An $80,000 penalty paid by UnitedHealthcare Insurance Company (“UHIC”) warns other insurers and other health plans, their fiduciaries and plan sponsors that failing to timely deliver requested protected health information triggers substantial Health Insurance Portability and Accountability Act (HIPAA) fines in addition to Employee Retirement Income Security Act (“ERISA”) Section 502(c) penalties and other related exposures and costs.

HIPAA Right Of Access Rule

The Department of Health & Human Services Office of Civil Rights (“OCR”) recently announced health insurance giant UHIC agreed in a resolution agreement to pay $80,000 to resolve a potential violation HIPAA’s access provision that requires health plans, health care providers and health care clearinghouses (“covered entities”) to provide patients access certain protected health information in a within 30 days of a request. In addition to the $80,000 payment, UHIC agreed to implement a corrective action plan and submit to OCR monitoring for a year.

The HIPAA Privacy Rule generally requires health plans and other covered entities to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity after verifying the identity of the person requesting access. This right of access generally applies to all PHI other than:

• PHI that is not part of a designated record set because the information is not used to make decisions about individuals;
• Psychotherapy notes, which are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session, that are maintained separate from the rest of the patient’s medical record;; and
• Certain information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

Even for categories of excluded PHI, however, the right of access rule requires access to the underlying PHI from the individual’s medical or payment records or other records used to generate the excluded records or information remains part of the designated record set and subject to access by the individual.

Where applicable, the right of access requirement includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice. Individuals have a right to access this PHI for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated (e.g., whether the covered entity, another provider, the patient, etc.).

The Privacy Rules encourage health plans and other covered entities to offer individuals multiple options for requesting access. Covered entities may offer individuals the option of using electronic means (e.g., e-mail, secure web portal) to request access.  Section 164.524(b)(1) of the Privacy Rule also generally allows a health plan or other covered entity subject to the right of access rule to require individuals to request access in writing, and if use of the covered entity’s form does not create a barrier to or unreasonably delay an individual’s access to his PHI, even to require individuals to use the entity’s own supplied form to make the request. However, the Privacy Rule prohibits health plans and covered entities from imposes unreasonable measures on an individual requesting access that serve as barriers to or unreasonably delay the individual from obtaining access.

While the Privacy Rule permits a covered entity to impose a reasonable, cost-based fee if the individual requests a copy of the PHI (or agrees to receive a summary or explanation of the information), Privacy Rule Section 164.524(c)(4) limits how much health plans and other covered entities can charge for copies.  The fee may include only the cost of: (1) labor for copying the PHI requested by the individual, whether in paper or electronic form; (2) supplies for creating the paper copy or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media; (3) postage, when the individual requests that the copy, or the summary or explanation, be mailed; and (4) preparation of an explanation or summary of the PHI, if agreed to by the individual.    Section 164.524(c)(4) prohibits a covered entity from including costs associated with verification; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; or other costs not beyond this specifically allowed in the Rule even if such costs are authorized by State law or other federal or state rules.

UHIC & Other OCR Right Of Access Resolution Agreements

Since OCR began enforcing HIPAA, OCR enforcement data has reflected widespread noncompliance by covered entities with the HIPAA right of access rule. In response to this compliance data, OCR since 2019 has prioritized investigation and enforcement of the right of access under its “Right of Access Initiative.” The UHIC resolution agreement announced August 24, 2023 is the forty-fifth Right of Access voluntary settlement and the first Right of Access case enforcement action involving a health plan covered entity announced by OCR under its Right of Access Initiative. All previously announced Right of Access Initiative resolution agreements involved complaints against health care provider covered entities.

The UHIC resolution agreement resolves charges arising from an OCR investigation into a March 2021 complaint that UHIC failed to provide required records in response to an individual’s request for a copy of their protected health information in the plan records. The individual first requested a copy of their records on January 7, 2021, but did not receive the records until July 2021, after OCR initiated its investigation. This was the third complaint OCR received from the complainant against UHIC alleging failures to respond to his right of access. OCR’s investigation determined that UHIC’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access provision.

Based on these findings, OCR found UHIC violated the right of access rule. To resolve exposure to potentially more substantial civil monetary sanctions authorized by HIPAA, UHIC agreed in the resolution agreement to pay an $80,000 monetary settlement and implement a corrective action plan that includes one year of monitoring by OCR. UHIC also incurred and is expected to incur substantial legal and other expenses in responding to the investigation, negotiating the resolution agreement, and to fulfill its obligations under the corrective action plan.

When announcing the results of the UHIC investigation and resolution agreement, OCR Director warned other health plans to ensure their right of access compliance. “Timely access to health information is one of the cornerstones of HIPAA. OCR will continue to ensure that covered entities with a record of delaying or denying access requests will be subject to enforcement,” said OCR Director, Melanie Fontes Rainer. “Health insurers are not exempt from the right of access and must ensure that they are taking steps to train their workforce to ensure that they are doing all they can to help members’ access to health information.”

ERISA Section 502(c) Penalty For Failing To Timely Respond To Member Information Request

Apart for the HIPAA right of access rule, failing to timely respond to member requests for plan information and records also can trigger substantial liability for ERISA-covered health plans and their plan administrators under ERISA.

In addition to the HIPAA Right of Access disclosure obligations ERISA-covered health plans and insurer also generally are required to disclose certain plan information when notifying plan members of adverse benefit determinations and within 30 days of a member’s request. ERISA’s claims and adverse benefit determination rules expressly obligate plan administrators to disclose certain information to plan participants and beneficiaries when providing notification of adverse claims determinations. Additionally, Section 104(b)(4) of ERISA requires plan administrators to provide participants with a copy of certain documents if the participant requests them in writing.

Evidence that an ERISA-covered health plan administrator or insurer violated these requirements when administering claims or other obligations frequently prevent or undermine the defensibility of health plan claim denials against ERISA investigations and participant or beneficiary claims related lawsuits. Beyond these litigation effects, ERISA Section 502(c) authorizes the Employee Benefit Security Administration (“EBSA”) to impose administrative penalties of $110 per day. Concurrently, ERISA Section 502(c) also empowers federal courts in the court’s discretion to hold a plan administrator that fails to provide the participant with information within the  scope of the ERISA disclosure provision after 30 days from the request”, the plan administrator “may be personally liable to that participant or beneficiary for up to $110 a day from the date of such failure or refusal and “the court may in its discretion order “such other relief as it deems proper.”  Both the adverse effects of noncompliance with claims and other disclosure requirements on the defensibility of claims denials and the potential significance of triggering Section 502(c) penalties is illustrated by the federal court’s ruling M.S. v. Premera Blue Cross, 553 F. Supp. 3d 1000 (D. Utah 2021). In addition to the undeniable role disclosure deficiencies played in the court’s decision to overturn the plan administrator’s denial of benefits, the District Court also imposed a statutory penalty of under Section 502(c) of $123,100 ($100 per day from the date of the participant’s first written request through the date of the court’s order finding Premera Blue Cross prejudiced the plan participants by failing to make required disclosures) pending its determination of the damages, attorney’s fees and costs, and equitable relief to award to the participants. The court imposed the Section 502(c) penalty against Premera Blue Cross in its capacity as a third-party administrator contracted with the plan sponsor that the plan documents named as the plan administrator based on the functional exercise by Premera of fiduciary duties in handling the claims and disclosures. It bears noting, however, that employers and others serving in named plan administrator or other fiduciary capacities frequently are held liable for acts or omissions of their contract administrators either by direct orders under ERISA or indirectly pursuant to contractual duties to defend and hold harmless the contract administrator plan vendors providing these services commonly include in administrative services contracts.

Plans Must Assure Timely Access & Disclosure

Health plans and health insurers must provide protected health information as required by HIPAA; plan disclosures required by ERISA. Plan sponsors, fiduciaries and administrators wishing to avoid liabilities for violation of either of these requirements should make the necessary contractual, policy and oversight arrangements to provide for timely delivery. Where administration if these duties is outsourced to an insurer or other service provider, the plan sponsor should serk contractual agreements that the vendor will pay costs and liabilities for untimely delivery and refuse to accept contractual language that might obligate the plan sponsor, plan fiduciaries l, or the plan to pay or reimburse those penalties.

If despite efforts to comply an impermissible delay in delivery happens, the responsible party should contact qualified legal counsel about pursuing prompt correction and other steps to mitigate or resolve exposures.

For More Information

We hope this update is helpful. Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn  Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy Group.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here. 

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as: 

• $80,000 Penalty Confirms Health Plans Exposure For Violating HIPAA Access Rights
• $4.4 Million Warning About Proper Billing On Government Projects
• OSHA Proposing To Expand Third Parties Allowed To Accompany Employees During Inspections
• Employers Should Prepare for Proposed DOL Rules To Disqualify Additional 4 Million Workers For FLSA Exempt Status
• Use Of New Form I-9 Employment Eligibility Verification Form Released 8/1 Permitted Now; Mandatory After 11/1
• Education Association Union Sued For Race Discrimination
• Biden-⁠Harris Administration Ending COVID-⁠19 Vaccination Requirements For Federal Employees, Contractors, International Travelers, Head Start Educators & CMS-Certified Facilities
• Autism Health Plan Exclusions and Limitations May Trigger Mental Health Parity and Addiction Equity Act Liabilities
• Labor Department Shares Resources on PERM and H-2A Program Updates
• Trucking Cos.’ $1.25M Sex Discrimination Warns Other Employers
• $167K In Backpay and Penalties Restaurant Paying For FLSA Violations Warns Other Businesses
• Revise Health Plan HIPAA Records Access Rules & Procedures To Use Newly Flexibility On Charging, Responding To Third Party PHI Requests
• 2/28 New Comment Deadline For NLRB Proposal To Exclude College Work Study Student Workers From NLRA Coverage
• Don’t Get Stuck Paying Another Employer’s Overtime Or Other Backpay
• 2019 OCR Enforcement Shows Getting Defensibly HIPAA Compliant Necessary In 2020!
• DOJ Omnicare/CVS Suit Highlights Potential Pharmacy Benefit Claims Abuse Exposure For Health Plans, Member Safety Risk
• OSHA Seeks Small Business Volunteers For Tree Care Safety Panel
• NLRB Restores Pre-Obama Era Union Dues Checkoff Rule
• $1.6M HIPAA Penalty Largely Caused By Inadequate Security Assessments & Oversight  
• 10 Former NFL Payers Charged With Defrauding NFL Retiree Health Fund  
• NLRB Order Directs Settlement Of McDonald’s Unfair Labor Practice Complaints Including Joint Employer Liability Charges Against McDonald’s USA
• College Pays $54,000 To Settle DOJ ADA Lawsuit For Paramedic Program’s Termination of TA With MS  
• Business Leaders Serve Jail Time For Employment Tax Crimes   
• Salary Threshold Increases Require Employer Review Of Salaried Worker FLSA Exemption Qualification  

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.