
For the second time this week, the Office for Civil Rights (OCR) announced that it had reached an agreement with a health care entity to resolve a potential violation of the Health Insurance Portability and Accountability Act.
Health Specialists of Central Florida (HSCF) has agreed to pay the Department of Health and Human Services $20,000 and put in place a corrective action plan after an OCR audit found a possible violation of the HIPAA right of access rule.
The regulator has prioritized these types of HIPAA violations for enforcement in recent years. The latest actions for breaches of the right of access were brought against 11 covered entities in July and 3 dental practices in September.
With today’s announcement, 42 entities have been issued monetary penalties since the OCR HIPAA Right of Access Initiative launched in 2018.
“Patients’ right to access their health information is one of the cornerstones of HIPAA, and one that OCR takes seriously,” OCR Director Melanie Fontes Rainer said in a statement.
The latest enforcement action highlights the importance of patient access to their health information. Covered entities must implement procedures and staff training to support data access.
The HSCF settlement stems from a complaint filed with the OCR in November 2019 by a daughter acting as a personal representative for her deceased father, a former HSCF patient. The complainant alleged that she sent a written access request to HSCF for her deceased father’s medical records on August 29, 2019, and then made several other requests for the records.
HSCF responded with a form to authorize release of medical information on August 29, 2019. However, the requested records were not sent to the daughter until January 27, 2020, more than six months later. The OCR investigation concluded that HSCF “did not respond in a timely manner to the complainant’s request for access”.
The OCR determined that HSCF had indeed failed to provide access in a timely manner, “a potential violation of the HIPAA Access Right Standard.” As a reminder, HIPAA requires covered entities and affected business associates to respond to access requests within 30 days, or 60 days if an applicable extension is filed.
In the case of HSCF, the release showed that the daughter received all of the requested documents only as a direct result of the OCR investigation.
Although the agreement is not an admission of liability, HSCF has entered into a corrective action plan (CAP) to address any gaps in HIPAA compliance as a result of the OCR findings. HSCF is now required to develop and maintain its HIPAA privacy policies and procedures to ensure compliance with the rule.
The measures are to include a policy for the disclosure of confidential information as part of its procedures for the right to access protected health information, which will ensure “full responses to requests for records”. Policies should be updated to ensure timely access.
HSCF is also urged to review its policy on the disclosure of confidential information to ensure that there is a standard method specific to personal representatives versus individuals. The OCR also required a review of the provider’s workforce training protocols for those involved in receiving or processing patient access requests.
The CAP also requires HSCF to develop appropriate sanctions to apply to employees who fail to comply with the provider’s policies. Policies should be sent to HHS for review before HSCF trains affected staff on these new procedures.
HSCF must also submit a report to HHS within four months of implementation summarizing the status of its program under the new CAP requirements.