
Locke Lord QuickStudy: 2021 HIPAA Enforcement Update – OCR Focus on Rights of Access Continues

Locke Lord LLP
May 13, 2021

From January 2021 through April 2021, the Department of Health and Human Services, Office for Civil Rights (OCR) announced six settlement agreements to resolve allegations of Health Insurance Portability and Accountability Act (HIPAA) violations. Five of these settlements were in relation to OCR’s HIPAA Right of Access Initiative. The one remaining settlement thus far in 2021 centers on risks resulting from a cybersecurity incident and inadequate internal security processes.

Settlement Following Data Breach

On January 15, 2021, HHS announced a $5.1 million settlement with Excellus Health Plan, Inc. for potential violations of the HIPAA Privacy and Security Rules related to a breach affecting over 9.3 million people. In September 2015, Excellus Health Plan filed a breach report stating that cyber-attackers had gained unauthorized access to its information technology systems. Excellus Health Plan reported that the breach began on or before December 23, 2013 and ended on May 11, 2015. The hackers installed malware and conducted reconnaissance activities that ultimately resulted in the impermissible disclosure of the protected health information of more than 9.3 million individuals, including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, health plan claims, and clinical treatment information. OCR’s investigation found potential violations of the HIPAA Rules, including failure to conduct an enterprise-wide risk analysis and failures to implement risk management, information system activity review, and access controls.

In its press release announcing the settlement, OCR expressed particular concern with its finding that hackers roamed inside the Excellus health record system undetected for over a year, a gap that the information system activity review and access control requirements of the Security Rule are designed to close. OCR emphasized that “[h]acking continues to be the greatest threat to the privacy and security of individuals’ health information” and that covered entities must “step up their game” to protect the privacy of people’s health information from sophisticated hackers.

Settlements for Rights of Access Violations

In 2019, OCR announced the creation of its Right of Access Initiative, intended to support individuals’ right of timely access to their health records. To date, OCR has settled 18 investigations related to its Right of Access Initiative. From the beginning of 2021 through the end of April 2021, five of the six settlements OCR announced have been in relation to the HIPAA Right of Access Initiative, and are as follows:

  • On January 12, 2021, Banner Health, on behalf of the Banner Health affiliated covered entities (Banner Health ACE), agreed to take corrective actions and pay $200,000 to settle potential violations of the HIPAA Privacy Rule’s right of access standard. OCR received two complaints filed against Banner Health ACE entities. The first complaint alleged that the individual requested access to her medical records in December 2017 and did not receive the records until May 2018. The second complaint alleged that the individual requested access to an electronic copy of his records in September 2019 and the records were not sent until February 2020. OCR's investigation determined that the Banner Health ACE entities' failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard.
  • On February 10, 2021, OCR announced that Renown Health, P.C., a private, not-for-profit health system in Nevada, agreed to take corrective actions and pay $75,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. In February 2019, OCR received a complaint alleging that Renown Health failed to timely respond to a patient’s request that an electronic copy of her protected health information, including billing records, be sent to a third party.
  • On February 12, 2021, OCR announced that Sharp Rees-Stealy Medical Centers (“SRMC”) agreed to take corrective actions and pay $70,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. In June 2019, a complaint was filed with OCR alleging that SRMC failed to take timely action in response to a patient's records access request directing that an electronic copy of protected health information in an electronic health record be sent to a third party. OCR provided SRMC with technical assistance on the HIPAA Right of Access requirements. In August 2019, OCR received a second complaint alleging that SRMC still had not responded to the patient's records access request. OCR initiated an investigation and determined that SRMC's failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard.
  • On March 24, 2021, OCR announced that Arbour Hospital ("Arbour") agreed to take corrective actions and pay $65,000 to settle a potential violation of the HIPAA Privacy Rule's right of access standard. In July 2019, a complaint was filed with OCR alleging that Arbour failed to take timely action in response to a patient's records access request made in May 2019. OCR provided Arbour with technical assistance on the HIPAA Right of Access requirements. Later in July 2019, OCR received a second complaint alleging that Arbour still had not responded to the same patient's records access request. OCR initiated an investigation and determined that Arbour's failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard.
  • On March 26, 2021, OCR announced that Village Plastic Surgery ("VPS") agreed to take corrective actions and pay $30,000 to settle a potential violation of the HIPAA Privacy Rule's right of access standard. In September 2019, a complaint was filed with OCR alleging that VPS failed to take timely action in response to a patient's records access request made in August 2019.

On January 21, 2021, HHS released proposed modifications to the HIPAA Privacy Rule that, if finalized, will affect an individual’s right of access. The proposed rule would shorten a covered entity’s response time for right of access requests to no later than 15 calendar days (with the possibility of a one-time 15 calendar day extension), down from the current 30 days. HHS is also proposing to expressly prohibit a covered entity from imposing unreasonable measures on an individual exercising the right of access that create a barrier to access or an unreasonable delay. The comment period for the proposed rule closed on May 6, 2021.