Starting in 2019, the Department of Health and Human Services Office for Civil Rights (“OCR”) has taken an increased interest in protecting patients’ right of access to protected health information (“PHI”) under the Health Insurance Portability and Accountability Act (“HIPAA”). Over the past twenty months, OCR has announced nineteen settlements under its Right of Access Initiative (“Initiative”), demonstrating OCR’s continued commitment to enforcing patients’ rights. Reed Smith has closely tracked this Initiative. Additional commentary on the Initiative and the associated settlements can be found here, and here.

Under HIPAA, “an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for: (i) psychotherapy notes; and (ii) information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.” Once a request for access has been made, the covered entity must act on the request “no later than 30 days after receipt of the request….” The Initiative focuses on enforcing these duties under HIPAA and holding to account those who fail to comply.

The first settlement, which was announced on September 9, 2019, arose from a mother’s complaint alleging that Bayfront Health St. Petersburg (“Bayfront”) failed to provide timely access to her child’s prenatal medical records. Bayfront paid $85,000 to OCR and agreed to one year of monitoring to settle the potential violation of the right of access provision of HIPAA. At the time, then-OCR Director Roger Severino stated, “Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law. We aim to hold the health care industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.” This statement and settlement demonstrate that OCR views the Initiative as central to furthering not only the agency’s directive to protect patients’ rights, but also to making healthcare more affordable and keeping patients informed about their health.

The organizations that have been subject to OCR scrutiny under this Initiative vary widely. Since the inception of the Initiative, OCR has taken action against a range of regulated entities, from private practitioners to one of the largest health care systems in the United States. The nineteen settlements targeted covered entities located across a dozen states, and involved varied medical specialties, including, but not limited to, mental health, plastic surgery, pain management, and endocrinology. The complainants that initiated these investigations also reflect the varied contexts in which requests for access are made, such as patients seeking their own PHI, parents requesting their child’s records, and a child asking for her father’s medical records. Although the settlements varied widely under the Initiative (ranging from $3,500 to $200,000), most settlements have been within a range of tens of thousands of dollars. Additionally, all of the nineteen settlements include corrective action plans, which mandate OCR monitoring for a period of one or two years.

In determining the payment of civil monetary penalties (in the event the regulated entity and OCR cannot come to a settlement), OCR is directed to consider multiple factors, including (i) the nature and extent of the HIPAA violation; (ii) the harm resulting from the violation; (iii) the regulated entity’s history with respect to compliance with the HIPAA rules; (iv) the financial condition of the regulated entity, including its size; and (v) recognized security practices.

Notably, in many of these cases, the payment of a settlement amount came after OCR, in response to a patient complaint, provided technical assistance to the regulated entity regarding how to comply with HIPAA right of access requirements. In these instances, the regulated entity’s continued failure to address the request for access resulted in a second complaint, an investigation by OCR, and, ultimately, a financial settlement and additional monitoring.

For example, in March 2021, OCR announced a settlement with The Arbour, Inc. (“Arbour”), a Massachusetts-based covered entity that provides behavioral health services. After a patient filed an initial complaint alleging that Arbour failed to take timely action in response to a record request, OCR provided Arbour with technical assistance regarding its right of access duties under HIPAA. Following OCR’s provision of technical assistance, the patient filed a second complaint with OCR claiming that Arbour continued to fail to respond to the patient’s request. In the settlement, Arbour agreed to pay $65,000 and undertake a corrective action plan that included one year of monitoring. At the time the settlement was announced, Acting OCR Director Robinsue Frohboese said, “Health care providers have a duty to provide their patients with timely access to their own health records, and OCR will hold providers accountable to this obligation so that patients can exercise their rights and get needed health information to be active participants in their health care.” In nine of the nineteen settlements under the Initiative, OCR has reported providing technical assistance before enforcement action was taken in response to a second complaint.

An important lesson for the industry is that it is crucial for regulated entities to promptly provide patients with requested PHI and to respond to OCR if the agency reaches out to provide technical assistance.