Right to Access Enforcement Initiative

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow

In 2019, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced an initiative making it a priority to enforce an individual’s right to access their health records in a timely manner and at a reasonable cost. This right falls under the HIPAA Privacy Rule.

While 2020 threw a lot of us off the path of our goals, this was not the case for OCR and this initiative. They recently announced a settlement of at least five investigations for non-compliance in this area. The companies that were fined were not limited to one channel or area of healthcare. In fact, the range was quite broad.

Housing Works Inc. is a New York City-based nonprofit that has to pay $38,000 with regard to a potential violation stemming from a July 2019 complaint that the victim could not obtain a copy of his medical records. OCR offered assistance to the organization, which offers many levels of support to HIV/AIDS patients, and closed the complaint. When a second complaint came through in August of the same year, OCR was made aware that Housing Works still had not provided access to the complainant. He finally received the records in November, and Housing Works received their fine.

A multi-specialty family medicine practice in Carmichael, California refused to give a patient her records for over a year and a half. The practice, All-Inclusive Medical Services (AIMS), finally got the records to her in August of 2020, and also gave the OCR $15,000.

Three psychiatric services were recipients of fines as well, with their fines varying in dollar amounts, but a corrective plan being put in place for all. Beth Israel Lahey Health Behavioral Services had to pay $70,000 when they were nonresponsive to a personal representative seeking her father’s medical records. On a smaller scale, King MD had to pay a $3,500 fine when they failed to respond to a patient’s request for their own medical records. And Wise Psychiatry was fined $10,000 for a violation that lasted years when they refused a man access to his son’s records.

Different but the Same
Each of these practices refused to provide medical records in a timely fashion. A simple request turned into much more than it needed to be. This then put a focus on their practice from government agencies, mandated changes in their processes, and cost them financially. HIPAA laws do not apply only to practices of a certain size or in certain fields, and they are not enforced only in certain situations.

Running a small business, a large practice, a small practice – it can be challenging and take up so much of your time as a manager or business owner, but you MUST put a priority on HIPAA compliance. The money you lose in fines and damage to your reputation could far outweigh the upfront cost of what you will spend being proactive.

This article was originally published on HIPAA Secure Now! and is republished here with permission. HIPAA Secure Now offers annual online subscriptions to help covered entities and business associates keep up with compliance.
