Emerging Trends in OCR’s Right of Access Initiative and Implications for Business Associates

21 Apr 2021
Client Alert

The U.S. Department of Health and Human Services Office for Civil Rights’ (“OCR”) 2021 enforcement actions started with a bang, with five Right of Access Initiative settlements in the first three months of the year. Under the Right of Access Initiative, OCR has aimed to support individuals’ right to timely access of their Protected Health Information (“PHI”)[1] and has targeted covered entities’ non-compliance with fulfilling HIPAA’s right of access requirements. While the emerging enforcement trends from this Initiative are particularly relevant for covered entities, they also have important implications for business associates, especially with respect to contractual obligations and liabilities under business associate agreements (BAAs). Below, we analyze these trends and implications and provide our recommendations for how business associates may best address their right-of-access obligations and ensure compliance.

Key Takeaways

It’s clear from OCR’s activity under its Right of Access Initiative that:

  • OCR pursues enforcement actions against covered entities, big and small, across a wide range of sub-industries;
  • partial compliance is not sufficient; entities must also comply when patients direct that an electronic copy of their PHI be sent to a third party, or risk enforcement; and
  • entities should pay attention when OCR provides technical assistance regarding access requests. 

Further, while the right of access is a covered entity’s obligation under HIPAA, and one that a business associate is obligated to support contractually, we expect that the increase in enforcement actions will prompt covered entities to more closely monitor business associate compliance with right-of-access obligations under BAAs. Accordingly, business associates that maintain PHI in designated record sets should, among other activities described below, implement and/or review policies and procedures for responding to such access requests, to ensure they can do so in a compliant and timely manner.

Emerging Trends in the Right of Access Initiative

Since starting its Right of Access Initiative in 2019, OCR has actively pursued right-of-access enforcement actions, recently settling its eighteenth investigation. By way of background, the right of access under HIPAA generally requires HIPAA covered entities to provide individuals with access to their PHI that is maintained in designated record sets[2] either by or on behalf of the covered entity. Specifically, individuals have the right to obtain a copy of their PHI and/or inspect it, as well as the right to direct a covered entity, if it uses or maintains the individual’s PHI in an electronic health record (“EHR”),[3] to transmit an electronic copy of their PHI in the EHR to a designated third party of the individual’s choice.[4]

So far, OCR’s right-of-access investigations have involved covered entities of varying sizes and sub-industries, including:

  • Hospitals;
  • Primary care providers;
  • Multi-specialty medical clinics;
  • Private medical practices;
  • Mental health care providers;
  • Academic medical centers; and
  • Non-profits.

In a majority of these cases, covered entities have settled potential violations of the HIPAA Privacy Rule involving their failure to provide individuals with a copy of their requested PHI within the required time frames. Monetary settlements have ranged from $3,500 to $200,000, and all settlement agreements have included corrective action plans, with compliance monitoring for 1-2 years.

Additional enforcement trends that have emerged from the Initiative include:

  • Partial compliance is insufficient. Several of OCR’s settlements have involved covered entities that failed to provide the full scope of requested PHI to individuals, underscoring that partial compliance with the right of access is insufficient to avoid enforcement. For example, Dignity Health, dba St. Joseph’s Hospital & Medical Center (“SJHMC”), a large, acute care hospital with several hospital-based clinics, agreed to pay $160,000 and enter into a corrective action plan with two years of monitoring, to settle potential violations of the right of access involving its failure to provide a mother with a copy of all of her son’s medical records that she requested, even though SJHMC had initially provided some of the requested records.
  • Right to direct copies of EHR to third party will be enforced. Several of OCR’s investigations have also involved covered entities failing to send a copy of an individual’s PHI contained in an EHR to a designated third party, suggesting that OCR views the third-party directive right as an important part of the right to access. For example, OCR entered into a settlement agreement with Sharp HealthCare, dba Sharp Rees-Stealy Medical Centers (“SRMC”), a California medical center with several hospitals, affiliated medical groups, and a health plan, in which SRMC agreed to pay $70,000 and enter into a corrective action plan with two years of monitoring, to settle potential violations of the right of access involving its failure to respond to a patient’s records access request directing that an electronic copy of PHI in an EHR be sent to a third party.
  • OCR is responsive to complaints and will not provide technical assistance in the case of repeated violations. In all of its Right of Access Initiative settlements, OCR has initiated investigations based on its receipt of a complaint alleging that a covered entity had violated the right of access. Upon receiving such a complaint, OCR has often—but not always—chosen to provide technical assistance to covered entities to help them comply with the right of access requirements; however, it has not done so in the case of subsequent violations. For example, after receiving a complaint alleging that The Arbour, Inc., dba Arbour Hospital (“Arbour”), a provider of behavioral health services in Massachusetts, had failed to take timely action in response to a patient’s records access request, OCR provided Arbour with technical assistance regarding the HIPAA right of access requirements. After receiving a second complaint that Arbour had still failed to respond to the same records access request, OCR initiated an investigation and ultimately entered into a settlement agreement in which Arbour agreed to pay $65,000 and enter into a corrective action plan with one year of monitoring.

Implications for Business Associates

While to date OCR’s Right of Access Initiative has only targeted covered entities, as covered entities are primarily responsible for responding to individuals’ requests to access PHI under HIPAA, the Initiative could prompt covered entities to more closely monitor business associates’ compliance with their contractual obligations regarding access requests. To comply with HIPAA, business associate agreements (BAAs) must require a business associate to make PHI available in accordance with HIPAA’s individual access rights requirements.[5] While this may simply require providing access to the covered entity, the parties often agree in the BAA that the business associate will provide access to individuals directly, particularly where the business associate is the only holder of the designated record set or part thereof. Similarly, to the extent that the business associate maintains PHI in an EHR for a covered entity, it may be called on to send an electronic copy of such PHI to a third party upon an individual’s request.

Business associates, therefore, must understand and define what PHI, if any, they maintain in designated record sets, including EHRs, in order to comply with their BAA right-of-access obligations. Note that although EHRs and designated record sets may contain overlapping information, they are not identical. Moreover, while certain kinds of information—such as medical records and insurance information—are clearly part of both EHRs and designated record sets, business associates may require assistance from covered entities in determining what other information is included, such as other information that is created or consulted by health care clinicians in the case of an EHR, or other records that the covered entity may use to make decisions about individuals in the case of a designated record set.

In addition, business associates must be conscious of the required timeframes for responding to access requests, in order to comply with their BAA obligations. Currently, a covered entity must respond to an individual’s access request within 30 days, or within 60 days if it utilizes the one-time, 30-day extension; however, in its current NPRM, OCR has proposed cutting this timeframe in half to 15 days, with the possibility of one 15-day extension. Covered entities may therefore obligate business associates to provide PHI to them within even shorter timeframes under their BAAs.

Additionally, due to the regulatory scrutiny a covered entity may expect to receive from OCR under the Initiative, in the event that a business associate fails to respond to an access request within the designated timeframe in its BAA, the covered entity may also seek to enforce any breach and/or audit provisions of the BAA to address such a failure. The covered entity may also seek to shift liability for right-of-access noncompliance to the business associate, to the extent it has not already done so, through an indemnification provision in the BAA.

To avoid contractual liability and oversight, business associates should review their right-of-access obligations under any applicable BAAs, to determine:

  • Whether the business associate maintains PHI in any EHRs or designated record sets, and if not, seek to include limiting language regarding the access provision(s) in its BAAs;
  • How the business associate is required to make requested PHI available (i.e., to the covered entity, the individual, or any requested third parties);
  • What the applicable reporting periods are (i.e., within how many days must PHI be made available); and
  • Whether the business associate must comply with any format or reporting specifications (e.g., is there a specific address of the covered entity to which PHI must be sent, and will the covered entity only accept PHI in a particular form).

While not required by HIPAA, to ensure compliance with their BAAs, business associates should also implement policies and procedures to ensure compliance with their right-of-access obligations, addressing:

  • Contents and locations of any EHRs and/or designated record sets they maintain for a covered entity;
  • Monitoring of the channels that may be used to submit access requests directly to the business associate;
  • Forwarding of requests to covered entities, in accordance with contractual obligations; and
  • Acknowledging receipt of and responding to requests, in accordance with contractual obligations and HIPAA requirements.

Finally, business associates should also monitor their compliance with their internal policies and procedures, and review and modify these policies and procedures periodically to account for any changes in law, new BAA obligations, or process improvements.

Republished in the September 2021 edition of Pratt's Privacy & Cybersecurity Law Report.


[1] See 45 CFR 164.524.

[2] A designated record set is a group of records maintained by or for a covered entity that comprises:

  • Medical records and billing records about individuals maintained by or for a covered health care provider;
  • Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
  • Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals, including records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.

[3] An EHR is an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.

[4] In 2013, the Omnibus Rule, implementing the HITECH Act, modified the Privacy Rule to broaden the right of access to include the right of an individual to direct copies of their PHI contained in designated record sets to third parties, regardless of format (e.g., paper and electronic health records). In 2016, OCR issued guidance regarding the fees that an entity can charge for an individual’s access to their PHI and stated that this fee limit also applied when an individual directed that a copy of such records be sent to a third party (e.g., a law firm or an insurance company). In 2020, in Ciox Health, LLC v. Azar, the U.S. District Court for the District of Columbia vacated this expansion of the third-party directive to PHI in any format (leaving the directive applicable only to PHI in an EHR), as well as the application of OCR’s fee limits to individuals’ requests that their PHI be sent to third parties. See 435 F. Supp. 3d 30 (D.D.C. 2020).

[5] See 45 CFR 164.504(e)(2)(E).

We are Morrison Foerster — a global firm of exceptional credentials. Our clients include some of the largest financial institutions, investment banks, and Fortune 100, technology, and life sciences companies. Our lawyers are committed to achieving innovative and business-minded results for our clients, while preserving the differences that make us stronger.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Prior results do not guarantee a similar outcome.