HHS Office for Civil Rights Enforcement Update

Right of Access Initiative

The Office for Civil Rights (“OCR”) continues to vigorously enforce an individual’s right to access their medical records.  OCR recently announced the nineteenth settlement as part of their Right of Access Initiative.

In 2019 OCR announced that it planned to focus its enforcement efforts on ensuring that patients receive their medical records in a timely manner consistent with the format and fee requirements set forth under the HIPAA Privacy Rule.  Since that time, OCR has entered into nineteen settlements ranging from $5,000 to $200,000, including several settlements involving solo providers, to address entities’ failure to provide patients access to their medical records.  OCR has announced five of those settlements since January, despite the change in administration, which typically results in a pause in settlement cases for at least a few months until the new leadership is brought up to speed.

As part of the most recent settlement, the Diabetes, Endocrinology & Lipidology Center, Inc. (“DELC”), a West Virginia-based practice providing treatment for endocrine disorders, agreed to take corrective actions and pay $5,000 after failing to provide a mother access to her minor child’s medical records.  According to OCR, the mother requested the records in July 2019, but DELC did not provide them until May 2021, almost two years after the mother made the initial request and well beyond the 30-day period required under HIPAA.  Similar to other settlements under the Right of Access Initiative, DELC also agreed to a Corrective Action Plan (“CAP”) with a two-year monitoring period that requires it to take the following actions:

  • Review and revise its policies and procedures related to an individual’s access to PHI;
  • Provide annual training and training materials to all workforce members concerning an individual’s access to PHI; and
  • Submit a list of requests for access to PHI received by DELC every ninety days during the term of the CAP.

Based on OCR’s continued focus on enforcement of an individual’s right of access, entities should prioritize responding to access requests in a compliant manner and address any access-related issues that are brought to their attention immediately.

Recent Security Rule Settlements

In addition to the Right of Access Initiative settlements, OCR has entered into two additional settlements to resolve potential violations of the HIPAA Security Rule during the past several months.  In May, OCR announced that Peachstate Health Management, LLC, dba AEON Clinical Laboratories (“Peachstate”), a Georgia lab certified under the Clinical Laboratory Improvement Amendments of 1988 (“CLIA”), agreed to pay $25,000 to OCR.  OCR initiated a review of Peachstate’s HIPAA compliance in December 2017 as a result of OCR’s review of Peachstate’s parent company, related to a breach experienced by the parent company.  OCR’s investigation of Peachstate found systemic noncompliance with the HIPAA Security Rule, including failures to conduct an enterprise-wide risk analysis, implement risk management and audit controls, and document HIPAA Security Rule policies and procedures.  In addition to paying $25,000 to settle the case, Peachstate agreed to a relatively robust CAP, which included engaging an independent monitor and a three-year monitoring period.

In January, Excellus Health Plan, Inc. (“Excellus”), a health plan based in New York, agreed to pay $5.1 million related to a breach affecting over 9.3 million people.  Excellus reported that cyber-attackers had access to its information systems from on or before December 23, 2013, until May 11, 2015.  OCR’s investigation determined that Excellus failed to conduct an enterprise-wide risk analysis and failed to implement risk management, information system activity review, and access controls.

In addition to the HIPAA Security Rule’s risk analysis and risk management implementation specifications, entities continue to struggle with information system activity review.  We recommend ensuring that your organization regularly reviews records of information system activity, such as audit logs and access reports, for any unusual activity that may identify security incidents.

Recognized Security Practices

At the beginning of January 2021, the previous administration signed into law H.R. 7898, which amends the Health Information Technology for Economic and Clinical Health (“HITECH”) Act to require HHS to consider covered entities’ and business associates’ implementation of “recognized security practices,” when imposing fines or penalties under the HIPAA Security Rule.

Although HHS has not undertaken a formal rulemaking process, and the statute has not yet been implemented, OCR has begun requesting the following evidence of entities’ implementation of “recognized security practices” as part of ongoing investigations:

  • Policies and procedures related to the implementation of “recognized security practices”;
  • Completed project plans or similar documentation showing the dates of implementation of “recognized security practices”;
  • Documentation explaining how “recognized security practices” are implemented (e.g., the scope of implementation throughout the entity);
  • Names of any individual responsible for ensuring “recognized security practices” are implemented by the entity’s workforce members;
  • Training materials provided to workforce members regarding “recognized security practices” and the dates of such training; and
  • Documentation showing whether the “recognized security practices” were developed under:
    • Section 2(c)(15) of the National Institute of Standards and Technology (“NIST”) Act;
    • Section 405(d) of the Cybersecurity Act of 2015; and/or
    • Other programs and processes addressing cybersecurity that are developed, recognized, or promulgated through regulations under other statutory authorities.

While it is still unclear what HHS considers “recognized security practices,” it seems likely that implementation of any of the following security standards would arguably satisfy the Act’s documentation requirements: NIST Special Publications Guidance, Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients Guidance, and any additional programs that address specific legal requirements.

Article By

Abby E. Bonjean

Polsinelli PC

Dealing with the New Corporate Transparency Act

The Corporate Transparency Act (the “CTA”) was adopted on January 1, 2021, to combat the laundering of illicit funds through anonymous “shell” companies.

The CTA will require certain corporations and limited liability companies to file reports with the Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”), identifying all of the reporting entity’s “beneficial owners.”

Time for Compliance

Although the CTA already is in effect, companies still have time to learn and understand the reporting requirements — they begin only after final implementing regulations are promulgated by the Secretary of the Treasury.  These rules are supposed to be in effect no later than January 1, 2022, and may be effective sooner given overwhelming bipartisan support for the CTA. Existing companies will have two years to file initial reports, while newly formed companies (or those newly registered to do business in the US) will be required to file an initial report upon formation or registration. In both cases, changes in company beneficial owners must be reported within one year.

Beneficial Owner

Subject to certain exceptions, a “beneficial owner” is defined in the CTA as “any individual who, directly or indirectly, through any contract, arrangement, understanding, relationship, or otherwise, (i) exercises substantial control over the entity; or (ii) owns or controls not less than 25 percent of the ownership interests of the entity.” Although the CTA does not define “substantial control,” FinCEN probably will clarify that phrase with implementing regulations or other guidance.

Note that “applicants” who file an application to form an entity covered by the CTA (or register a covered foreign company to do business in the U.S.) must report the same information as beneficial owners.

Reporting Requirements

Information Required:  The information to be reported for each beneficial owner is simple:

  • full legal name;
  • birth date;
  • residential or business street address; and
  • a unique identifying number from an acceptable identification document;
    • U.S. passport;
    • state driver’s license;
    • another state-issued identification document; or
    • a current non-U.S. passport for individuals who do not hold any U.S.-issued identification documents.

Exclusions:  As the CTA is primarily targeted at shell companies, it excludes broad categories of publicly traded, regulated, nonprofit and government entities. It also excludes any company that:

  • employs more than 20 full-time employees in the United States;
  • annually reports more than $5 million in gross receipts or sales to the IRS; and
  • has an operating presence at a physical office within the U.S.


No information FinCEN collects is to be made publicly available. The CTA even imposes penalties for unlawful disclosure of reported information. In keeping with its purpose, however, the CTA allows FinCEN to disclose beneficial ownership information, upon request, to:

  • federal law enforcement agencies, including those requesting information on behalf of a non-U.S. law enforcement agency;
  • with the consent of the reporting company, to certain financial institutions; and
  • state, local, and tribal law enforcement agencies pursuant to court order.


Willful failure to report, or the submission of a report containing false or fraudulent information, is subject to a penalty of $500 per day, and/or a maximum penalty of $10,000 and up to 2 years imprisonment. Even if incorrect information is reported, however, no penalty will be imposed if such information is “voluntarily and promptly” corrected within 90 days.

Further Information

If you have questions regarding whether your company will be required to comply with the CTA, the time to act is now.


Michael E. Kohagen
Ward and Smith, P.A.

Congressional Efforts to Develop Surprise Bill Legislation

Federal lawmakers are debating legislation to address surprise medical bills that, if passed in its current form, would significantly impact how hospitals, physicians and insurers negotiate payment for the provision of certain out-of-network services. A bipartisan coalition led by Senator Lamar Alexander (R-Tennessee), Chairman of the Senate Health, Education, Labor and Pension Committee, and Senator Patty Murray (D-Washington) aims to present to the President for signature a bill to curb surprise billing practices by the end of the year.

Instances of surprise medical billing frequently arise in emergency care situations, where patients often lack the capacity to select the emergency room, their treating physician, or their ambulance provider. Surprise medical billing also occurs in scheduled-care settings, where a patient receives planned services from an in-network provider, but other out-of-network ancillary physicians and providers participate in the course of care.  In the absence of governing state or federal law, when an insured individual receives care from an out-of-network provider, the insurer pays the lower contracted in-network rate and the out-of-network provider then bills the patient for the remaining balance, resulting in a practice known as surprise medical billing or balance billing.

Currently, twenty-five states have enacted laws to address surprise billing. However, in the absence of federal legislation, a substantial number of patients covered under health plans regulated by the federal Employee Retirement Income Security Act of 1974 (ERISA) are not subject to state regulation of surprise bills, thus prompting Congress to look into the issue.

There is a clear appetite on Capitol Hill to address surprise billing, with one policy gaining unanimous support among lawmakers — holding patients harmless from surprise medical bills. Legislators appear to agree that surprise billing should be prohibited even in instances where the patient received scheduled rather than emergency care, and therefore had greater opportunities to discover that a provider from whom they were to receive care was out-of-network.  Despite this broad consensus, however, lawmakers disagree over the proper payment dispute resolution mechanism for non-contracted providers, leaving a legislative solution very much in-flux.

At issue is a choice between three payment dispute resolution models.

One proposal, modeled after the “baseball-style arbitration” approach currently in effect for surprise bills in New York, would require an insurer and a provider — if the parties are unable to reach an agreement — to enter into a formal dispute resolution process wherein each would present to an independent arbitrator their best offer for how much an out-of-network service should cost. The arbitrator would then choose between the two proposals. A recent report by the New York State Health Foundation indicates that the policy has had at least some effect in lowering out-of-network billing for emergency care.  However, it is unclear whether a federal legislative fix will ultimately follow New York’s lead.

A second legislative proposal, referred to as network matching or an in-network guarantee, would require a facility-based provider to either contract with every insurer that the facility accepts or secure alternative payment from the hospital rather than the insurer. In fact, Senator Alexander had expressed an early preference for this approach and had included the policy in the initial Committee draft of the bill. However, in response to vocal opposition from hospitals and providers, he and Senator Murray ultimately eschewed the in-network guarantee in favor of a third alternative, known as benchmarking.

Benchmarking would require insurers to pay out-of-network providers the median in-network negotiated rate for the service in the geographic area where that service was delivered. This alternative to resolving payment largely mirrors the original proposal offered by Chairman Frank Pallone (D-New Jersey) and Ranking Member Greg Walden (R-Oregon) of the House Energy and Commerce Committee, who have crafted their own version of the bill. However, the House bill includes an arbitration backstop: providers and insurers would be allowed to appeal to a neutral arbiter the median in-network rate in cases where it exceeds $1,250. Moreover, the current Senate version of the bill also extends the benchmarking policy to air ambulances, with Sen. Alexander noting that nearly 70% of transports by air ambulances were out-of-network in 2017, according to the Government Accountability Office.

Stakeholders should also take specific note of the preemption provisions in the proposed legislation. Notwithstanding ERISA, except with respect to self-insured group health plans, the Senate bill would not interfere with or pre-empt state solutions for out-of-network payment dispute resolution mechanisms. Rather, the provisions of the Senate bill would only apply to group health plans or health insurance coverage in an individual or group market offered in a state that has not enacted a dispute resolution process for non-contracted provider payment. The provisions would also be limited to self-insured group health plans that are not subject to state insurance regulation.

Similarly, the House bill provides that federal law shall not supersede any existing state laws that set a benchmark or provide for an arbitration process for the fully insured plans that the state may regulate.  As a result, one criticism of the initial draft legislation was that it would allow state laws that have less robust protections than federal law to preempt federal law. Certain stakeholders recommended clarification that federal law applies unless state law is equally or more robust. Despite those concerns, however, the preemption provisions were not amended in the version of the bill that was voted out of Committee. An amendment to clarify federal preemption could still be offered on the floor; however, as of now those criticisms remain intact.

Looking forward, while a broad coalition of health payers and employer benefit groups successfully lobbied Senators to include the benchmarking proposal, an equally broad coalition of hospital and provider groups was able to amend the House bill to include the arbitration backstop. While at this writing there is legislative momentum for a pathway that allows payors and providers to arbitrate at least some claims, the House and Senate are not yet in sync over the issue, and so the shape of a final legislative solution is presently unclear. EBG will continue to monitor the progress of federal legislation and will provide further updates as they are known.

Christopher Taylor, a 2019 Summer Associate (not admitted to the practice of law) in the firm’s Washington, DC, office, contributed significantly to the preparation of this post.