Five Health Providers Held Accountable for Violating HIPAA Right of Access
OCR has shown that its serious about patients being able to access their healthcare records – recently levied penalties serve as a reminder for organizations to know where PHI is at all times.
The Office for Civil Rights (OCR) at the United States Department of Health and Human Services (HHS) continues to levy financial penalties on healthcare organizations that fail to comply with its initiatives.
Healthcare facilities, doctors, and physicians have to comply with Federal healthcare laws and regulations, like the Health Insurance Portability and Accountability Act (HIPAA) or risk being imposed a civil money penalty.
HHS’ latest penalties involve HIPAA’s Right of Access Initiative. The HHS began enforcing its Privacy Rule back in 2003 for most HIPAA covered entities but didn’t begin enforcing its Right of Access Initiative, which supports a patient to timely access their health records at a reasonable cost, until 2019. Entities that violate the provision are usually culpable if it takes them longer than 30 days to send along health records or if they charge an exorbitant fee.
OCR announced on Tuesday that it settled with five offices, bringing the total number of HIPAA Right of Access enforcement actions up to 25.
Collectively, the organizations, which range from an eyecare center to a primary care physician office, were fined $332,100.
The most egregious violation appears to be against a New York-based cardiovascular disease and internal medicine doctor that was fined $100,000 after not sending requested records to a patient despite several requests from 2013 to 2017. The patient that requested their records still hadn't received them by March 2018 and the doctor in charge of the office failed to respond to letter and phone inquiries, forcing the federal government to impose the lofty penalty.
In at least four of the five incidents, the covered entity will be required to take corrective action to further prevent any HIPAA Right of Access violations.
While different from HIPAA Right of Access complaints, OCR typically sees the following five issues in complaints alleging a violation of its Privacy, Security, and Breach Notification Rules:
- Impermissible uses and disclosures of protected health information;
- Lack of safeguards of protected health information;
- Lack of patient access to their protected health information;
- Lack of administrative safeguards of electronic protected health information; and
- Use or disclosure of more than the minimum necessary protected health information.
Implementing fixes for many of these - ensuring PHI is safeguarded, that it's not improperly disclosed, etc. - can go a long way in ensuring the HIPAA Right of Access Initiative, not to mention HIPAA itself, isn’t violated later down the line.
The settlements are yet another reminder for healthcare organizations to know where their patients’ data, especially protected health information, is at all times. While every organization's access policies and procedures vary, it’s critical to ensure data – wherever its stored - computers, servers, and storage devices – is classified, encrypted, and protected. I can help ensure an organization is in compliance with HIPAA too.