HIPAA Complaints & Settlements
While individuals do not have a right to a private cause of action under HIPAA, they may file a complaint with the Office for Civil Rights (OCR) if they believe that a HIPAA-covered entity or its business associate violated their health information privacy rights or committed other violations under HIPAA. OCR has the authority to investigate such complaints and take action if OCR determines that an individual’s rights were violated by a covered entity or business associate.
On August 24, 2023, OCR announced a settlement with UnitedHealthcare resolving a complaint alleging that UnitedHealthcare did not respond to an individual’s request for a copy of their medical record until after OCR initiated its investigation. Under HIPAA, individuals have a right to request and access their health information, and covered entities have an obligation to respond to such requests in a timely manner (as long as the information is maintained by the covered entity or a business associate). Generally, covered entities and/or business associates must provide access to the requested information no later than 30 calendar days from receiving the individual’s request, but if they can provide the information sooner, they are strongly encouraged to do so. In some instances, a 30-day extension may be warranted, and the covered entity must inform the requester of the reason for the delay and when the information will be provided.
This settlement serves as a reminder to all covered entities and their business associates that individuals have a right to their health information and that a timely response to requests for health information is required under HIPAA. Covered entities or business associates should have in place appropriate policies and procedures for handling such requests and provide adequate training to their staff and personnel regarding HIPAA’s protections.