OCR: UHC Admitted Worker ‘Error’ Left Records Request Languishing in the Mail, Pays $80,000

Health Care Compliance Association (HCCA)

Health Care Compliance Association (HCCA)

Report on Patient Privacy Volume 23, no. 9 (September 2023)

Start with a records request. Add a seven months’ wait. Stir in the chaos of the pandemic, with most employees working from home. Blend in a perhaps-neglected post office box. Bake for two-and-a-half years.

The result of this recipe? A settlement between the HHS Office for Civil Rights (OCR) and the nation’s largest health insurance firm, which includes an $80,000 penalty and a one-year corrective action plan (CAP). OCR’s agreement with UnitedHealthcare (UHC) marks the 45th enforcement action in its right of access initiative, which then-Director Roger Severino launched in 2019. OCR made the settlement public Aug. 24, about three weeks after it was signed.[1]

One of the CAP requirements is for UHC to submit an accounting to OCR every 90 days of how it fulfilled all requests for records received at what it called the insurer’s “regional mail operations post office box” in Salt Lake City, Utah.[2]

In announcing the settlement, OCR Director Melanie Fontes Rainer noted that “health insurers are not exempt from the right of access and must ensure that they are taking steps to train their workforce to ensure that they are doing all they can to help members’ access to health information.” Although the agency called this the 45th settlement, it is not. Several cases were concluded with OCR imposing penalties in court against uncooperative covered entities (CEs).

OCR provided salient—but scant—details about what led to the agreement and left some blanks. It received a complaint on March 25, 2021, alleging UHC had not responded to a records request that OCR said was first submitted on Jan. 7, 2021. The request was “received via mail at a post office box located in Utah,” the agency said.

The complaint, OCR said, was the third from the same individual about UHC but gave no specifics as to when the individual initially contacted OCR nor the nature of the agency’s contacts with UHC. OCR described UHC’s quick response to its entreaties, however. “Upon becoming aware of the issue through the OCR complaint, [UHC] immediately investigated and concluded the oversight had been a result of employee error. [UHC] also promptly sent all requested records to the member,” OCR said.

The patient received the requested records in July 2021, “after OCR initiated its investigation,” the agency said in the settlement documents posted online. Often, OCR resorts to formal enforcement actions against a CE or business associate after it continues to engage in a presumed violation after the agency provides what it calls technical assistance. This settlement makes no mention of OCR intervening in any way in this case beyond contacting UHC. The agency did not respond to questions submitted by RPP.

“Timely access to health information is one of the cornerstones of HIPAA,” Fontes Rainer said. “OCR will continue to ensure that covered entities with a record of delaying or denying access requests will be subject to enforcement.”

RPP also did not hear back from three UHC individuals contacted for comment on the settlement, including Richard Ramsay, vice president and chief compliance officer for the employer and individual line of business for UHC; Ramsay is listed in the settlement as the “authorized representative and contact person regarding the implementation of this CAP and for receipt and submission of notifications and reports.”

The access report called for in the CAP must include the date a request was received, when it was fulfilled, “the format requested, the format provided, the number of pages (if provided in paper format), and the fee charged (if any), excluding postage.” UHC is required to submit documentation to OCR describing the basis for any requests for access that it has denied.

Also under the CAP, UHC must review and revise, if necessary, its policies and procedures regarding records access, specifically focusing on:

  • Right of Access – 45 C.F.R. § 164.524(a)(1)

  • Timely Action by the Covered Entity – 45 C.F.R. § 164.524(b)(2)

  • Form of access requested, including form and format – 45 C.F.R. § 164.524(c)(2)

  • Method for calculating reasonable, cost-based fees – 45 C.F.R. § 164.524(c)(4)

[View source.]

Written by:

Health Care Compliance Association (HCCA)

Health Care Compliance Association (HCCA) on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide