UnitedHealthcare, a major healthcare insurer in the United States, has been fined $80,000 and required to take corrective action after a six-month delay in providing a health plan member with access to their medical records. This settlement marks the 45th enforcement action conducted by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) regarding HIPAA “right of access” violations.
The OCR stated that it received three complaints in 2021 from the same individual regarding UnitedHealthcare’s subsidiary, UHIC, alleging that the insurance company failed to respond promptly to the member’s request for their medical records. It was reported that UnitedHealthcare took more than six months to fulfill the request, prompting an OCR investigation.
Upon becoming aware of the issue, UnitedHealthcare immediately conducted an internal investigation which concluded that the delay had been due to employee error. All requested records were subsequently sent to the health plan member. However, the OCR determined that UnitedHealthcare’s failure to provide timely access to the medical records was a potential violation of the HIPAA “right of access” provision.
In response to the settlement, HHS OCR Director Melanie Fontes Rainer emphasized the importance of timely access to health information and stated that OCR will continue to enforce compliance for covered entities that delay or deny access requests. Rainer also highlighted that health insurers must train their workforce to ensure members’ access to health information.
In addition to the financial penalty, UnitedHealthcare has agreed to implement a corrective action plan as part of its resolution agreement with the OCR. This includes a review and revision of policies and procedures related to the HIPAA right of access, as well as their distribution to the workforce.
UnitedHealthcare expressed its support for members’ timely access to their health information and apologized for any inconvenience caused by the delay. The OCR has conducted 44 other enforcement actions relating to “right of access” disputes since the launch of its HIPAA compliance initiative in April 2019.