UPDATED: 5 Lessons Learned From 5 HIPAA Fines In One Day
Blog Update - November 12, 2020
Since September 2020, enforcement of the HIPAA Patient's Right of Access has continued to be a focus of the OCR. The OCR has added 4 MORE Right of Access HIPAA Fines to the 2020 list, for a total of 11 HIPAA Fines based on violations of the Patient's Right of Access.
- October 7, 2020 - $160,000 to a Medical Center for not providing all the requested patient records after multiple requests
- October 9, 2020 - $100,000 to a Spine Medical Clinic for not providing all records as requested by the patient
- November 6, 2020 - $25,000 to a Psychiatric Medical Group for not providing a patient's records in a timely manner
- November 12, 2020 - $15,000 to a Private Practitioner for not providing records in a reasonable time at a reasonable cost
These 3 additional HIPAA fines align with the information we have provided below. If you DO NOT have a clear, documented process for responding to patients' requests for a copy of their medical records, NOW is the time to take action so you do not become #11 or #12 on the 2020 HIPAA Patient Access Fines List!
In addition to the Patient's Right of Access HIPAA fines in the past 2 months, the OCR also assessed an additional 5 fines for other HIPAA non-compliance. There have been a total of 12 HIPAA Fines in 2020, with 9 happening in the past 2 months. NOW is the time to get your HIPAA compliance in order.
Original Post September 23, 2020
On September 15, 2020, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) hit a NEW record – 5 HIPAA Fines with Corrective Action Plans in ONE day! The HIPAA fines and corrective action plans had one main theme in common – not supplying patients with a copy of requested medical records in a timely fashion. The other key item from the OCR's action is that these were not large multi-million dollar fines based on data breaches. These were fines that ranged from $3,500 - $70,000 and were all based on a patient making a complaint to the federal government, which upon investigation led to findings of noncompliance with HIPAA and the patients' rights defined by HIPAA.
5 Lessons Learned:
- Patients Have a Right to File a Complaint – the common theme for these HIPAA fines is that they were based on patient complaints to the Department of Health and Human Services. Once the complaints were received, the OCR opened investigations and found non-compliance with HIPAA’s Patient’s Right of Access requirement.
- Missing the Timelines – the HIPAA patient’s access requirement is very clear: an organization must respond without delay and provide the requested records within 30 days of receiving the request. The organizations that received HIPAA fines did not respond within the defined timeframe.
- Incorrect Reasons for Denial – Under the HIPAA Patient’s Right of Access, a healthcare organization can deny a request for records, but only for very specific reasons and in line with specific guidance. In addition, the denial must be provided to the patient in writing, with information on how to appeal the denial. Having a clear process for this sets the organization up for success if and when it denies access.
- No Formal Process – During the investigation, the organizations were all found to not have current documented policies and procedures for responding to a patient’s request for a copy of his/her medical records. Healthcare organizations need to have a written policy and procedure that defines the process of receiving the request and responding to the request.
- Lack of Employee Education – Lack of employee education was a finding in all 5 of the HIPAA fine scenarios. For organizations to be successful, employees need to know and understand both the requirements and the process. Training is not a one-time event; it needs to be incorporated into an annual training plan for all workforce members.
Healthcare organizations of all sizes and specialties need to take swift steps to establish a robust patient access request and response process that supports a patient’s rights under HIPAA. If your organization doesn’t have a documented policy and procedure, hasn’t educated your workforce on the patient access requirements and your policy, or hasn’t audited whether you are meeting the expected timeframes, now is the time to act!