Right of Access Initiative
The Office for Civil Rights (“OCR”) continues to vigorously enforce an individual’s right to access their medical records. OCR recently announced the nineteenth settlement as part of its Right of Access Initiative.
In 2019 OCR announced that it planned to focus its enforcement efforts on ensuring that patients receive their medical records in a timely manner consistent with the format and fee requirements set forth under the HIPAA Privacy Rule. Since that time, OCR has entered into nineteen settlements ranging from $5,000 to $200,000, including several settlements involving solo providers, to address entities’ failure to provide patients access to their medical records. OCR has announced five of those settlements since January, despite the change in administration, which typically results in a pause in settlement cases for at least a few months until the new leadership is brought up to speed.
As part of the most recent settlement, the Diabetes, Endocrinology & Lipidology Center, Inc. (“DELC”), a West Virginia-based practice providing treatment for endocrine disorders, agreed to take corrective actions and pay $5,000 after failing to provide a mother access to her minor child’s medical records. According to OCR, the mother requested the records in July 2019, but DELC did not provide them until May 2021, almost two years after the mother made the initial request and well beyond the 30-day period required under HIPAA. Similar to other settlements under the Right of Access Initiative, DELC also agreed to a Corrective Action Plan (“CAP”) with a two-year monitoring period that requires it to take the following actions:
- Review and revise its policies and procedures related to an individual’s access to PHI;
- Provide annual training and training materials to all workforce members concerning an individual’s access to PHI; and
- Submit a list of requests for access to PHI received by DELC every ninety days during the term of the CAP.
Based on OCR’s continued focus on enforcement of an individual’s right of access, entities should prioritize responding to access requests in a compliant manner and address any access-related issues that are brought to their attention immediately.
Recent Security Rule Settlements
In addition to the Right of Access Initiative settlements, OCR has entered into two additional settlements to resolve potential violations of the HIPAA Security Rule during the past several months. In May, OCR announced that Peachstate Health Management, LLC, dba AEON Clinical Laboratories (“Peachstate”), a Georgia lab certified under the Clinical Laboratory Improvement Amendments of 1988 (“CLIA”), agreed to pay $25,000 to OCR. OCR initiated a review of Peachstate’s HIPAA compliance in December 2017 as a result of OCR’s review of Peachstate’s parent company, related to a breach experienced by the parent company. OCR’s investigation of Peachstate found systemic noncompliance with the HIPAA Security Rule, including failures to conduct an enterprise-wide risk analysis, implement risk management and audit controls, and document HIPAA Security Rule policies and procedures. In addition to paying $25,000 to settle the case, Peachstate agreed to a relatively robust CAP, which included engaging an independent monitor and a three-year monitoring period.
In January, Excellus Health Plan, Inc. (“Excellus”), a health plan based in New York, agreed to pay $5.1 million related to a breach affecting over 9.3 million people. Excellus reported that cyber-attackers gained access to its information systems on or before December 23, 2013, with that access continuing until May 11, 2015. OCR’s investigation determined that Excellus failed to conduct an enterprise-wide risk analysis and to implement risk management, information system activity review, and access controls.
In addition to the HIPAA Security Rule’s risk analysis and risk management implementation specifications, entities continue to struggle with information system activity review. We recommend ensuring that your organization regularly reviews records of information system activity, such as audit logs and access reports, for any unusual activity that may identify security incidents.
Recognized Security Practices
At the beginning of January 2021, the previous administration signed into law H.R. 7898, which amends the Health Information Technology for Economic and Clinical Health (“HITECH”) Act to require HHS to consider covered entities’ and business associates’ implementation of “recognized security practices,” when imposing fines or penalties under the HIPAA Security Rule.
Although HHS has not undertaken a formal rulemaking process, and the statute has not yet been implemented, OCR has begun requesting the following evidence of entities’ implementation of “recognized security practices” as part of ongoing investigations:
- Policies and procedures related to the implementation of “recognized security practices”;
- Completed project plans or similar documentation showing the dates of implementation of “recognized security practices”;
- Documentation explaining how “recognized security practices” are implemented (e.g., the scope of implementation throughout the entity);
- Names of any individuals responsible for ensuring “recognized security practices” are implemented by the entity’s workforce members;
- Training materials provided to workforce members regarding “recognized security practices” and the dates of such training; and
- Documentation showing whether the “recognized security practices” were developed under:
  - Section 2(c)(15) of the National Institute of Standards and Technology (“NIST”) Act;
  - Section 405(d) of the Cybersecurity Act of 2015; and/or
  - Other programs and processes addressing cybersecurity that are developed, recognized, or promulgated through regulations under other statutory authorities.
While it is still unclear what HHS considers “recognized security practices,” it seems likely that implementation of any of the following security standards would arguably satisfy the Act’s documentation requirements: NIST Special Publications Guidance, Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients Guidance, and any additional programs that address specific legal requirements.
Abby E. Bonjean