OCR Kicks off its 2021 HIPAA Enforcement Year with Another Right of Access Settlement

The Department of Health and Human Services’ Office for Civil Rights (OCR) announced its first HIPAA enforcement action resolution of 2021.  Not surprisingly, the subject of its first resolution of the year is the same as its most cited enforcement topic in 2020 – Right of Access.  And the settlement amount is the highest yet for a Right of Access issue.   Banner Health, a large non-profit health system in Arizona, agreed to take corrective actions and pay $200,000 on behalf of its affiliated covered entities to settle two potential Right of Access violations under the HIPAA Privacy Rule.

According to the resolution agreement, OCR received two complaints filed against different Banner Health affiliated covered entities (ACEs) alleging violations of the HIPAA Right of Access standard.  A lawyer filed the first complaint in August 2018 on behalf of a client alleging that his client requested medical records from a Banner entity in December 2017 and did not receive them until May 2018.  A law firm filed the second complaint involving a different ACE in January 2020.     The law firm alleged that its client requested an electronic copy of his medical records from the Banner entity in July and September of 2019 but did not receive the records until February 2020. 

After an investigation of the incidents, OCR determined that both ACE’s failures to provide timely access to the requested medical records were potential violations of the HIPAA Right of Access standard.

There are two notable facts here.  First, in both cases, the complaint was filed after the records had been received.  In the other 13 Right of Access enforcement actions to date, the patients’ records had not yet been provided when the patient filed the complaint.  This makes clear that providers cannot cure a Right of Access failure by simply providing late or delayed access. 

Second, Banner’s ACEs were treated as a single entity for enforcement purposes.  HIPAA permits legally separate covered entities to designate themselves as a single covered entity if they are under common ownership and control.  While there are operational benefits to this model, those functioning as an ACE must be aware that the failures of its different affiliated entities will be considered multiple failures by a single covered entity.  This may increase settlement or penalty amounts.  As noted above, the Banner settlement is the highest Right of Access settlement since the enforcement initiative began in 2019.    

For those of you keeping score, this settlement is the 14th Right of Access enforcement action resolution since 2019 (two in 2019 and 12 in 2020).  Expect many more in 2021.