
5 Lessons Learned From 5 HIPAA Fines In One Day

On September 15, 2020, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) hit a NEW record – 5 HIPAA Fines with Corrective Action Plans in ONE day! The HIPAA fines and corrective action plans had one main theme in common – not supplying patients with a copy of requested medical records in a timely fashion. The other key item from the action of the OCR is that these were not large multi-million dollar fines based on data breaches. These were fines that ranged from $3,500 - $70,000 and were all based on a patient making a complaint to the federal government, which, upon investigation, led to findings of noncompliance with HIPAA and the patient's rights defined by HIPAA.


5 Lessons Learned:


  1. Patients Have a Right to File a Complaint – the common theme for these HIPAA fines is that they were based on patient complaints to the Department of Health and Human Services. Once the complaints were received, the OCR opened investigations and found non-compliance with HIPAA's requirement of the Patient's Right of Access.
  2. Missing the Timelines – the HIPAA patient's access requirement is very clear: an organization has 30 days from the day of receipt of the request, without any delay, to respond and provide the requested records. The organizations that received a HIPAA fine did not respond within the defined timeframe.
  3. Incorrect Reasons for Denial – under the HIPAA Patient's Right of Access, a healthcare organization can deny a request for records, but there are very specific reasons and guidance for denying access. In addition, the denial must be provided to the patient in written form with information on how to appeal the denial. Having a clear process for this sets the organization up for success if and when it denies access.
  4. No Formal Process – during the investigation, the organizations were all found to lack current documented policies and procedures for responding to a patient's request for a copy of their medical records. Healthcare organizations need a written policy and procedure that defines the process for receiving a request and responding to it.
  5. Lack of Employee Education – lack of employee education was a finding in all 5 HIPAA fine scenarios. For organizations to be successful, employees need to know and understand the requirements and the process. Training is not a one-time event; it needs to be incorporated into an annual training plan for all workforce members.


Healthcare organizations of all sizes and specialties need to take swift steps to establish a robust patient access request and response process that supports a patient's rights under HIPAA. If your organization doesn't have a documented policy and procedure, hasn't educated your workforce on the patient access requirements and your policy, or hasn't conducted auditing to make sure you are meeting the expected timeframes, now is the time to act!


Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/right-of-access-initiative/index.html

