UnitedHealthcare Resolves HIPAA Right of Access Case With $80K Settlement

August 25, 2023 - The HHS Office for Civil Rights (OCR) reached a settlement with UnitedHealthcare Insurance Company (UHIC) to resolve potential HIPAA right of access violations. UHIC, a health insurer that provides coverage to millions across the US, agreed to pay $80,000 to OCR to resolve the investigation.

The investigation marks the 45th case settled under OCR’s HIPAA Right of Access Initiative, which was created in 2019 to underscore OCR’s commitment to ensuring that patients have timely access to their medical records.

The UHIC case arose in March 2021, when OCR received a complaint alleging that UHIC had not responded to an individual’s request for a copy of their medical record. The individual requested their records in January 2021, finally receiving them in July 2021, after OCR had initiated its investigation into the matter.

UHIC agreed to implement a corrective action plan in addition to the monetary settlement which entailed updating policies and procedures and providing privacy training to employees on individual access to protected health information (PHI).

“Timely access to health information is one of the cornerstones of HIPAA. OCR will continue to ensure that covered entities with a record of delaying or denying access requests will be subject to enforcement,” said Melanie Fontes Rainer, OCR director, in a press release.

“Health insurers are not exempt from the right of access and must ensure that they are taking steps to train their workforce to ensure that they are doing all they can to help members’ access to health information.”

The settlement shows that all types of HIPAA-covered entities can face consequences if they fail to comply with right of access provisions. OCR directed HIPAA-covered entities to its guidance on right of access provisions and encouraged these entities to familiarize themselves with these provisions.

In general, the HIPAA Privacy Rule requires covered entities to provide patients with access to their PHI “in one or more ‘designated record sets’ maintained by or for the covered entity,” upon request, the guidance states.

“This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice,” OCR continued.

In addition, the records must be delivered in a timely and cost-effective manner, and patients have the right to request records in their preferred format. Covered entities should have processes in place to ensure that patients receive their medical records according to HIPAA’s requirements.