5 More HIPAA Patient Rights Violations: Strategies for Avoiding Fines
In September of 2019, the Office of Civil Rights (OCR) of the Department of Health and Human Services settled the first HIPAA Fine and Corrective Action Plan for $85,000. Fast forward a little over 2 years, and the OCR has just assigned 5 more fines and corrective action plans for non-compliance with Patient Access, bringing the total to 25 covered entities with settlements with fines. This is a wake-up call for the entire healthcare industry, regardless of specialty: having a defined process in place to respond to a patient’s request for information is a MUST.
HIPAA is very clear in the regulations regarding patient access. The main components of the Patient Access Regulation are that:
- Patients have a right to inspect and get a copy of their health information
- All record requests should be provided to the patient within 30 days with no unreasonable delay
- A one-time 30-day extension may be used, but the patient needs to be informed in writing within the initial 30 days
- The patient can request a specific form and format of access, and if readily producible, the records should be provided in that format by the covered entity
- A fee can be imposed, but it must be a reasonable, cost-based fee based on the labor of copying the patient information, the supplies, and the postage
In addition, a covered entity should have a written policy and procedure and provide annual HIPAA training to all workforce members.
Looking at the detail of the most recent HIPAA fines for non-compliance with the Patient Access requirement, there are two key areas that stand out:
- Patients are not receiving the records that they request in a timely fashion
- Patients are being overcharged for records supplied to them under the patient access requirement
In the corrective action plans, two key items recur throughout as mitigations expected by the OCR:
- Create or update the patient access policy and procedure to make sure it addresses the patient access requirements, timely action by the covered entity, form and format of access, time and manner of access, and fees for copies of records
- Provide training and education to all workforce members on the Patient’s right of access
If your organization hasn’t established a process for patient access and a timely response, has no documented HIPAA Patient Access policies and procedures, or has not conducted staff training regarding patient access, you are at risk of a HIPAA fine and resolution agreement. Not sure where your organization stands on compliance with patient access? Take Planet HIPAA’s Free Patient Access Checkup.