On March 29, 2024, and April 1, 2024, respectively, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced enforcement actions against an Oklahoma multi-facility organization specializing in nursing care and a New Jersey skilled nursing facility for alleged violations of the HIPAA Privacy Rule. In both instances, the facilities failed to provide requesting individuals with timely access to protected health information (PHI).
Background
The HIPAA Privacy Rule sets standards to protect individuals’ health information, establishes parameters and conditions on the uses and disclosures of PHI, and grants certain rights to individuals, including the right to access and obtain a copy of their information in a timely manner. Specifically, healthcare facilities and other covered entities are required to provide access to PHI maintained in a designated record set within 30 days of receiving a request from an individual or their personal representative. OCR clearly articulates in prior guidance that this 30-day timeframe is an outer limit, encouraging covered entities to provide access as soon as possible (supported further by the information blocking rule under the 21st Century Cures Act). In 2019, OCR launched its Right of Access Initiative, which focuses enforcement efforts on the provision of access in a timely manner and at a reasonable cost. The Right of Access Initiative remains an active enforcement area for OCR, and these recent examples serve to remind healthcare providers of the need for compliant processes for the provision of PHI access to personal representatives.
Phoenix Healthcare Enforcement Action
Phoenix Healthcare, LLC d/b/a Green Country Care Center (Phoenix Healthcare), an Oklahoma multi-facility nursing care organization, reached a settlement agreement with OCR on September 22, 2023, for an alleged violation of the HIPAA Privacy Rule after the daughter of a resident, who served as her mother’s personal representative, was not provided with access to her mother’s PHI for close to a year, despite making numerous requests.
The daughter filed a complaint with OCR in April 2019, alleging that Phoenix Healthcare would not provide her with a copy of her mother’s medical records. After OCR’s attempts to provide technical assistance to the organization and to obtain the records, Phoenix Healthcare provided the records to the daughter 323 days after the initial request.
The OCR enforcement process against Phoenix Healthcare appears to have been more involved than most Right of Access Initiative enforcement efforts. While the OCR announcement does not explain why OCR moved from technical assistance to pursuing a civil money penalty (CMP), the settlement agreement describes that, on March 30, 2021, OCR notified Phoenix Healthcare of its intent to impose a $250,000 CMP for failure to provide timely access to PHI; failure to impose a reasonable, cost-based fee in providing access to records; and failure to maintain satisfactory assurances before disclosing PHI to business associates. In response, on June 25, 2021, Phoenix Healthcare requested a hearing before an Administrative Law Judge (ALJ). On February 16, 2023, the ALJ upheld the HIPAA Privacy Rule violations referenced by OCR and agreed with OCR that Phoenix Healthcare acted with willful neglect. However, the ALJ reduced the CMP to $75,000.
On April 17, 2023, Phoenix Healthcare filed a notice of appeal and supporting written brief to contest the willful neglect determination and the CMP amount. On August 4, 2023, the HHS Departmental Appeals Board affirmed the decision to uphold the willful neglect determination and imposition of the CMP. After that decision, OCR and Phoenix Healthcare negotiated a settlement, with OCR agreeing, based on the financial hardship cited by Phoenix Healthcare, to accept a $35,000 financial settlement instead of the $75,000 CMP. The settlement agreement contains some of the terms typically included in corrective action plans with OCR, requiring Phoenix Healthcare to revise its HIPAA policies and procedures and provide signed attestations and training materials as proof that it distributed the updated policies and trained its workforce, among other actions.
Hackensack Meridian Health Enforcement Action
On April 1, 2024, OCR announced a $100,000 CMP against Essex Residential Care, LLC, d/b/a Hackensack Meridian Health, West Caldwell Care Center (Hackensack Meridian Health), a New Jersey skilled nursing facility. OCR investigated Hackensack Meridian Health after receiving a complaint in May 2020 alleging that Hackensack Meridian Health failed to provide a son, serving as his mother’s personal representative, access to his mother’s medical records even after the son provided the facility with documentation describing his authority as the personal representative. After OCR opened an investigation, Hackensack Meridian Health provided the requested records to the son 161 days after the initial request, a period that OCR refers to as “a significant period of time.”
OCR attempted to work with Hackensack Meridian Health to resolve the matter through a settlement and, while the Notice of Proposed Determination does not explain why that process was not successful, OCR ultimately notified the facility of its intent to impose a CMP. Hackensack Meridian Health, in a response to OCR, explained that the resident and the personal representative were parties to litigation with Hackensack Meridian Health; it is not clear if that was a reason why the facility did not provide access to the records, but that is not a permissible basis for a covered entity to deny access to PHI.
Hackensack Meridian Health waived its right to a hearing before an ALJ and did not challenge OCR’s findings. Consequently, OCR issued a Notice of Final Determination on January 12, 2024, imposing the $100,000 CMP.
Takeaways
Four years after its inception, the Right of Access Initiative remains an active area of enforcement for OCR, and OCR indicates that it will continue to take enforcement action over delays in providing access. While the vast majority of Right of Access Initiative enforcement actions to date involve financial settlements and corresponding corrective action plans, these two recent enforcement actions illustrate that OCR will pursue CMPs if the circumstances warrant.
Similar to previous Right of Access Initiative enforcement efforts, the alleged access delays by Phoenix Healthcare and Hackensack Meridian Health both involved requests for PHI by personal representatives. Such requests can be tricky for healthcare providers and other HIPAA covered entities to navigate, as the authority of a personal representative is dictated by state law. However, while OCR is clear that a healthcare provider may request documentation to verify a personal representative’s authority, as Hackensack Meridian Health did, the healthcare provider or other covered entity must not use the verification process to evade the Privacy Rule’s requirement to provide timely access. Covered entities should continue to emphasize to administrative and support staff handling medical records that time is of the essence when requests are received, both from personal representatives and directly from individuals. Workforce members should be trained on how to respond to requests from personal representatives, as well as on the reasonable cost requirements imposed by the HIPAA Privacy Rule and any corresponding cost limitations under state law.
Finally, while Phoenix Healthcare was successful in lowering the amount it ultimately paid to OCR, organizations contesting a proposed CMP and moving through the administrative hearing process likely spend significant personnel and legal resources to do so. Covered entities and business associates faced with an OCR investigation may be better served by devoting time and resources to responding to OCR at the outset and working with OCR’s technical assistance process to correct the conduct, as that may preclude OCR’s pursuit of a CMP or other financial settlement.