In November of 1918, the First World War (naively called “The Great War”) ended. (For people who appreciate or read into symmetry, World War I ended at the 11th hour on the 11th day of the 11th month of 1918). The League of Nations, the peacekeeping body and the precursor to today’s United Nations, was founded in January 1920 by President Woodrow Wilson and held its first meeting in November of that year.

Another important event took place that November – the Presidential election. Republican presidential candidate Warren Harding, sensing Americans were tired of war, and tired of fighting for peace (ironically, although Wilson formed the League of Nations, the U.S. refused to join), campaigned on the slogan, “A return to normalcy.” His incorrect word usage (the word “normalcy” did not exist when he used it) may have been unserious, but the election results meant business: Harding won in a rout. Normalcy seemed to be back on the menu.

From 2020 to 2022, the U.S. government was engaged in a war of its own, fighting COVID-19 (or trying to, anyways, depending on who you ask). The Department of Health and Human Services (HHS), the federal agency designed to enhance the well-being of Americans, spent much time and resources navigating this public health crisis. 

While COVID-19 has not formally ended, many Americans are anxious to put the events of the last two years behind them – to return to normalcy. As we got further into 2022, HHS’ Office for Civil Rights (OCR) became less focused on COVID-19 public health initiatives and more focused on traditional areas of concern. Enforcement of the Privacy Rule’s right of access provision, and ensuring patient PHI is not impermissibly used or disclosed, took center stage in 2022 and are poised to receive additional emphasis in 2023. The details of HIPAA changes 2023 are described below.

HIPAA Changes 2023: Return to Access

OCR completed investigations of 17 patient right of access cases in 2022. Fifteen of these resulted in a Resolution Agreement (Settlement), and two resulted in the imposition of a civil monetary penalty. The first 2022 resolution agreements were announced in March of 2022. The most recent resolution agreement was announced on December 15, 2022.

OCR launched its Right of Access Initiative in 2019, bravely taking the radical stand that the rules requiring covered entities to act on patient medical requests must be enforced. In 2019, there were two right of access settlements/fines. In 2020, there were 11. In 2021, there were 12. In 2022, there have been 17. 42 in total.

In 2022, OCR emphasized specific aspects of right of access non-compliance, which are recounted below. Providers may expect that these areas of non-compliance will be on OCR’s radar in 2023.


Don’t Look a Gift Horse in the Mouth: Act on Technical Assistance

ACPM Podiatry Group is an Illinois practice. In early April 2019, OCR received an initial complaint from Richard Lindsey (“Complainant”), a former patient who alleged that ACPM refused to provide him with his requested medical records. On April 18, 2019, OCR provided ACPM with written technical assistance regarding the Privacy Rule’s right of access standard (basically, OCR explained what the standard means) and then closed the matter.

OCR then received a second complaint from Mr. Lindsey, alleging that ACPM still needed to provide the medical records after he made numerous requests. ACPM did not respond to multiple data requests from OCR, nor to OCR’s Letter of Opportunity and Notice of Proposed Determination (this is legalese-ey for saying that ACPM blew off OCR’s investigation). Having given ACPM ample time to cooperate with the investigation, OCR issued a Notice of Final Determination and imposed a civil money penalty of $100,000.

In July of 2020, a few months before OCR issued the November 2020 Letter of Opportunity (a Letter of Opportunity is a document alerting a provider that there are preliminary indications of non-compliance; the letter also allows the provider to submit written evidence of mitigating factors or affirmative defenses for OCR’s consideration in making a determination of the amount of a civil monetary penalty), ACPM finally got off its back, rousing itself to provide Mr. Lindsey with copies of his records. However, Mr. Lindsey informed OCR that the records he received – 618 days after he made the initial records request – were incomplete. ACPM provided no explanation as to why it could not provide all of the records.

Lesson: OCR provides technical assistance as a way of informally resolving complaints without having to impose more serious measures. When advice is offered, it’s a good idea to follow it.

Records Cannot be Held Hostage

On March 27, 2020, HHS received a complaint against Danbury Psychiatric Consultants (DPC), alleging that DPC failed to provide access to the complainant’s protected health information (PHI).

HHS’ investigation revealed that, on March 24, 2020, the complainant made an access request for her PHI. DPC failed to respond timely to the complainant’s access request. DPC also withheld complainant’s access on the basis that the complainant had an outstanding balance, and required a signed request or authorization request (a provider may require that a request be in writing, but, if it imposes this requirement, it must notify its patients beforehand of the requirement).  

DPC failed to provide access to all the complainant’s PHI until September 14, 2020, after OCR initiated its investigation.

This conduct – holding records hostage for payment – is prohibited under the right of access provision. For its trouble, DPC settled with HHS by agreeing to pay HHS $3,500 and submit to a two-year corrective action plan (CAP). Under the CAP, DPC must develop policies and procedures on the HIPAA right of access provision, and must train employees on these policies and procedures.

Lesson: patient records are not bargaining chips.

Clear Up Misunderstandings

Fallbrook Family Health Center, a Nebraska clinic, failed to provide a patient with a complete copy of her designated record set even though she requested it in writing three separate times. 

FFHC claimed it failed to provide access due to a former workforce member’s misunderstanding of an individual’s access rights under HIPAA. The nature of the misunderstanding is not publicly known. As a result of OCR’s investigation, FFHC sent complainant a copy of her complete designated record set on June 19, 2020. Fallbrook agreed to take corrective actions and paid $30,000 to settle a potential violation of the right of access standard. 

The corrective action plan requires FFHC to “review, and to the extent necessary, revise its policies and procedures related to the right of access to protected health information (“PHI”),” and to train staff (including new staff, within 30 days of hire) on these policies and procedures. Having effective written policies and procedures, and training employees on these, should prevent further misunderstandings on the meaning of the phrase “provide access” from happening.

I’ve Got the Power

On July 20, 2020, HHS received a complaint against MelroseWakefield from an individual (“Complainant”) alleging that she requested the protected health information (PHI) of her mother from MelroseWakefield and had been denied access to the requested records.

HHS’ investigation revealed that, on June 12, 2020, the complainant made a valid access request for her mother’s PHI, having attached documentation – a durable power of attorney – verifying that she was her mother’s personal representative.  A durable power of attorney with the right to make healthcare decisions must be honored. In this case, the complainant was not provided access to the records because of MelroseWakefield’s mistaken belief that the durable power of attorney did not allow the complainant to secure the records.

After the complainant notified OCR of the denial of access, OCR notified MelroseWakefi