
Planet HIPAA Blog

5 More HIPAA Patient Rights Violations: Strategies for Avoiding Fines

In September of 2019, the Office for Civil Rights (OCR) of the Department of Health and Human Services settled the first HIPAA Fine and Corrective Action Plan for $85,000.  Fast forward a little over 2 years and the OCR has just assigned 5 more fines and corrective action plans for non-compliance with Patient Access, bringing the total to 25 covered entities that have settled with fines.  This is a wake-up call for the entire healthcare industry, regardless of specialty: having a defined process in place to respond to a patient’s request for information is a MUST.

HIPAA is very clear in the regulations regarding patient access.  The main components of the Patient Access Regulation are that:

  •  Patients have a right to inspect and get a copy of their health information
  •  All record requests should be provided to the patient within 30 days with no unreasonable delay
  •  A one-time 30-day extension may be used, but the patient needs to be informed in writing...
Continue Reading...

UPDATED: 5 Lessons Learned From 5 HIPAA Fines In One Day

Blog Update - November 12, 2020

Since September 2020, enforcement on HIPAA Patient's Right of Access continues to be a focus of the OCR.  The OCR has added 4 MORE Right of Access HIPAA Fines to the 2020 list.  That is a total of 11 HIPAA Fines based on violations of the Patient's Right of Access.  

  • October 7, 2020 - $160,000 to a Medical Center for not providing all the requested patient records after multiple requests
  • October 9, 2020 - $100,000 to a Spine Medical Clinic for not providing all records as requested by the patient
  • November 6, 2020 - $25,000 to a Psychiatric Medical Group for not providing patient's records in a timely manner
  • November 12, 2020 - $15,000 to a Private Practitioner for not providing records in a reasonable time at a reasonable cost

These 3 additional HIPAA fines align with the information that we have provided below.  If you DO NOT have a clear, documented process for responding to patients’ requests for a copy...

Continue Reading...

A Solo Doctor Practice Received A $100,000 HIPAA Fine: What Steps Should You Take Now To Avoid Being Next?

Dr. Steven Porter has a gastroenterology practice that sees more than 3000 patients per year.  In 2013, Dr. Porter reported to the OCR that a business associate was impermissibly using his practice’s electronic protected health information and blocking the practice’s access to vital ePHI unless a monetary fee was paid by the practice.  The Office for Civil Rights (OCR) of the Department of Health and Human Services (DHHS) opened an investigation and found Dr. Porter’s practice to be significantly out of compliance with the HIPAA Privacy and Security regulations.  OCR offered technical assistance to Dr. Porter’s practice; however, no steps were taken to correct the areas of HIPAA non-compliance.  As a result, Dr. Steven Porter’s practice was fined $100,000.

What was Dr. Porter’s Practice Missing?

HIPAA Risk Analysis

Dr. Porter’s practice failed to conduct a thorough and complete HIPAA risk analysis before and after the...

Continue Reading...

How a Yelp Review Led to a $10K HIPAA Fine & How You Can Avoid A Similar Fate

Another HIPAA enforcement fine for 2019, and another reminder that the focus, investigations, and settlements of the Department of Health and Human Services’ Office for Civil Rights (OCR) are directed at protecting the rights patients are given under HIPAA.

This time, a dental office in Texas was assessed a $10,000 HIPAA fine because patient information was improperly disclosed in response to a Yelp review.  I know it can be frustrating to have negative online reviews, and you want to respond and support/protect your clinic – but unfortunately, there are things you cannot say, especially in the online world!  Like it or not – it is the REALITY!  Read more about responding to Yelp reviews in my article “An Expert’s Guide to Patient Privacy and Online Reviews.”

“It’ll Never Happen to my Organization”

In my many years of consulting in the healthcare privacy and security space, I hear it all the time:

  • “The OCR doesn’t...
Continue Reading...

What Do Dental Clinics, Prison & HIPAA Have In Common?

A receptionist from a New York Dental Practice was recently sentenced to a 2 – 6 year Jail Term for accessing and disclosing protected health information from the Dental Clinic where she worked. 

For a 6-month period of time, the dental receptionist accessed patient information from the dental practice and disclosed it to a third party via unsecured email.  The third party then used the information to steal identities of the patients. 

You don’t want to think that this scenario will ever happen to your practice or that your employees will ever go rogue. Unfortunately, something like this could happen again, and if you don’t have the right processes established or safeguards implemented, your ability to quickly and appropriately respond can be delayed.

Employees snooping through patient medical records or stealing patient information is a big HIPAA risk that needs to be addressed within a practice.  Workforce members causing HIPAA violations is one...

Continue Reading...

HIPAA Data Breaches in 2017 – Another Record Breaking Year!

Unfortunately, as expected, 2017 brought many challenges to properly protecting patient information in healthcare. We saw a record number of data breaches in 2016, with cybersecurity incidents on a fast and furious rise. In 2017, the trend continued, with many healthcare organizations being hit with different cybersecurity attacks resulting in data breaches. However, on top of the increase in cybersecurity issues, many other causes of data breaches emerged. A total of 340 large data breaches (500+ individuals impacted) were reported in 2017, impacting 4,977,655 individuals!

Some key highlights from the 2017 HIPAA Data Breaches!

Healthcare providers continue to lead in the number of data breaches. This should come as no surprise as there are more healthcare providers than health plans and healthcare clearinghouses in the United States. Of the 340 large data breaches:

  • 274 were reported by covered entities (81%)
  • 49 were reported from health plans (14%)
  • 17 were reported from business...
Continue Reading...

5 Essential Steps to Ensure an Effective HIPAA Program

HIPAA Compliance is a term that is often thrown around the healthcare industry; however, I commonly ask myself – does HIPAA Compliance mean the same thing throughout the industry? The answer is NO! Walking into a healthcare organization in the last month, the HIPAA Privacy Officer was excited to tell me that they are fully HIPAA compliant and don’t have any on-going concerns with meeting the regulations. A quick review of the documentation requirements and auditing practices indicated that there were many holes in their HIPAA Compliance Program. As I spoke with the HIPAA Privacy Officer, she provided me with the tool she used to get to their current state with HIPAA. Needless to say, the tool was missing core components of the documentation requirements and didn’t have the specific essentials for on-going maintenance of compliance. This left the organization at risk for a HIPAA data breach or unauthorized use or disclosure of health information!

Trying to...

Continue Reading...

Here’s A Quick Way To Check If Your Website Is HIPAA Compliant

Part of being successful with the HIPAA regulations is understanding what is needed for compliance. Definitely easier said than done. The HIPAA Audit Protocol that was published in 2016 is a great tool to evaluate your HIPAA Compliance and understand the areas that you need to work on. The HIPAA Audit Protocol is essentially the answer key that you can use to take the HIPAA Compliance test!

In 2016, Planet HIPAA wrote a blog “Could Your Organization’s Website Reveal Your HIPAA Non-compliance?” This blog focused on the need to look at your website to determine if your Notice of Privacy Practices is posted and current. The response to that post was amazing and many organizations reached out for more guidance and additional information regarding the Notice of Privacy Practices.

For some fun, I recently did an audit of 18 different websites to determine how the Notice of Privacy Practices was coming along and if organizations were actually posting it on their website. The...

Continue Reading...

19 Days into 2017 and 2 HIPAA Fines Later…

Well, HIPAA enforcement is getting off to an active start in 2017. 2016 was a record year, with 13 HIPAA Enforcement fines amounting to $23.5 Million! Just 19 days into the New Year, OCR has published 2 HIPAA Enforcement fines amounting to $2.7 Million. It is safe to assume that we are going to see another active year of HIPAA Fines and Enforcement!

2017 HIPAA Enforcement Fine #1 – Lack of Timely HIPAA Breach Notification – $475,000

Presence Health found out about missing operating room paper schedules containing 836 patients’ protected health information on October 22, 2013. Notification was made to the Department of Health and Human Services on January 31, 2014 – approximately 101 days later. This was definitely a red flag, and the Office for Civil Rights (OCR) went in to investigate the concerns. During the investigation, it was found that Presence Health had failed to provide timely notification to those affected by data breaches on multiple occasions. In...

Continue Reading...

Does the 2016 HIPAA Audit Protocol Set New Expectations for HIPAA Policies and Procedures?

The HIPAA Privacy, Security, and Breach Notification Regulations require healthcare organizations to establish and create policies and procedures to help demonstrate compliance with the regulations. An organization can have well-established security practices or appropriately provide a patient with a copy of medical records, but if the organization doesn’t have a written policy and procedure for that specific requirement, it can be found out of compliance with the HIPAA regulations. Why is that? Because the HIPAA regulations have specific requirements that mandate the creation of written policies and procedures.

The specific regulations are as follows:

  • Privacy Rule Documentation – 164.530(i) – A covered entity must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule
  • Security Rule Documentation – 164.316(b)(1) – Maintain the policies and procedures implemented to comply with the regulations in written...
Continue Reading...