HHS OCR's Latest HIPAA Enforcement Action20th 'Right of Access' Settlement, But When Will a New Director Be Named?
While the wait continues for the Biden administration to name a new leader for the Department of Health and Human Services' Office for Civil Rights, the HIPAA enforcement agency recently issued its 20th settlement to date in a case involving a patient "right of access" dispute.
HHS OCR in a statement last week said Omaha, Nebraska-based Children's Hospital & Medical Center has agreed to pay an $80,000 financial settlement and implement a corrective action plan for potential violations of the HIPAA right of access provision.
HHC OCR says that in May 2020, a parent filed a complaint with the agency alleging that CHMC had failed to provide her with timely access to her minor daughter's medical records. CHMC provided some records, but it did not provide all of the requested records to the parent, despite multiple follow-up requests.
OCR's investigation into the complaint determined that CHMC's failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard. Under that provision, a covered entity is required to take action on an access request within 30 days of receipt, or within 60 days if an extension is applicable.
As a result of OCR's investigation, the parent finally received all of the requested records, the statement notes.
"Generally, HIPAA requires covered entities to give parents timely access to their minor children's medical records, when the parent is the child's personal representative," said Robinsue Frohboese, OCR's acting director in the statement.
"OCR's right of access initiative supports patients' and personal representatives' fundamental right to their health information and underscores the importance of all covered entities' compliance with this essential right," she says.
Corrective Action Plan
CHMC's resolution agreement with OCR calls for the pediatric center to take a number of corrective actions, including:
- Review, and as necessary, revise its policies and procedures related the HIPAA right of access standard;
- Implement any revised access policies and procedures, and distribute them to its workforce;
- Provide revised training materials to all CHMC workforce members whose jobs duties deal with individual requests for access to records.
CHMC did not immediately respond to an Information Security Media Group request for comment on the settlement.
Other 2021 Settlements
HHS OCR launched its "right of access" enforcement initiative in April 2019. Since then, the agency's 20 settlements in these cases have included financial penalties ranging from $3,500 to $200,000.
Overall, HHS OCR has announced a total of nine HIPAA enforcement settlements totaling nearly $5.6 million so far in 2021. That includes seven "right of access" cases.
OCR's largest HIPAA settlement so far this year - $5.1 million - was announced in January with Excellus Health Plan. That settlement stemmed from a cyberattack reported in 2015 that affected 9.3 million individuals.
Collections from HIPAA settlements and civil monetary penalties are used to help fund OCR's HIPAA enforcement activities in subsequent fiscal budgets.
Meanwhile, nine months into the Biden administration, a new director for HHS OCR has yet to be named. Roger Severino - the agency's last director and longest serving leader to date - left in January at the end of the Trump administration. Severino held the position for all four years of Trump's term.
Since Severino's departure, Frohboese, an attorney, has served as acting director at the agency. During her 21-year tenure with OCR, Frohboese has held a variety of leadership positions, including acting OCR director during four administration transitions.
Privacy attorney Iliana Peters of the law firm Polsinelli says that while Frohboese has been with OCR many years and in many different capacities, she does not expect her to be appointed director, because her focus is primarily civil rights issues in healthcare, unrelated to data privacy and security.
Additionally, Peters - herself a former longtime senior adviser at OCR - notes that she's unaware of a career staff person ever being elevated to a political appointee at OCR.
"I am not surprised that appointment of a political appointee for director is taking a while, as that is typical for OCR, given the director position does not require Senate confirmation," Peters notes.
Most administrations prioritize appointments that require Senate confirmation and then address remaining appointments after those have been filled, she adds.
Some experts say that until HHS OCR finally names a new director, much of its critical HIPAA-related work - including ongoing rulemaking pertaining to a notice of proposed changes to the HIPAA privacy rule that was published in January - is stalled (see: The Final HIPAA Actions Under Trump Administration).
"It is an important position that should be filled," says privacy attorney Kirk Nahra of the law firm WilmerHale.
"I doubt the rule evaluation will move forward much until a new person is named, as there are some very complicated parts of the notice of proposed rulemaking discussion," he says.
Peters offers a similar assessment.
"I expect that once the [new] director is appointed, they will need time to get up to speed on all of OCR policy and enforcement priorities, both by the civil rights division at OCR and the health information privacy and security division at OCR," she says. "As such, I do not expect any HIPAA Rules changes until that process is complete."
In the meantime, some experts say they predict HHS OCR will remain focused on patient access issues as a top enforcement priority.
"I think OCR’s patient access initiative is a good example of how enforcement can call attention to and correct violations of patient privacy rights," says regulatory attorney Paul Hales of Hales Law Group.
"This may encourage the next OCR director to undertake many more specific HIPAA enforcement initiatives."
HHS OCR did not immediately respond to an ISMG request for comment.