For the second time this week, the Office for Civil Rights announced it reached a settlement with a healthcare entity to resolve a potential violation of the Health Insurance Portability and Accountability Act.
Health Specialists of Central Florida agreed to pay the Department of Health and Human Services $20,000 and enter into a corrective action plan after an OCR audit found a possible violation of the HIPAA right of access rule.
The regulator has prioritized these types of HIPAA violations for enforcement in the last few years. The last actions for right of access failures were taken against 11 covered entities in July and three dental offices in September.
With today’s announcement, 42 entities have been issued monetary penalties since the launch of the OCR HIPAA Right of Access Initiative in 2018.
“The right of patients to access their health information is one of the cornerstones of HIPAA, and one that OCR takes seriously,” said OCR Director Melanie Fontes Rainer in a statement.
The latest enforcement highlights the importance of patients’ access to their health information. Covered entities must implement procedures and workforce training to support data access.
The HSCF settlement stems from a November 2019 complaint filed with OCR by a daughter acting as a personal representative of her deceased father, a former patient of HSCF. The individual alleged that she’d sent a written access request to HSCF for her deceased father’s medical records on Aug. 29, 2019, and later made several other requests for the records.
HSCF responded with a form to authorize the release of medical information on Aug. 29, 2019. However, the requested records were not sent to the daughter until Jan. 27, 2020, more than six months later. The OCR investigation concluded that HSCF “failed to timely respond to the complainant’s access request.”
OCR determined HSCF indeed failed to provide timely access, “a potential violation of the HIPAA right of access standard.” As a reminder, HIPAA requires covered entities and relevant business associates to respond to access requests within 30 days, or 60 days if an applicable extension is filed.
In the case of HSCF, the release showed that the daughter only received all of the requested documents as a direct result of OCR’s investigation.
Although the agreement is not a concession, HSCF has entered into a corrective action plan to address possible gaps in HIPAA compliance as a result of OCR’s findings. HSCF is now required to develop and maintain its HIPAA privacy policies and procedures to ensure compliance with the rule.
The measures must include a policy for the release of confidential information within its Right of Access procedures for protected health information, which will ensure “comprehensive responses to requests for records.” The policies should be updated to ensure compliance for timely access.
HSCF is also asked to review its release of confidential information policy to ensure there’s a standard method specific to personal representatives versus individuals. OCR also required a review of the provider’s workforce training protocols for those involved with receiving or fulfilling patient access requests.
The CAP also mandates that HSCF develop appropriate sanctions to apply to employees who fail to comply with the provider’s policies. The policies are to be sent to HHS for review before HSCF trains the applicable workforce members on these new procedures.
HSCF must also submit a report to HHS within four months of implementation to summarize the status of its program under the new CAP requirements.