Drumbeat for Right of Access

By Matt Fisher, General Counsel, Carium
LinkedIn: Matthew Fisher
X: @matt_r_fisher
X: @cariumcares
Host of Healthcare de Jure – #HCdeJure

The drumbeat of settlements from the Office for Civil Rights around the individual right of access continues. The most recent settlement offers a different reminder than the previous settlements. This time, the settlement impacted a health insurance company.

The Details of the Settlement

The settlement announced by OCR on August 24, 2023 involved alleged conduct of UnitedHealthcare Insurance Company (UHIC). UHIC provided insurance through UnitedHealthcare’s employer and individual business. OCR was notified of an access issue by means of a complaint submitted on March 25, 2021. The complainant reportedly submitted a request for access by mailing the request to a post office box in Utah. The complainant asserted that no response was ever received from UHIC.

The complaint prompted OCR to reach out to UHIC to get more information about what happened. After receiving notice from OCR, UHIC determined that the lack of a response was the result of employee error. The resolution agreement does not include any more detail than that.

OCR’s press release about the resolution gives slightly more color. The press release notes that the complainant made the first request for their records on January 7, 2021. The records were not provided until July 2021, which was after OCR initiated its investigation. However, OCR also stated that it received three complaints from the same individual with allegations that UHIC failed to honor right of access requests.

All of the conduct resulted in UHIC making an $80,000 payment to resolve the allegations.

Some Color Commentary

The resolution is important from the perspective that it focuses on a health insurance company. This may be the first right of access settlement to address an insurer’s obligation to honor the right of access. It should be an obvious point because all covered entities must respond to an access request. As all should be aware, the definition of covered entity includes health insurers, health care providers, and health care clearinghouses. It is easy to direct attention to providers when thinking about access because providers create and maintain medical records. However, insurers also create, receive, and maintain arguably more comprehensive information about individuals. From that perspective, it may be surprising that more access requests aren’t directed to insurers. Insurers may potentially have more resources available to timely respond to requests, so that speculative thought could be why this is the first settlement with an insurer.

Did the identified conduct of UHIC justify a penalty? The skimpy details leave plenty of room for speculation, which is what we’ll do now. Was the inattentiveness of UHIC’s employee a repeated pattern of conduct? Did the complainant try reaching out to UHIC before complaining to OCR multiple times? If the complainant did reach out to UHIC, was the complainant ignored or given the brush off? Was the individual required to physically mail the request to a post office box that increased the likelihood of it getting overlooked? Were pandemic related measures still being followed that impacted the timeliness of seeing written correspondence?

All of those questions are important in being able to assess how and why UHIC faced enforcement action from OCR. The simple act of an employee overlooking a request seems fairly innocuous and something that could happen at any time to any organization. Human error alone doesn’t seem like enough of a justification to impose a penalty, unless OCR felt that it could do it to an insurer with some of the deepest pockets in the industry (though $80,000 likely wouldn’t even count as pocket change in this instance). There is a strong feeling that there is something more to the story that could elucidate the issue more, but OCR is not giving that information. While many of OCR’s resolutions would be helped by giving more of the detail behind the issue, this one, in particular, would carry more value if the background was fleshed out more.

Leaving all of those issues aside, right of access remains a problem. The conduct in the UHIC settlement only dates back to 2021, so relatively recent, especially given some of the other resolutions that OCR announced this year. It is a broken record to say that organizations must implement, review, and assess compliance with right of access policies. Regular training and education of the workforce on the policies is also necessary. It is not enough to write a policy and then put it on the shelf. That approach leaves little room for awareness or understanding, which in turn could easily lead to becoming the next headline for an OCR resolution. Internalize and operationalize the right of access not just for compliance purposes, but for improving relationships with patients, members, or however an organization identifies the individuals that it serves.

This article was originally published on The Pulse blog and is republished here with permission.