Electronic Healthcare Records , Governance & Risk Management , Healthcare
Analysis: HIPAA Enforcement in a Biden Administration
HHS Issues 10th 'Right of Access' Settlement; Will Such Actions Continue?The Department of Health and Human Services last week issued its 10th settlement involving a HIPAA “right of access” case since launching its patient records access initiative last year. But how might HIPAA enforcement priorities at HHS’ Office for Civil Rights change under a Biden administration?
See Also: Frost Radar™ on Healthcare IoT Security in the United States
Some observers predict that enforcing compliance with HIPAA’s “right of access” requirements will continue to be a top priority. But the fate of unfinished work – such as potential changes to the HIPAA rules as well as revival of a HIPAA compliance audit program that has been shelved since the end of the Obama administration – is unclear.
The Latest Records Access Case
HHS OCR’s resolution agreement announced Friday with Riverside Psychiatric Medical Group, a group practice in Riverside, California specializing in child and adolescent mental healthcare, includes a $25,000 financial payment plus a corrective action plan. The case involved repeated requests and complaints by a patient seeking access to health records.
The agreement with the medical group is the 15th HIPAA settlement of any type announced by OCR so far this year. Those HIPAA settlements called for a total of more than $13.4 million in penalties.
The largest of OCR’s HIPAA enforcement actions so far this year was a $6.8 million settlement announced in September with Premera Blue Cross in a case involving a 2014 breach that exposed information on 10.4 million individuals.
Settlement Details
OCR says in a statement that in March 2019, the agency received a complaint from a Riverside Psychiatric Medical Group patient alleging the practice failed to provide her a copy of her medical records despite multiple requests beginning in February 2019.
“Shortly after receiving the complaint, OCR provided RPMG with technical assistance on how to comply with the HIPAA Right of Access requirements and closed the matter. In April 2019, however, OCR received a second complaint alleging that RPMG still had not provided the complainant with access to her medical records,” OCR says.
OCR’s investigation determined that RPMG’s failure to take action in response to the individual’s request was a “potential violation” of the HIPAA right of access standard. “RPMG claimed that because the requested records included psychotherapy notes, they did not have to comply with the access request.”
While the HIPAA rules do not require patient access to psychotherapy notes, the regulations do require covered entities to provide requestors a written explanation when it denies any records request in whole or in part, which RPMG did not do, OCR says.
As a result of OCR’s investigation, RPMG finally sent the individual all the requested information in her medical record, excluding psychotherapy notes, in October.
Under a corrective action plan, RPMG has agreed to revise and implement its policies and procedures related to the right of access to protected health information.
Priorities Under New Administration
While top leadership of OCR will undoubtedly change under a Biden administration, HIPAA compliance program efforts – including enforcement of patient right of access - will continue to be a top priority for the agency, some regulatory experts predict.
"OCR should continue to pursue 'right of access' cases for individuals who have been denied access to their medical records. This is a matter of civil and patient rights."
—Twila Brase, Citizens’ Council for Health Freedom
“HIPAA and data privacy and security has always been a bipartisan effort, and patient access to records is arguably the most important right under the HIPAA rules,” says privacy attorney Iliana Peters of the law firm Polsinelli.
“This enforcement initiative has been an important part of the recent work by OCR over the past couple of years,” says Peters, who was a former senior HHS OCR adviser during the Obama administration. “While these settlements have been small, they represent a large percentage of the work that OCR has been engaged in lately from an enforcement perspective, and these investigations are almost all driven by individual complaints.”
Providing patients with access to their health records - including consumers being able to directly access health records through their smartphones - “was a major goal of the 21st Century Cures legislation championed by then vice president Biden,” notes privacy attorney David Holtzman of the consultancy HITprivacy.
“I would expect that this remain an area of focus in the new administration,” says Holtzman, a former OCR senior adviser during the Obama administration.
Twila Brase, president and co-founder of privacy advocacy group Citizens’ Council for Health Freedom, says right of access should remain a top enforcement priority.
"Whatever the outcome of the election, OCR should continue to pursue ‘right of access’ cases for individuals who have been denied access to their medical records. This is a matter of civil and patient rights,” she says.
A Top Priority?
HIPAA attorney Paul Hales of the law firm Hales Law Group says he expects HIPAA enforcement overall to remain a top HHS priority under the Biden administration.
“OCR HIPAA enforcement funding is self-sustaining from settlement payments and civil money penalties,” he says. “I hope OCR will ramp up HIPAA enforcement significantly and return to carrying out HIPAA audits required by law.”
As called for under the HITECH Act, during the Obama administration, OCR rolled out two phases of a pilot program to audit covered entities and business associates for their compliance with the HIPAA rules (see: HIPAA Audi Update: Here’s What’s Next).
But the HIPAA audit program has been on hold since late 2016, and it did not progress during the Trump administration.
Still Pending
The Trump administration has other unfinished HIPAA work.
“The White House Office of Management and Budget recently completed its review of OCR’s proposed rulemaking that would remake some provisions of the HIPAA Privacy Rule,” Holtzman notes.
"While it is likely there are some settlements in the pipeline, it is difficult to handicap whether they come in over the finish line during the transition to a new administration,"
—David Holtzman, HITprivacy
Potential changes involve addressing the perceived obstacles in the sharing of patient information among healthcare providers as well as the burdens often put on patients and their families to have that information exchanged.
This action by OMB clears the way for OCR to publish the proposed rule in the Federal Register, even before a change-over to a Biden administration.
“While it is still early days in transition to a new administration, the HIPAA notice of proposed rulemaking would be expected to continue on its pathway to release,” he says.
Timothy Noonan, OCR’s deputy director for health information privacy, told ISMG in August that the agency plans to issue a notice of proposed rulemaking to modify the HIPAA rules before the end of this year (see Proposal for HIPAA Modifications Coming by Year’s End).
Settlements Take Time
Negotiations of resolution agreements to settle HIPAA enforcement actions often require many months and several levels of approval, Holtzman says. “While it is likely there are some settlements in the pipeline, it is difficult to handicap whether they come in over the finish line during the transition to a new administration,” he says.
Peters notes that many HIPAA covered entities are currently engaged with OCR on patient right of access investigations.
“I would strongly suggest that HIPAA covered entities ensure that they have a robust policy and procedure to address patient or beneficiary access requests, that they make access to records a priority, and that they respond quickly and reasonably to any patient complaints that come to them directly from patients or beneficiaries,” she says.
It’s important for covered entities to remember that they are “ultimately liable” for HIPAA access violations, even though they may engage business associates to help with that work, she says.