Confidentiality, Privacy and Security

Resolution Agreement Highlights - Notice and Access

  • 1.  Resolution Agreement Highlights - Notice and Access

    Posted 09-19-2020 08:15
    A Resolution Agreement (RA) can provide a useful source of insight as to issues of non compliance that the OCR is encountering.  It also gives some information on how the OCR enforces its position on the obligation of covered entities or business associates to comply with such requirements.  Below are 8 items listed in the recently posted Resolution Agreement at  (

    There are two areas within the Privacy Rules that are particularly noted in the RA: Notice of privacy practices, Access of individuals to protected health information.  As shown below, 3 are associated with the Notice requirements and 5 with Access to PHI.

    I am posting the list below so those interested can take a look and see if any of these may be areas they may want to compare their own state of compliance with these specific requirements. As we have come to see...Access to PHI is one area that the OCR jumps on and often jumps on hard when it learns of non compliance in this area.

    To learn more and to get more context, check out the RA.

    164.520 Notice of privacy practices for protected health information.

    1. Right to Notice – 45 C.F.R. §164.520(a)(1)
    2. Content of Notice – 45 C.F.R. §164.520(b)(1)
    3. Provision of Notice – 45 C.F.R. §164.520(c)

    164.524 Access of individuals to protected health information.

    1. Right of Access – 45 C.F.R. §164.524(a)(1)
    2. Timely Action by the Covered Entity – 45 C.F.R. §164.524(b)(2)
    3. Time and Manner of Access – 45 C.F.R. §164.524(c)(3)
    4. Fees – 45 C.F.R. §164.524(c)(4)
    5. Documentation – 45. C.F.R.§ 164.524(e)
    Probably a good idea to check on your Access to PHI policies and we've seen in a number of RAs and announcements by the OCR...this is a hot button that gets OCR's attention!

    Posted: Saturday

    Frank Ruelas
    Compliance Professional