HHS Settlement Is Agency’s 45th HIPAA ‘Right of Access’ Enforcement Action
Four years ago, federal regulators started sending a message to healthcare entities about the need to give patients timely access to their health information. Insurer UnitedHealthcare, the 45th firm penalized for potential “right to access” violations, agreed to an $80,000 fine and corrective action.
The U.S. Department of Health and Human Services’ Office for Civil Rights on Thursday said UnitedHealthcare, which provides healthcare insurance to millions across the U.S., had agreed to settle a case involving potential HIPAA violations related to allegations that the company took six months to fulfill a health plan member’s request to access his protected health information.
In a statement, HHS OCR said that it had received three complaints in 2021 from the same individual alleging that UnitedHealthcare’s employer and individual business subsidiary, UHIC, did not respond to the health plan member’s request for a copy of his medical records, which was received by the insurer via mail at a post office box located in Utah.
HHS OCR said the individual had first requested his records in January 2021 but did not receive the documents until more than six months later, in July 2021, after the agency had initiated its investigation into the matter.
Once UHIC became aware of the issue through the OCR complaint, the insurer had immediately investigated, concluded that the oversight had been a result of employee error, and promptly had sent all requested records to the health plan member, HHS OCR said.
Nevertheless, OCR’s investigation determined that UHIC’s failure to provide timely access to the requested medical records had been a potential violation of the HIPAA “right of access” provision.
“Timely access to health information is one of the cornerstones of HIPAA. OCR will continue to ensure that covered entities with a record of delaying or denying access requests will be subject to enforcement,” said HHS OCR Director Melanie Fontes Rainer in a statement.
“Health insurers are not exempt from the right of access and must ensure that they are taking steps to train their workforce to ensure that they are doing all they can to help members’ access to health information,” she said.
In addition to the financial payment, under UnitedHealthcare’s resolution agreement with HHS OCR, the insurer is implementing a correction action plan.
Under the plan, UHIC must review and revise as needed its policies and procedures related to the HIPAA right of access to protected health information and distribute those policies and procedures to its workforce.
UnitedHealthcare in a statement provided to Information Security Media Group said, “We have long supported members’ timely access to their health information. We have addressed the cause of this issue and are sorry for any inconvenience it may have caused.”
HHS OCR has issued 44 other enforcement actions in “right of access” disputes since launching that HIPAA compliance initiative in April 2019.