Compliance Corner: The HIPAA Right of Access Crackdown Continues
On Sept. 9, 2019, the Office for Civil Rights (OCR), the HHS agency in charge of federal HIPAA enforcement, did something it had never done before by entering into a monetary settlement with a provider for a HIPAA right of access claim. And before the year was out, it did it again. The OCR Right of Access Initiative The actions are part of the Right of Access Initiative that the agency unveiled in Spring 2019. Although right of access has generated roughly one in three HIPAA complaints, privacy and security breaches have historically been the focus of OCR litigation and Phase 2 compliance audits. The first “trophy” yielded by this major enforcement policy change was the $85,000 September settlement with Florida’s Bayfront Hospital for allegedly denying an expectant mother timely access to the protected health information (PHI) of her unborn child. The Most Recent Settlement Coincidentally, the most recent Right of Access Initiative settlement also involved a Florida provider. The cases began in March when the OCR received a complaint about Korunda Medical’s alleged failure to send a patient’s PHI to a third party in a timely manner despite repeated requests. Then, when it finally did transmit the information, the […]
On Sept. 9, 2019, the Office for Civil Rights (OCR), the HHS agency in charge of federal HIPAA enforcement, did something it had never done before by entering into a monetary settlement with a provider for a HIPAA right of access claim. And before the year was out, it did it again.
The OCR Right of Access Initiative
The actions are part of the Right of Access Initiative that the agency unveiled in Spring 2019. Although right of access has generated roughly one in three HIPAA complaints, privacy and security breaches have historically been the focus of OCR litigation and Phase 2 compliance audits. The first “trophy” yielded by this major enforcement policy change was the $85,000 September settlement with Florida’s Bayfront Hospital for allegedly denying an expectant mother timely access to the protected health information (PHI) of her unborn child.
The Most Recent Settlement
Coincidentally, the most recent Right of Access Initiative settlement also involved a Florida provider. The cases began in March when the OCR received a complaint about Korunda Medical’s alleged failure to send a patient’s PHI to a third party in a timely manner despite repeated requests. Then, when it finally did transmit the information, the primary care and interventional pain management services provider allegedly didn’t do so in the requested electronic format and charged the patient excessive fees. Only after the OCR intervened for the second time did Korunda adequately fulfill the request. As in the Bayfront Hospital case, the settlement amount was $85,000. And like Bayfront, Korunda also had to implement a burdensome corrective action plan as part of the settlement.
Takeaway
The deadline for responding to a patient PHI access request is 30 days. To avoid potential audits and liability under the Right of Access Initiative, labs simply cannot afford to drag their feet in meeting the deadline (or charge excessive fees for processing PHI access requests). “For too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia,” declared OCR Director Roger Severino. “We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law.”
Subscribe to view Essential
Start a Free Trial for immediate access to this article