Potential HIPAA Right of Access Violation Settled for $80,000
The UnitedHealthcare Insurance Company (UHIC) has agreed to settle an alleged failure to provide timely access to Protected Health Information for $80,000. The voluntary resolution agreement also requires the company to comply with a Corrective Action Plan for a minimum of a year.
In 2019, the Department of Health and Human Services’ Office for Civil Rights (OCR) launched an enforcement initiative in response to an increasing number of complaints alleging violations of 45 CFR §164.524 – the access of individuals to Protected Health Information (PHI). To date, the agency has investigated hundreds of complaints and reached settlement agreements in forty-five cases.
The latest settlement agreement relates to a complaint made against UHIC by a customer who had requested a copy of their PHI in January 2021. When the request was not responded to within the allowed time, the customer complained to OCR. The agency initiated an investigation in April 2021, but it was not until July that the customer received the PHI they had requested six months earlier.
According to the resolution agreement, when UHIC was made aware of the issue by OCR, the company conducted its own internal investigation and determined that the compliance failure was attributable to an employee oversight. Despite the company’s cooperation during the investigation, OCR concluded UHIC had failed to provide timely access to PHI in violation of 45 CFR §164.524.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
In addition to settling the alleged violation for $80,000, UHIC has agreed to comply with a Corrective Action Plan for a minimum of a year. The Plan requires UHIC to revise where appropriate its policies and procedures relating to customer access requests, distribute revised policies to its workforce, and provide material change training to members of the workforce affected by the change.
The Corrective Action Plan also requires UHIC to submit quarterly reports to OCR listing the dates when access requests are received, the dates they are responded to and the fees charged to individuals. The reports will also have to provide OCR with information relating to the format of access requested, the format provided, and – if requested on paper – the number of pages provided.
In the press release accompanying the announcement of the settlement, OCR Director Melanie Fontes Rainer said:
“Timely access to health information is one of the cornerstones of HIPAA. OCR will continue to ensure that covered entities with a record of delaying or denying access requests will be subject to enforcement. Health insurers are not exempt from the right of access and must ensure that they are taking steps to train their workforce to ensure that they are doing all they can to help members’ access to health information.”