Recently, OCR settled 5 investigations in a HIPAA right of access initiative. The initiative was announced as an OCR priority in 2019 to support an individual’s rights to timely access to their health records under the HIPAA Privacy Rule.
What is different about these five cases?
These cases are all with little guys. We are accustomed to seeing large entities with large fines, like Anthem paying $16 million for a data breach or the University of Rochester Medical Center paying $3 million for failing to secure mobile devices. What we are not used to seeing is fines being levied against a small medical practice. This hit close to home, further proving that no entity, large or small, is above compliance. All patients, whether cared for in a large hospital or a small rural general practice, are entitled to privacy and, as in these five cases, to their healthcare records.
So who has agreed to pay fines and take corrective action to settle a potential violation of the HIPAA Privacy Rule’s right of access provision?
1. Housing Works, Inc. has agreed to pay $38,000. Housing Works, Inc. is a New York-based nonprofit that provides healthcare and homeless services for people living with and affected by HIV/AIDS.
2. All Inclusive Medical Services, Inc. has agreed to pay $15,000. AIMS is a California-based multi-family medicine clinic specializing in pain management, rehabilitation, and internal medicine.
3. Beth Israel Lahey Health Behavioral Services has agreed to pay $70,000. BILHBS is a network of mental health service providers in eastern Massachusetts.
4. King MD has agreed to pay $3,500. King MD is a small health care provider of psychiatric services in Virginia.
5. Wise Psychiatry, PC has agreed to pay $10,000. Wise Psychiatry is a small health care provider in Colorado.
While these fines seem relatively small in comparison to the larger fines previously mentioned, they are large to the smaller entities that are paying them. They represent payroll and utilities. Given that many small healthcare practices are already facing hardship in the midst of COVID-19 uncertainty, now is not the time to let up on making sure your organization is compliant.
As a reminder, the RIGHT OF ACCESS rule states that patients have a right to receive their healthcare records in a timely fashion, in the form or format that is requested, and for a fee that is cost-based and reasonable. HIPAA states that a reasonable time frame equals 30 days or less, but be aware that this timeline may be shorter in some states. Virginia’s law mandates healthcare records be shared in 30 days or less.
To make sure that your organization is fully compliant with all HIPAA regulations, contact CentraVance for a free risk assessment today!