UnitedHealthcare Pays Settlement for HIPAA violation over Patient Medical Records Request

UnitedHealthcare Insurance Company (UHIC), a major health insurer in the United States, has reached a settlement with the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) regarding a potential violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule's right of access provision. Under this rule, patients have the right to access their health information in a timely manner.

This settlement, which marks the 45th case of its kind to be resolved through voluntary agreement, requires UHIC to implement a corrective action plan and pay $80,000. The OCR's Director, Melanie Fontes Rainer, emphasized the importance of timely access to health information, stating that the OCR will continue to enforce the right of access and hold accountable any covered entities that delay or deny access requests.

The investigation was initiated in March 2021 following a complaint from an individual who claimed that UHIC failed to respond to their request for a copy of their medical record. The individual had initially made the request on January 7, 2021, but did not receive the records until July 2021, well after the OCR began its investigation. This was the third complaint the OCR received from the same individual against UHIC regarding their right of access.In addition to the financial settlement, UHIC has agreed to a corrective action plan that includes OCR monitoring for one year.

The resolution agreement and corrective action plan can be accessed on the HHS website.The OCR's guidance on the HIPAA right of access is available on their website as well. The OCR remains committed to ensuring the protection of individuals' health information privacy and security under HIPAA. Individuals who believe their own or someone else's health information privacy or civil rights have been violated can file a complaint with the OCR through their online complaint portal.