One of the nation’s leading health insurance companies, United Healthcare Insurance Company (“UHIC”), was recently fined $80,000 for violating the provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) which require that individuals be provided access to their protected health information (“PHI”) upon request.
According to the terms of the Voluntary Resolution Agreement (the “Agreement”) between UHIC and the U.S. Department of Health and Human Services (“HHS”), the fine arose because UHIC failed to respond to an individual’s medical records request made via mail to a UHIC post office box. HIPAA requires that an individual’s request for access be acted upon no later than 30 days after the request is made (45 C.F.R. § 164.524).
Due to the lack of a response, the individual filed a complaint with HHS. In addition to the penalty, the Agreement requires UHIC to (i) review and revise its PHI access policies and procedures; (ii) distribute updated policies and procedures; (iii) provide workforce training on the HIPAA access requirements; and (iv) report any additional failures to HHS. UHIC’s penalty serves as a reminder to exercise diligence in complying with HIPAA’s mandates.