This March, two more healthcare providers paid fines to settle HIPAA investigations into their Right of Access practices. Arbour Hospital, Massachusetts and Village Plastic Surgery, New Jersey have agreed to pay $65,000 and $30,000, respectively, to settle their cases. Along with the monetary fine, the two healthcare providers will carry out a corrective action plan to address the shortfalls identified by the HHS investigators.
Counting these two cases, the HHS has now settled 18 cases under its HIPAA Right of Access initiative. Under the program, the department enforces individuals’ right to access their medical and health records. Past investigations have led to fines as high as $200,000 for violating the HIPAA standard.
All healthcare entities covered under HIPAA need to comply with the law. They need to follow the standards set by the three HIPAA rules, namely the Privacy, Security, and Breach Notification rules. Violations can trigger a HIPAA investigation, which, in turn, could result in strong action by the HHS. For instance, a co-owner and CEO of two hospice centers, who recently admitted to committing HIPAA violations, might end up spending 14 years in federal prison.
HIPAA Right of access costs two more providers under the HIPAA privacy rule
In this article, we’ll look at the two HIPAA settlements, how the decisions could affect your organization, and what you can do to protect yourself from similar actions.
HHS fines $65,000 and $30,000 for right of access violations
Of the two penalties, the first was imposed on Arbour Inc., a Massachusetts hospital that provides behavioral health services. The hospital will pay a fine of $65,000 and follow a corrective plan for the next two years. This settlement resulted from a HIPAA investigation triggered by repeated complaints from a patient, who claimed that the hospital wasn’t responding to his requests for a copy of his health records.
The patient had sent written, signed requests to Arbour, but did not receive a reply until OCR intervened in the matter. Altogether, the hospital took more than five months to share the requested records with the patient.
The second penalty of $30,000 resulted from the HHS investigation against Village Plastic Surgery (VPS), which provides cosmetic plastic surgery services in New Jersey. The OCR opened an investigation against the provider upon receiving a complaint from a patient that VPS was violating their right to access their health records.
Results of the OCR investigation
As a result of the OCR investigation, both complainants have received their health records. However, the investigations also concluded that the two providers failed to follow the standards set by the HIPAA Privacy Rule.
The investigators found the two providers to be in potential violation of the following standards:
- Arbour Hospital – 45 C.F.R. § 164.524 (b)
- Village Plastic Surgery – 45 C.F.R. § 164.524
Along with the monetary fines mentioned above, Arbour would need to follow a corrective action plan for the next one year, and VPS for two years.
Under the two plans, the providers need to revise their ‘right of access’ policies and procedures. Specifically, Arbour needs to put in place a system to ensure that its workforce and business associates follow the standards set by HIPAA. This includes reviewing relationships with partners who fail to aid the covered entity. VPS, meanwhile, needs to revise how it calculates its fee for processing PHI requests.
At the same time, the two providers need to:
- Distribute their new policies and procedures to their workforce
- Collect signatures from the workforce attesting that they understand their responsibility
- Conduct HIPAA training on individuals’ right of access
In addition, if a member of the workforce or a business associate fails to follow the new process, the provider must notify the HHS of the incident and of what it has done to correct it.
How to comply with the right of access standards
In light of the two settlements, we recommend that you revisit the policies and procedures that govern how you share health records with patients. Under the HIPAA Privacy Rule, you need to respond to a patient’s request within 30 days. Any delay, if not agreed upon, is a violation of their right of access.
You should look at your business associate agreements as well, because without your business associates' help you might not be able to honor a patient request within the time limit. For example, you may have to put in place sanctions against those who fail to help you complete the request.
On the subject of training, the two CAPs stress timely training of staff on HIPAA’s Right of Access standard. Specifically, they stress the need to train new hires within 30 days of joining and to retrain others regularly. Your HIPAA training should cover the standard and the related policies and procedures.
It appears that OCR will continue to enforce the Right of Access standard strictly. According to OCR Director Robinsue Frohboese, the office will continue to act against entities that fail to comply with HIPAA.
It is therefore urgent that you review your existing process for handling patient requests for their health records. Along with the process, you need to check whether your workforce has received the necessary HIPAA training.
If you need any help with your HIPAA training program, you can connect with us as well. Our team would be happy to help you design a training and attestation program tailored to your business needs.