December 9, 2020

The HIPAA Hits Keep Coming

Client Alert
Beth Neal Pitman

HIPAA enforcement activity is continuing at a strong pace in 2020. The Office for Civil Rights (“OCR”) has recently released five enforcement actions, including the 10th, 11th, and 12th Access Right settlements (in less than two weeks), an action against a municipality, and a settlement with a national health insurer in response to three separate breaches in a six-month period. For more information on the first nine Access Right settlements, click here.

Marking a dozen Access Right settlements, OCR recently settled with the University of Cincinnati Medical Center for $65,000 for alleged failures to provide an electronic record of a patient’s records upon request to her lawyers. In so doing, the OCR has affirmed that patients have a right to direct their records to be sent to third parties and that electronic records be sent where electronic records are maintained.

In further support of its access rights initiative, OCR settled two cases in which records were not provided despite the providers having received specific guidance from OCR about access rights. In the most recent case, Dr. Rajendra Bhayani, a private physician, entered into a corrective action plan and paid $15,000 for failing to provide records to a patient. In this case, the patient requested records in July 2018 and filed a complaint in September 2018 when she had not received the records. In response, the OCR provided “technical guidance” to the practice, but it appears that the practice did not follow the guidance because the patient filed a second complaint in July 2019. As a result of the investigation, the patient finally received her records in September 2020. Among other things, a key take-away of this matter is that there are no compliance exceptions for small medical practices.

Less than a week before the above settlement, Riverside Psychiatric Medical Group initiated a corrective action plan and paid a $25,000 settlement for alleged HIPAA violations. In this case, a patient filed a complaint with the OCR after the practice failed to provide her records that she requested in February 2019. In response, the OCR provided the practice with “technical guidance” on how to comply with the access request, but, by April 2019, it had not provided the records and the patient filed a second complaint. It appears that the cause of the issue was confusion about the handling of requests that may implicate “psychotherapy notes.” As the OCR noted in its public notice about this case, any denial of an access request must be accompanied by an explanation. Furthermore, the patient has a right to the elements of the record that do not constitute “psychotherapy notes.” Significantly, “psychotherapy notes” are an often-misunderstood and very narrow category of records; they are notes that a provider keeps for himself/herself and must be maintained separately from the patient’s standard medical record.

With respect to alleged violations of both the Privacy Rule and Security Rule, the City of New Haven, Connecticut, recently entered into a corrective action plan and paid $202,400 to settle an investigation. The situation involved a breach of protected health information of 498 people when the City of New Haven’s public health clinic failed to terminate the login credentials of a former employee. Furthermore, prior to separation from the clinic, the same employee had shared her login credentials with an intern. This case highlights the importance of appropriate close-out procedures whenever an employee leaves a covered entity as well as workforce education that login credentials should never be shared. Of course, this settlement also reinforces the OCR’s position that HIPAA compliance matters for both private and public entities alike. Indeed, the OCR has entered settlement agreements with several other government entities in the past. Additionally, it is important to note that the OCR investigated this matter following a breach notification, not a complaint.

Finally, Aetna Life Insurance Company entered into a recent corrective action plan and paid a $1,000,000 settlement in response to three separate breach incidents that occurred over six months. The first incident involved the records of 5,002 individuals being available on the internet without login credentials. The second incident involved mailing window envelopes with the words “HIV medication” that could be seen through the window; 11,887 individuals were affected. The final incident involved 1,600 individuals receiving envelopes with the name and logo of the atrial fibrillation (irregular heartbeat) research study on the outside.

All of the above reflect the fact that, regardless of the disruptions caused by COVID-19 and regardless of politics, HIPAA enforcement remains at a high pace in 2020.