OCR HIPAA Privacy Rule Enforcement Roundup: Right of Access Initiative and Improper PHI Disposal
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has been busy over the past month announcing new enforcement actions and settlement agreements related to violations of the Privacy Rule implemented under the Health Insurance Portability and Accountability Act (HIPAA). OCR’s latest actions offer a reminder for HIPAA Covered Entities that Privacy Rule enforcement activity can come in a variety of types and sizes.
Most recently, OCR demonstrated its continued interest in enforcing the Privacy Rule’s patient right of access to medical records pursuant to its HIPAA Right of Access Initiative, which began in 2019. Three dental practices alleged to be in violation have agreed to pay resolution amounts to HHS and enter into corrective action plans (CAPs). In general, a HIPAA Covered Entity must act on an individual’s request for access to protected health information (PHI) no later than 30 calendar days after receiving the request, either by providing the requested access (in whole or in part) or by issuing a written denial. If the Covered Entity cannot act within that period, for example because the PHI is not readily accessible, it may take a single extension of no more than 30 additional days, but only if, within the original 30 days, it gives the individual a written statement of the reasons for the delay and the date by which it will complete its action on the request. OCR considers 30 calendar days to be the outer bound for responding to individuals’ requests and recommends that Covered Entities respond under these right of access rules as soon as possible.
Two practices – Family Dental Care, P.C., which agreed to a resolution amount of $30,000 with OCR, and B. Steven L. Hardy, D.D.S., LTD, which agreed to a resolution amount of $25,000 – were alleged to have failed to provide patients with timely access to their medical records by taking more than 30 days to provide complete records to individuals. The third practice, Great Expressions Dental Center of Georgia, P.C., in addition to not providing timely access to the requested medical records, purportedly assessed individuals copying fees that were not reasonable or cost-based and agreed to a resolution amount of $80,000.
The respective CAPs all require the entities to, among other obligations, update their HIPAA policies and procedures to ensure individual rights of access are covered and are in compliance with the Privacy Rule. The CAPs also oblige the entities to ensure they properly distribute the updated policies and procedures to workforce members following HHS approval.
Regardless of the size of the resolution amounts, the fact that there are now 41 total right of access enforcement actions speaks to OCR’s dedication to ensuring entities comply with this portion of the Privacy Rule (see Mintz’s 2019 post published after the Right of Access Initiative was launched). HHS’s FAQs on access rights under HIPAA can also be a helpful resource for entities looking to enhance or update the individual right of access sections of their HIPAA policies and procedures.
Breach Settlement: Improper Disposal of PHI
OCR also reached a settlement with New England Dermatology P.C., d/b/a New England Dermatology and Laser Center (NEDLC), in late August 2022 after determining that NEDLC had improperly disposed of PHI.
According to NEDLC’s breach report to OCR, filed on May 11, 2021, over the course of about 10 years the practice had routinely placed empty specimen containers bearing PHI on their labels in a garbage bin located in one of the practice’s publicly accessible parking lots. The containers’ labels included patient names and dates of birth, dates of sample collection, and the names of the providers who collected the specimens.
The Privacy Rule requires Covered Entities to maintain appropriate administrative, technical, and physical safeguards to protect the privacy of PHI, to reasonably safeguard PHI from impermissible uses and disclosures, and to limit incidental uses and disclosures; those safeguards extend to the disposal of PHI. OCR contended that NEDLC violated the Privacy Rule because it (i) did not maintain appropriate safeguards to protect the privacy of PHI; and (ii) impermissibly disclosed PHI to unauthorized individuals. As part of the CAP resolving the investigation, NEDLC agreed to update its HIPAA policies and procedures, including around individual rights of access under the Privacy Rule, to ensure it properly distributes those policies and procedures to workforce members following HHS approval, and to pay HHS a resolution amount of $300,640.
OCR has longstanding FAQs concerning HIPAA and the proper disposal of PHI, including PHI in paper form and on labels, containers, and other physical media. This recent settlement serves as an additional reminder that not all breaches result from high-tech lapses, and that proper handling, disposal, and destruction of tangible PHI remain staples of an effective HIPAA compliance program.