In recent weeks, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) has announced 12 resolution agreements settling alleged violations of the HIPAA rules. Covered entities and business associates should take note of these resolutions; they point to OCR enforcement priorities and can provide guideposts for covered entities and their business associates to identify areas of focus for their compliance initiatives.
HIPAA Right of Access
On July 15, 2022, OCR announced the resolution of 11 investigations in its HIPAA Right of Access Initiative. OCR has brought 38 Right of Access enforcement actions since the initiative began three years ago in an effort to support individuals’ right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule.
In these most recent enforcement actions, the penalties ranged from $3,500 for a psychiatry practice’s failure to provide timely access to a patient’s medical record upon request, to $240,000 for a health system’s failure to provide a patient timely access to a copy of her itemized billing records for 564 days after the patient made five separate requests. Most of the enforcement actions involved situations where a healthcare provider failed to provide access to requested documents until several months after the request was received (the HIPAA Privacy Rule requires that access be given no later than 30 days after receipt of the request, with a single 30-day extension permitted only in limited circumstances and only if the individual is notified in writing of the reason for the delay). While each resolution agreement gives insight into OCR’s enforcement priorities, several of the recent settlements highlighted notable points:
- The enforcement action against Danbury Psychiatric Consultants involved a provider that withheld a patient’s records on the basis that the patient had an outstanding balance and that required the patient to submit an authorization form before the records would be released; OCR has previously issued guidance that a covered entity may not deny access because of an unpaid balance, and may not require a HIPAA authorization as a condition of exercising the individual right of access.
- The enforcement action against Erie County Medical Center Corporation involved a failure to provide a complete copy of the medical records requested, reiterating the need to respond fully to access requests and coordinate with patients and their authorized representatives if the request cannot be filled.
- The enforcement action against Fallbrook Family Health Center involved an employee who misunderstood the right of access required by HIPAA and failed to provide timely access. As with many of the Right of Access enforcement actions, this again highlights the importance of training for the staff responsible for responding to access requests.
- The enforcement action against MelroseWakefield Healthcare involved a provider who mistakenly concluded that the durable power of attorney used by the requestor to request her mother’s records did not allow for the provision of medical records. This resolution agreement reminds providers that right of access decisions under HIPAA must be made in concert with an understanding of state law, which may require the review and advice of qualified counsel.
Breach Settlement With Oklahoma State University
On July 14, 2022, OCR announced that Oklahoma State University – Center for Health Sciences (“OSU-CHS”) has paid $875,000 to OCR and agreed to a corrective action plan to settle potential HIPAA violations arising from a data breach. According to the resolution agreement, in 2017 an unauthorized third party gained access to a web server that contained ePHI and installed malware that resulted in the disclosure of the ePHI of 279,865 individuals — including their names, Medicaid numbers, healthcare provider names, dates of service, dates of birth, addresses, and treatment information. Through its investigation of the 2017 incident, OSU-CHS discovered that some of its workforce members had stored folders containing PHI on the web server. This discovery led OSU-CHS to re-evaluate — and report as a breach — a prior 2016 incident involving unauthorized access to the same server. At the time of the 2016 incident, OSU-CHS had reported that it was not aware that any electronic PHI was stored on that server.
OCR’s investigation found various HIPAA violations, including impermissible uses and disclosures of PHI, failure to conduct an accurate and thorough risk analysis, failure to perform the periodic technical and nontechnical evaluation required by the Security Rule, failure to implement audit controls, failure to implement security incident response and reporting procedures, and failure to provide timely breach notification to affected individuals and HHS. The 2016 incident illustrates why the risk analysis matters: an entity that does not know which of its systems hold ePHI cannot assess an intrusion into those systems or meet its breach notification deadlines. This resolution agreement therefore underscores not only OCR’s continued emphasis on conducting accurate and thorough risk analyses, but also the related need for monitoring and training to ensure that a covered entity knows every location where PHI is stored on its systems and that its workforce understands the protocols for keeping PHI adequately protected.
Together, the recent enforcement actions highlight the importance OCR places on protecting both the rights of individuals under the HIPAA rules and the privacy and security of the PHI itself. Clear policies, routine training, and internal auditing are all elements of a functioning HIPAA compliance program. Covered entities and their business associates should review their own approaches to patient access and information security to identify any gaps that may exist in their organizations. Where gaps are identified, organizations should take corrective action and implement mitigation measures. For more information, or for assistance evaluating your organization’s HIPAA compliance or responding to incidents that may arise, please contact Madison M. Pool or Erin E. Doyle.