The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has announced a settlement with UnitedHealthcare Insurance Company (UHIC), a health insurer that provides insurance coverage to millions of individuals across the U.S., concerning a potential violation of the HIPAA Privacy Rule’s right of access provision.
Right of Access is Still a Top Enforcement Priority
The rule requires that patients be able to access their health information in a timely manner. This investigation marks the 45th Right of Access case to be resolved via voluntary settlement. UHIC agreed to implement a corrective action plan and pay $80,000 to resolve the investigation.
“Timely access to health information is one of the cornerstones of HIPAA. OCR will continue to ensure that covered entities with a record of delaying or denying access requests will be subject to enforcement,” said OCR Director, Melanie Fontes Rainer. “Health insurers are not exempt from the right of access and must ensure that they are taking steps to train their workforce to ensure that they are doing all they can to help members’ access to health information.”
In March 2021, OCR received a complaint alleging that UHIC did not respond to an individual’s request for a copy of their medical record. The individual first requested a copy of their records on January 7, 2021, but did not receive the records until July 2021, after OCR initiated its investigation. This was the third complaint OCR received from the complainant against UHIC alleging failures to respond to his right of access. OCR’s investigation determined that UHIC’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access provision.
In addition to the monetary settlement, UHIC also agreed to implement a corrective action plan that includes one year of monitoring by OCR. A copy of the resolution agreement and corrective action plan may be found here.
Right of Access Rule Review
- Patient may choose the form and format of the records – paper or electronic and delivered by mail or email.
- Produce the records promptly, but take no longer than 30 days unless there is a good reason for more time. If so, notify the patient that another 30 days will be needed. NOTE: if State law is stricter than HIPAA, follow the State. California, for example, requires copies to be provided within 15 days, or access to view them during business hours within five days
- Fees, if any, should be minimal. NOTE: due to a 2020 lawsuit (Ciox Health vs. Alex Azar), a higher fee may be charged when a patient requests records be sent to a third party.
- Don’t confuse the right of access (for the individual) with a required HIPAA authorization (a third party)