A Year in Review: HIPAA Enforcement Action Resolutions in 2021

Here it is!  My annual summary of HIPAA enforcement action resolutions.  I know you all have been eagerly awaiting its arrival.  No plot twists or surprises this year – the enforcement themes are much the same as those in 2020.  As I explain below, Right of Access was again the star. 

In 2021, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced the resolution of 14 enforcement actions totaling $5,982,150 in settlement or penalty amounts. OCR announced five Right of Access enforcement action resolutions in November, ending the year with a total of twelve Right of Access matters.  The remaining two actions involved alleged HIPAA Security Rule violations that account for 85% of the total settlement and penalty amounts for the year.  This is consistent with previous OCR enforcement, as alleged HIPAA Security Rule violations often result in seven-figure resolution amounts. 

Although total settlement and civil money penalty (CMP) amounts were much lower than in previous years, the shift in focus to Right of Access, which typically generates low resolution amounts, is likely the reason.  While generally lower in amount, the Right of Access settlement amounts were higher on average in 2021 – $68,800 in 2021 as compared to $48,800 in 2020.  Further, 2021 saw the highest Right of Access settlement amount thus far at $200,000 as well as the first Right of Access CMP.  Finally, no enforcement year would be complete without a seven-figure resolution for HIPAA Security issues – $5,100,000 to be exact.

Here is a comparison of the last three enforcement years:

                      | 2021                  | 2020                 | 2019
Announced Resolutions | 14                    | 19                   | 10
Amount collected      | $5,982,150            | $13,554,900          | $12,274,000
CMPs v. Settlements   | 1 CMP; 13 settlements | All settlements      | 2 CMPs; 8 settlements
Most common issue     | Right of Access (12)  | Right of Access (11) | Risk Analysis (6)
Right of Access       | $857,150 (12)         | $537,500 (11)        | $170,000 (2)
Risk Analysis         | $5,125,000 (2)        | $10,977,400 (6)      | $8,365,500 (6)

Right of Access:

Under the HIPAA Privacy Rule, a patient has the right to access his or her own records.[1]  Over the past few years, emphasis on this provision and its enforcement has grown as the government believes that better access to records will help with coordination of care and reduce healthcare costs.[2] 

In 2019, OCR announced that it would prioritize claims involving individuals’ right to receive timely access to their health records at a reasonable cost under the HIPAA Privacy Rule.  Since then, OCR has publicized the resolution of a total of 25 Right of Access claims – more than any other category of HIPAA enforcement over that same period. 

Below is a summary of the 12 Right of Access actions that OCR resolved in 2021.

Date | Entity | Amount | Facts
1/12/2021 | Banner Health (AZ) | $200,000 | OCR received two complaints filed against different Banner Health ACE entities for failing to timely provide records requested by separate legal counsel.  Highest Right of Access settlement.
2/10/2021 | Renown Health, PC (NV) | $75,000 | Patient filed complaint that provider failed to act on request to send electronic copies of records to the patient’s attorney.  Provider took almost a year to fulfill request.
2/12/2021 | Sharp HealthCare (CA) | $70,000 | A patient complained to OCR after getting no response to an April 2019 request to send an electronic copy of records to a third party.  OCR sent a technical assistance letter in June 2019.  The patient filed a second complaint in August 2019.  The records were provided in October 2019.
3/24/2021 | Arbour Hospital (MA) | $65,000 | Patient complained to OCR two months after not receiving requested records.  OCR provided a technical assistance letter.  The patient filed a second complaint.
3/26/2021 | Village Plastic Surgery (NJ) | $30,000 | A patient complained to OCR that the provider failed to timely provide copies of records.  OCR alleges that the provider failed to provide the records during the OCR investigation.
6/2/2021 | The Diabetes, Endocrinology & Lipidology Center, Inc. (W VA) | $5,000 | The parent of a minor patient complained to OCR that the provider failed to timely respond to her records access request.
9/10/2021 | Children’s Hospital & Medical Center (NE) | $80,000 | A parent filed a complaint with OCR alleging that the provider failed to provide her with timely access to all her minor deceased daughter’s medical records.  The provider claimed that the delay was due to a portion of the records being at another division of the provider.
11/30/2021 | Advanced Spine & Pain Management (OH) | $32,150 | Patient complained to OCR that provider failed to provide him with timely access to his records.
11/30/2021 | Denver Retina Center (CO) | $30,000 | A patient complained to OCR that the provider had not responded to her request for medical records.  OCR sent a technical assistance letter.  The patient complained again, which prompted an OCR investigation.  OCR concluded that the provider did not have proper right of access policies.
11/30/2021 | Dr. Robert Glaser (NY) | $100,000 | A patient complained to OCR that the provider failed to respond to several written and verbal requests for access to his medical records from 2013 to 2014.  In 2017, OCR closed the complaint and advised the provider to provide the records.  The patient complained again in 2018.  OCR investigated.  The provider ignored OCR’s letters and failed to cooperate.  OCR issued a CMP.
11/30/2021 | Rainrock Treatment Center, LLC (FL) | $160,000 | A patient filed two complaints over the period of two months alleging that the provider failed to provide copies of requested medical records.
11/30/2021 | Wake Health Medical Group (NC) | $10,000 | A patient complained to OCR that the provider had not provided a copy of her medical records despite making a request and paying a flat fee of $25.  OCR investigated.

The major theme of increased focus on Right of Access enforcement continues from 2020.  There are, however, a couple of notable differences in the Right of Access enforcement action resolutions between the 2020 and 2021 enforcement years.  These differences signal a slight shift in OCR’s enforcement strategy.  

First, in 2020, OCR issued a technical assistance letter in more than 50% of the Right of Access enforcement actions (6 of 11).  A technical assistance letter lays out the patient’s claim, gives the provider information on how to comply with HIPAA and, in most cases, administratively closes the matter.  As I noted last year, these letters are gifts.  I flagged this last year because it appeared that many providers were getting at least one “get out of jail free” card in the form of a technical assistance letter (especially smaller providers).

In 2021, OCR issued a technical assistance letter in just 25% of the cases (3 of 12).  In other words, OCR is being less generous with “get out of jail free” cards.  This means it is more important than before to ensure that providers are getting Right of Access compliance right the first time.

Second, in 2021 OCR issued its first CMP in a Right of Access case.  Importantly, the facts in this matter show the provider’s total and utter disregard for OCR, its investigation and its communications.  If you are reading this article, I have no concerns that you need to worry about a CMP for a Right of Access violation.  Bottom line – when OCR calls or writes, you MUST respond and do so quickly.  While OCR’s response timeframes may seem tight, OCR regularly grants extensions of time so long as a provider is cooperating and acting in good faith.

As I highlighted last year, OCR’s investigation of a Right of Access issue can lead to compliance inquiries in other areas including the HIPAA Security Rule.  Anything OCR uncovers in its investigation is fair game for an enforcement action.  Therefore, avoiding findings of non-compliance with the Right of Access requirements, which typically arise from a single individual’s complaint, will help to prevent inquiries into compliance in other areas that could lead to more involved and expensive enforcement.

The following are best practices to avoid Right of Access Claims:

  • Timely respond to all patient records requests and communicate with patients when there is a delay.  Silence from a provider is one of the best ways to ensure that a patient will file a complaint.  If for some reason, you cannot respond timely (within 30 days under HIPAA[3], although state law may require a quicker response), communicate with the patient.  Unless applicable state law requires a more expeditious response, HIPAA also allows for a one-time 30-day extension if you notify the patient within the initial 30-day period and explain why additional time is needed.[4]  Also, if you deny access for a permissible reason under HIPAA or state law, you must provide a written explanation and must turn over all records not subject to the denial.[5]   
  • Take all communications received from OCR seriously.  If OCR sends a technical assistance letter, pay attention to it.  Act on the letter.  Perform an investigation and document the action taken, even if you conclude that no additional action is necessary.  If OCR leaves a message, return the call.  Ensure that staff receiving mail and phone messages understand the importance of communications from OCR.
  • Treat personal representatives of patients appropriately.  A few of the Right of Access matters in 2021 involved a personal representative (as in 2020) requesting access to a patient’s records.  Under HIPAA, a lawful healthcare decision maker for the patient must be treated as the patient with respect to access to records, subject to some limited exceptions.[6] 
  • Be sure that you are not overcharging for copies of medical records.  There is a common misconception that it is always appropriate to charge the per page maximum fee set by state law for copies.  That is incorrect.  When the patient requests copies, state law takes a backseat to the rules under HIPAA.  Those rules limit the fees that a provider can charge a patient for copies, regardless of state law, to a reasonable, cost-based fee. 
  • Avoid a defensive reaction to requests to send records to legal counsel.  When there is concern that a records request could have legal implications, providers should have an internal process for reviewing the records to identify any potential issues. If issues are identified, providers should notify the insurance carrier.  This review process, however, cannot interfere with a patient’s right to timely access to his or her records.
  • Review all policies and procedures related to the Right of Access requirements and ensure that staff are trained to address requests appropriately.  Just as delays without communicating with the patient will lead to complaints, inappropriate responses to patient requests similarly will lead to complaints.  Now is the perfect time to dust off your Right of Access policies, make changes where necessary and retrain on those policies. 

HIPAA Security Rule

For HIPAA enforcement years as far back as I can remember, HIPAA Security Rule failures result in the largest resolution amounts – often six, seven, or even eight figure settlements or penalties.  While there were only two HIPAA Security enforcement action resolutions in 2021, one carried a settlement amount of over $5 million and both involved the most common alleged HIPAA Security Rule violation:  failure to conduct an adequate risk analysis.

In the first matter, Excellus Health Plan, a New York based insurance provider, reported that a cyber-attack caused the impermissible disclosure of PHI including names, addresses, birth dates, email addresses, Social Security numbers, bank account information, health plan claims, and clinical treatment information.  During its investigation, OCR found potential HIPAA violations including failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, information system activity review, and access controls.  This hacking incident also went undetected for over a year.  As a result, Excellus Health Plan agreed to pay a sizeable $5.1 million settlement for potential violations of the HIPAA Privacy and Security Rules.

The second matter, which resulted in a much smaller settlement of $25,000, involved a contractor of the US Department of Veterans Affairs (VA), Authentidate Holding Corporation (AHC).   After the VA reported a breach related to its telehealth service managed by AHC, OCR initiated a compliance review of AHC as a business associate.  OCR found systemic noncompliance with the HIPAA Security Rule, including failures to conduct an enterprise-wide risk analysis, implement risk management and audit controls, and maintain documentation of HIPAA Security Rule policies and procedures.  This is an important reminder that business associates are not immune from OCR enforcement.

Compliance with the HIPAA Security Rule remains a significant challenge for providers.  However, it is critically important both in terms of avoiding OCR enforcement as well as staving off cyber-attacks.  If your organization has not done a comprehensive HIPAA risk analysis in a while, it should do so.  When there is a cyber incident resulting in a breach (not if, because it will happen), on the breach report, you must disclose whether the organization has performed a risk analysis.  If the answer is no, count on an OCR investigation. 

Conclusion

Like my predictions last year for future enforcement, I expect a continued focus on the Right of Access with increased intensity, higher settlement amounts, and more penalties for providers that do not cooperate.  The best way to avoid Right of Access issues is to follow the best practices outlined above.  Additionally, because cybersecurity issues are not going away, HIPAA Security Rule compliance will also remain a top enforcement priority.  Without doubt, OCR will continue to assess massive settlements and penalties for failing to comply.  These consistently steep settlements and penalties along with increasing frequency of cyber-attacks should motivate provider organizations to devote the time, effort and resources necessary to ensure HIPAA Security Rule compliance.  As Benjamin Franklin said “an ounce of prevention is worth a pound of cure.”    


[1] 45 CFR § 164.524.

[2] This concept is part of the broad theme of newly proposed changes to the HIPAA Privacy Rule.  See 86 FR 6446 (Jan. 21, 2021).

[3] 45 CFR § 164.524(b)(2)(i).

[4] 45 CFR § 164.524(b)(2)(ii).  Note that the newly proposed changes to the HIPAA Privacy Rule would modify both the initial 30-day window and the 30-day extension, seeking to reduce the response window to 15 days.

[5] 45 CFR § 164.524(d).

[6] 45 CFR § 164.502(g).