OCR announces resolution of more HIPAA Right of Access Initiative cases

On July 15, 2022, the Office for Civil Rights (OCR) announced that it has resolved eleven more investigations in its Right of Access Initiative. This initiative, which began in 2019, enforces the patient right of access to health records under the Health Insurance Portability and Accountability Act (HIPAA). Thirty-eight investigations have been completed under this program.

The Right of Access investigations have involved many types of providers. The most recent announcement includes:

  • A civil money penalty of $100,000 imposed on a podiatry practice that failed to provide a former patient with requested medical records, and ignored data requests from OCR.
  • A settlement of $3,500 with a psychiatry practice that withheld access to the patient's record because the patient had an outstanding balance.
  • A settlement of $55,000 with a health care provider that did not provide a personal representative with timely access to medical records, mistakenly believing that the power of attorney did not allow for access.
  • A settlement of $240,000 with a health system for failing to timely respond to an access request.

The HIPAA Privacy Rule generally requires that a health care provider respond within thirty days to a request for access to health records from the patient or personal representative. This applies to both medical records and billing records. All health care providers should make sure their procedures for requesting records do not impose barriers that are not permitted under the Privacy Rule, and that they record when the patient or representative requests the record and how long it takes to respond.

OCR publishes guidance on releasing PHI related to abortion

The Office for Civil Rights (OCR) has published guidance discussing how the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule applies to release of information concerning abortion. Most health care providers are covered entities under HIPAA, and are permitted to disclose protected health information (PHI) only as expressly permitted or required under the Privacy Rule. The guidance discusses several scenarios involving the Privacy Rule provisions concerning disclosures required by law, disclosures to law enforcement and disclosures to avert a serious threat to health or safety.

Disclosures of PHI required by law include only disclosures where the health care provider is compelled to disclose PHI, and the disclosure is limited to what the law requires. OCR gives the example of a patient in a hospital emergency department experiencing complications related to miscarriage in the tenth week of pregnancy, where a hospital staff member suspects that the patient may have taken medication to end the pregnancy. If state law prohibits abortion after six weeks but does not expressly mandate health care workers to report suspected violations to law enforcement, disclosure would be prohibited.

Concerning disclosures for law enforcement, OCR notes that the Privacy Rule permits disclosure only where law enforcement presents a legally enforceable mandate, such as a court order. If a law enforcement official requests a reproductive health care clinic to provide information on abortions at the facility but the official does not present a court order or other binding legal process, the clinic would violate the Privacy Rule by disclosing the requested information. In contrast, if the official presents a court order requiring the clinic to provide that information, the Privacy Rule would permit the clinic to disclose only the PHI expressly covered by the order.

Finally, OCR discusses a scenario where a pregnant patient in a state that bans abortion informs their health care provider that they intend to seek an abortion in another state. OCR concludes that disclosing this information to law enforcement would violate the Privacy Rule, because the patient's statement would not qualify as a serious and imminent threat to the health or safety of a person or the public, and would be inconsistent with professional ethical standards.

OCR publishes guidance on HIPAA, COVID vaccines and the workplace

The Office for Civil Rights (OCR) of the Department of Health & Human Services has published guidance on what inquiries and disclosures about COVID-19 vaccination status are permitted. The OCR notes that the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule applies only to covered entities and their business associates. (Covered entities are health plans, health care clearinghouses and health care providers that conduct electronic transactions, and business associates are entities that provide various management and related services for covered entities.)

The HIPAA Privacy Rule does not prohibit businesses or individuals from asking whether customers or clients have received a COVID-19 vaccine. This is the case even for businesses that are covered entities or business associates, because the HIPAA Privacy Rule applies to uses and disclosures of protected health information (PHI) by covered entities and business associates, not requests for information. HIPAA also does not prohibit an individual from disclosing whether the individual has been vaccinated.

The OCR points out that the HIPAA Privacy Rule does not apply to employment records (including records held by covered entities or business associates in their capacity as employers). HIPAA does not regulate what information can be requested from employees as a condition of employment. Therefore, employers (including covered entities and business associates) can require their employees to provide documentation of COVID-19 vaccination, to sign an authorization for the employee's health care provider to provide such documentation, to wear a mask while on the employer's premises or in the course of performing their duties, or to disclose whether the employee is vaccinated if a patient asks for that information. The OCR notes, however, that the Americans with Disabilities Act requires that documentation of vaccination, like other employee health information, must be kept confidential and stored separately from personnel files. The OCR also addressed questions relating to employee health services. Health care providers are permitted to disclose PHI relating to an individual's vaccination status to an employer in connection with medical surveillance of the workplace or to evaluate whether the individual has a work-related illness, but only if the health care provider is providing services to the individual at the request of the employer, the individual is notified that PHI related to medical surveillance and work-related illnesses will be disclosed to the employer, and certain other conditions apply.

It is necessary to distinguish between employment records and health records maintained by a health care provider in the course of treatment. The HIPAA Privacy Rule generally requires covered entities, including health care providers, to obtain the patient's authorization in order to disclose information (with certain exceptions, such as disclosures to public health authorities).

NIST invites comments on Security Rule compliance guide

The National Institute of Standards and Technology (NIST) is inviting comments on updating its resource guide for implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. NIST's resource guide was published in 2008. The public is invited to provide input by June 15, 2021. NIST seeks comments on how health care organizations and business associates are using the resource guide to assist in complying with the HIPAA Security Rule. NIST also invites comment on how organizations assess risk to electronic protected health information (ePHI), how health care organizations manage concerns regarding business associates' compliance with the Security Rule, and how organizations document implementation of recognized security practices.

The topic of how recognized security practices are implemented is particularly important for health care organizations and business associates. Effective January 5, 2021, the Health Information Technology for Economic and Clinical Health Act (the HITECH Act) was amended by P.L. 116-321 to provide that in conducting audits of Security Rule compliance and assessing fines, the Department of Health and Human Services shall consider whether the organization has demonstrated that it had recognized security practices in place. The term "recognized security practices" is defined to include standards, guidelines and best practices developed by NIST.

HHS extends comment period for HIPAA Privacy Rule changes to May 6

The Department of Health & Human Services (HHS) has announced that it is allowing additional time for public comment on proposed changes relating to access to and disclosure of protected health information (PHI). The Office for Civil Rights (OCR) of HHS published significant proposed modifications to the Health Insurance Portability & Accountability Act (HIPAA) Privacy Standards in the Federal Register on January 21, 2021. The proposed rules were focused on supporting the transition to value-based health care by modifying restrictions on use of PHI for care coordination and case management. OCR also proposed significant changes in procedures for individuals’ access to their PHI. The original comment date of March 22, 2021 has been extended to May 6, 2021.


HITECH amendment encourages adoption of recognized security practices

An amendment to the Health Information Technology for Economic and Clinical Health Act (HITECH) enacted on January 5, 2021 provides an incentive for a covered entity under the Health Insurance Portability and Accountability Act (HIPAA), or a covered entity’s business associates, to adopt recognized security practices. H.R. 7898, enacted as P.L. 116-321, states that the Secretary of the Department of Health and Human Services shall consider whether the covered entity or business associate has adopted recognized security practices, which may mitigate fines or other remedies imposed for HIPAA security violations, or support favorable termination of a HIPAA security audit. Recognized security practices are standards, guidelines and best practices developed by the National Institute of Standards & Technology (NIST) or other regulatory guidelines for cybersecurity.

OCR will permit providers to schedule COVID vaccine appointments online

The Office for Civil Rights (OCR) has issued a notification of enforcement discretion permitting entities covered under the Health Insurance Portability and Accountability Act (HIPAA), and their business associates, to use online or web-based scheduling applications (WBSAs) to schedule appointments for COVID-19 vaccinations during the public health emergency. The notification will be published in the Federal Register on February 24, 2021 and applies as of December 11, 2020.
