OCR Announces Resolutions to Four HIPAA Violations

HIPAA

The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced the resolution of three investigations and one matter related to compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Two of these cases are part of OCR’s HIPAA Right of Access Initiative, bringing the total number of these enforcement actions to twenty-seven since the initiative began. The other enforcement actions result from healthcare providers impermissibly disclosing their patients’ protected health information (PHI). 

OCR has taken the following enforcement actions against healthcare providers: 

  • A dentist in Pennsylvania failed to provide a patient with a copy of their medical record. After being issued a Notice of Proposed Determination, the dentist requested a hearing before an Administrative Law Judge. The matter was resolved by a settlement under which the dentist agreed to pay $30,000 and to take corrective actions to comply with the HIPAA Privacy Rule’s right of access standard. 
  • Due to a negative online review on a webpage, a dental practice in North Carolina disclosed a patient’s PHI. The practice did not respond to OCR’s data request, did not respond or object to an administrative subpoena, and waived its rights to a hearing by not contesting the findings in OCR’s Notice of Proposed Determination. OCR imposed a $50,000 civil money penalty. 
  • A California psychiatric medical services provider has agreed to take corrective actions and to pay OCR $28,000 to settle potential violations of the HIPAA Privacy Rule, including provisions of the right of access standard. 
  • A dental practice in Alabama disclosed its patients’ PHI to a campaign manager and a third-party marketing company who had been hired to help with a state senate election campaign. The dental practice has agreed to take corrective action and to pay $62,500 to settle potential violations of the HIPAA Privacy Rule. 

OCR Director Lisa J. Pino stated, “Between the rising pace of breaches of unsecured protected health information and continued cybersecurity threats impacting the healthcare industry, it is critical that covered entities take their HIPAA compliance responsibilities seriously. OCR will continue our steadfast commitment to protect individuals’ health information privacy and security through enforcement, and we will pursue civil money penalties for violations that are not addressed.” 

Issue: 

All healthcare workers must understand HIPAA and how to safeguard PHI. The Privacy Rule allows access to information needed to ensure high quality healthcare and to protect the public, while also ensuring an individual’s health information is properly protected. All staff members at all levels must demonstrate understanding of the Privacy Rule, HIPAA, and how to protect PHI. It is essential that healthcare workers understand that residents, upon request, should have access to their PHI in an appropriate time frame. 

Discussion Points: 

  • Review policies and procedures related to HIPAA, PHI, and Privacy. Ensure that they address how health information exchanges should be conducted between healthcare associates. 
  • Train all staff on HIPAA, PHI, and Privacy, at a minimum upon hire, annually, and whenever issues arise. Ensure those who receive requests for record release are knowledgeable in the right of access standard established by OCR, including the requirement for a timely response. Document that these trainings occurred and file the signed training document in the employee’s education file. 
  • Periodically audit to ensure that the facility’s policies and procedures for HIPAA, PHI, and Privacy are being followed by all staff and that each one demonstrates understanding and competency. Audit to ensure that timely response to record requests occurs, and report audit results to the QAPI/QAA Committee.