Five Additional Healthcare Providers Held Accountable for HIPAA Right of Access Violations

HIPAA

On November 30, 2021, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced the resolution of five investigations in its Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative. The total number of enforcement actions now stands at 25 since the initiative began.

The OCR created the initiative to support individuals’ right to timely access to their health records at a reasonable cost under the HIPAA Privacy Rule. HIPAA gives people the right to see and get copies of their health information from their healthcare providers and health plans. After receiving a request, an entity that is regulated by HIPAA has, absent an extension, 30 days to provide an individual or their representative with their requested records in a timely manner.

The five additional enforcement actions for violations of HIPAA Right of Access include:

  • A management and treatment of chronic pain services company agreed to take corrective actions that include two years of monitoring, and paid OCR $32,150 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
  • A provider of ophthalmological services agreed to corrective actions that include one year of monitoring and paid OCR $30,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
  • A cardiovascular disease and internal medicine physician did not cooperate with OCR’s investigation or respond to OCR’s data requests, after failing to provide a patient with a copy of their medical record. The physician waived his right to a hearing and did not contest the findings of OCR’s Notice of Proposed Determination. Accordingly, OCR closed this case by issuing a civil money penalty of $100,000.
  • A licensed provider of residential eating disorder treatment services has taken corrective actions, including one year of monitoring, and paid OCR $160,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
  • A provider of primary care and other healthcare services agreed to take corrective actions and paid OCR $10,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.

OCR Director Lisa J. Pino stated, “Timely access to your health records is a powerful tool in staying healthy, patient privacy, and it is your right under law. OCR will continue its enforcement actions by holding covered entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed.”

Issue:

It is essential that all healthcare workers understand HIPAA and how they must safeguard protected health information (PHI). The Privacy Rule allows access to information needed to ensure high quality healthcare and to protect the public, while also ensuring an individual’s health information is properly protected. All staff members at all levels must demonstrate understanding of the Privacy Rule, HIPAA, and how to protect PHI. Additional information is available in the Med-Net Corporate Compliance and Ethics Manual, Chapter 5 Privacy Plan, PP 2.0 Privacy Policy and Procedure.

Discussion Points:

  • Review policies and procedures related to HIPAA, PHI, and Privacy. Ensure that they address how health information exchanges should be conducted between healthcare associates.
  • Train all staff on HIPAA, PHI, and Privacy, minimally upon hire, annually, and if issues arise. Ensure those who receive requests for record release are knowledgeable in the right of access standard established by OCR that includes timely response. Document that these trainings occurred and file the signed training document in the employee’s education file.
  • Periodically audit to ensure that the facility’s policies and procedures for HIPAA, PHI, and Privacy are being followed by all staff and that each one demonstrates understanding and competency. Audit to ensure that timely response to record requests occurs, and report audit results to the QAPI/QAA Committee.