in 2019. OCR made the settlement public Aug. 24, about three weeks after it was signed.
One of the CAP requirements is for UHC to submit an accounting to OCR every 90 days of how it fulfilled all requests for records received at what it called the insurer’s “regional mail operations post office box” in Salt Lake City, Utah.
In announcing the settlement, OCR Director Melanie Fontes Rainer noted that “health insurers are not exempt from the right of access and must ensure that they are taking steps to train their workforce to ensure that they are doing all they can to help members’ access to health information.” Although the agency called this the 45th settlement, it is not. Several cases were concluded with OCR imposing penalties in court against uncooperative covered entities (CEs).
OCR provided salient—but scant—details about what led to the agreement and left some blanks. It received a complaint on March 25, 2021, alleging UHC had not responded to a records request that OCR said was first submitted on Jan. 7, 2021. The request was “received via mail at a post office box located in Utah,” the agency said.
The complaint, OCR said, was the third from the same individual about UHC but gave no specifics as to when the individual initially contacted OCR nor the nature of the agency’s contacts with UHC. OCR described UHC’s quick response to its entreaties, however. “Upon becoming aware of the issue through the OCR complaint, [UHC] immediately investigated and concluded the oversight had been a result of employee error. [UHC] also promptly sent all requested records to the member,” OCR said.
The patient received the requested records in July 2021, “after OCR initiated its investigation,” the agency said in the settlement documents posted online. Often, OCR resorts to formal enforcement actions against a CE or business associate after it continues to engage in a presumed violation after the agency provides what it calls technical assistance. This settlement makes no mention of OCR intervening in any way in this case beyond contacting UHC. The agency did not respond to questions submitted by RPP.
“Timely access to health information is one of the cornerstones of HIPAA,” Fontes Rainer said. “OCR will continue to ensure that covered entities with a record of delaying or denying access requests will be subject to enforcement.”
RPP also did not hear back from three UHC individuals contacted for comment on the settlement, including Richard Ramsay, vice president and chief compliance officer for the employer and individual line of business for UHC; Ramsay is listed in the settlement as the “authorized representative and contact person regarding the implementation of this CAP and for receipt and submission of notifications and reports.”
The access report called for in the CAP must include the date a request was received, when it was fulfilled, “the format requested, the format provided, the number of pages (if provided in paper format), and the fee charged (if any), excluding postage.” UHC is required to submit documentation to OCR describing the basis for any requests for access that it has denied.
Also under the CAP, UHC must review and revise, if necessary, its policies and procedures regarding records access, specifically focusing on:
Right of Access – 45 C.F.R. § 164.524(a)(1)
Timely Action by the Covered Entity – 45 C.F.R. § 164.524(b)(2)
Form of access requested, including form and format – 45 C.F.R. § 164.524(c)(2)
Method for calculating reasonable, cost-based fees – 45 C.F.R. § 164.524(c)(4)
Requesters Must Consent to Longer Process
As OCR explained in guidance on records access posted online, “a covered entity must provide access to the PHI [protected health information] requested, in whole, or in part (if certain access may be denied as explained below), no later than 30 calendar days from receiving the individual’s request. See 45 CFR 164.524(b)(2).”
OCR emphasized that the 30 calendar days “is an outer limit and covered entities are encouraged to respond as soon as possible. Indeed, a covered entity may have the capacity to provide individuals with almost instantaneous or very prompt electronic access to the PHI requested through personal health records, web portals, or similar electronic means. Further, individuals may reasonably expect a covered entity to be able to respond in a much faster timeframe when the covered entity is using health information technology in its day to day operations.”
Should more time be needed—“for example, where the information is archived offsite and not readily accessible—the covered entity may extend the time by no more than an additional 30 days. To extend the time, the covered entity must, within the initial 30 days, inform the individual in writing of the reasons for the delay and the date by which the covered entity will provide access,” the guidance states. “Only one extension is permitted per access request.”
Dental Chain, Children’s Hospital Also Paid $80K
UHC’s is the third of the 45 access cases with an $80,000 payment, though it shares little in common with the other two. Overall, payments in such enforcement actions have ranged from $3,500 involving a Virginia psychiatrist with a solo practice to $245,000 with Memorial Hermann Health System, a large nonprofit in southeast Texas.
Unlike settlements it has issued in past years, OCR typically provides no rationale for the amounts it collects in access cases. Under law, fines are based on levels of culpability.
Details of the two other $80,000 settlements are as follows:
On Sept. 10, 2021, OCR announced an agreement with Children’s Hospital & Medical Center of Omaha, Nebraska. OCR’s 20th right-of-access case was its first—and to date only—involving a children’s hospital. A mother of a deceased minor child waited seven months, from January to July 2020, for a complete copy of the records she requested. OCR said the records came from more than one division, a fact that may have slowed the hospital’s response. Like UHC, its CAP was for one year.
Great Expressions Dental Care of Georgia is part of a national chain; officials told RPP the company eliminated all records fees after it faced enforcement action related to an attempt to charge a patient $170. According to OCR, the patient waited from November 2019 to February 2021 to receive her records. Great Expressions’ CAP was for two years.
1 U.S. Department of Health & Human Services, “UnitedHealthcare Pays $80,000 Settlement to HHS to Resolve HIPAA Matter over Patient Medical Records Request,” news release, August 24, 2023, https://bit.ly/3P4XirF.
2 U.S. Department of Health & Human Services, “Voluntary Resolution Agreement Between The United States Department of Health and Human Services, Office for Civil Rights (`HHS’) and UnitedHealthcare Insurance Company,” content last reviewed August 15, 2023, https://bit.ly/3r1cyxF.
3 U.S. Department of Health & Human Services, “Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524,” content last reviewed October 20, 2022. https://bit.ly/47UN3P8.
4 Theresa Defino, “First Children’s Hospital Gets Caught In Access Initiative; Cases Reach 20,” Report on Patient Privacy 21, no. 10 (October 2021), https://bit.ly/45BvC4v.
5 Theresa Defino, “OCR Announces Trio of Access Cases; Already Stung, One Dental Chain Eliminates All Fees,” Report on Patient Privacy 22, no. 10 (October 2022), https://bit.ly/44z7fU0.