HIPAA

HIPAA Notice of Privacy Practices
HIPAA

What is a HIPAA Notice of Privacy Practices & Why Do You Need One?

June 10, 2021 Comments Off on What is a HIPAA Notice of Privacy Practices & Why Do You Need One?

June 10, 2021 Whether you’re a self-appointed 5 star chef or an Uber Eats connoisseur, you know that skipping one small ingredient (or forgetting the guacamole on your Chipotle burrito) can throw the whole meal off. And while there aren’t many similarities between cooking up your famous casserole dish and implementing a complete HIPAA program – both require various steps that are each essential to the final product. So amongst the exhaustive list of HIPAA essentials like the Security Risk Analysis (SRA), annual staff training, business associate agreements, and more –  falls an important and often overlooked ingredient in achieving compliance, the Notice of Privacy Practices (NPP).  What is it?  Under the HIPAA Privacy Rule, covered entities are required to provide patients with a notice that states how their protected health information (PHI) will be used and shared. In a nutshell, the purpose of the document is to clearly outline the practices you have in place to protect the privacy of sensitive data (hence the name Notice of Privacy Practices) along with your organizations’ legal responsibilities and patients’ rights to their own PHI.  What’s in it?  Creating a proper notice requires a little prep work, so in looking at the meat and potatoes of what goes into this important HIPAA document, the NPP should include a description of the following:  How do I provide it? It’s one thing to have all of the ingredients needed for the NPP but the part that often gets healthcare organizations in a pickle is determining how to properly securely serve it to patients. Typically, the notice is given to a patient at their first appointment along with other important documents like the HIPAA authorization form. But simply getting a copy signed once isn’t all that’s needed. Most practices don’t understand it’s a HIPAA requirement to also post the notice in a clear and easily accessible location to the patient. Additionally, if your practice has a website, a copy of the NPP should be posted and readily available there as well.  Why is it so important?  Compared to the many other more complex pieces of a complete HIPAA program, putting together a Notice of Privacy Practices seems almost as easy as whipping up a box of Kraft Mac and Cheese. However, according to the most recent HIPAA Audit Results, only 2% of covered entities fully met the NPP requirements while two-thirds failed to or made minimal or negligible efforts to comply. So why is there such an overwhelming amount of noncompliance for a relatively easy standard to meet? Well, the report found that many entities audited were able to submit some type of document but the majority could not provide a notice that was written in plain language and most were missing required content often related to individual rights. In addition to the widespread lack of proper content within the notice, the report also found that many entities failed to meet the prominently posted requirement. This meant that even if the entities had the notice and posted it on their website – if it wasn’t easily accessible from the website’s homepage it didn’t cut it in the OCR’s books.  Some food for thought? Having a complete compliance program in place starts with following the recipe of HIPAA requirements. Ensuring that your practice has a properly written and accessible NPP might one be a small piece of the whole HIPAA pie – but just like forgetting to add yeast when baking the crust, missing one requirement – even if you have everything else in place – can cause all of your other compliance efforts to fall flat.

OCR Announces 19th Right of Access Settlement
Fines, HIPAA

OCR Announces 19th Right of Access Settlement

June 2, 2021 Comments Off on OCR Announces 19th Right of Access Settlement

June 2, 2021 With the official kickoff of summer only a few weeks away, the Office for Civil Rights (OCR) is getting some last minute spring cleaning in – announcing their latest HIPAA settlement with a practice whose Privacy Rule violations couldn’t be swept under the rug. Diabetes, Endocrinology & Lipidology Center, Inc. (DELC) was handed a $5,000 fine and tasked with a two-year corrective action plan (CAP) to help clean up their “HIPAA mess” that started back in 2019.  Today’s fine marks the 19th Patient Right of Access settlement since the OCR officially announced their initiative two years ago. And ironically enough – around the same time that the government was declaring their focus on enforcing the standards around patient rights, DELC became a perfect example of just how many practices weren’t upholding them.  The incident began in July of 2019 when a parent requested access to her minor child’s health records. After DELC failed to take timely action in response to the request, a complaint was filed with the OCR in early August 2019. It wasn’t until the OCR got involved that the healthcare organization finally provided access, almost two whole years after the initial request.  Though the fine amount might seem on the lower end of what the OCR typically doles out, the corrective action plan has plenty of requirements to make up for it and just to name a few: This hefty “honey-do list” shows that the dollar amount doesn’t cover all the costs associated with violating HIPAA and proves why it’s so important to get your practice’s compliance efforts in order before an incident occurs. So while DELC took longer to fulfill the request than it would to dust off every book in the Library of Congress, the OCR hasn’t delayed in performing quite a bit of housekeeping themselves. With 19 settlements and $1,093,500 collected on behalf of patient right of access violations, the OCR has stuck to their initiative and continued to sweep up any and all violators. And though the settlements all range in resolution amount, corrective action requirements, and organization size and specialty – the message has always been the same and was reiterated by Acting OCR Director Robinsue Frohboese in that, “It should not take a federal investigation before a HIPAA covered entity provides a parent with access to their child’s medical records. Covered entities owe it to their patients to provide timely access to medical records.”   

Vaccination Status & HIPAA
Best Practices, HIPAA

Vaccination Status & HIPAA

May 28, 2021 Comments Off on Vaccination Status & HIPAA

May 28, 2021 News reports centered around patient privacy and COVID-19 seem to break on the daily – bringing newfound fame to HIPAA law and even more speculation on what is – and isn’t – covered within its requirements. Most recently, the conversation of vaccinations has been a trending headline with the question of ‘HIPAA violation’ commonly featured. So while there’s still plenty of uncertainty where COVID-19 is concerned, hopefully, we can at least shed some light on where HIPAA truly comes into play. When it comes to the commonly asked question of whether HIPAA protects against employers and other businesses requesting vaccination records, the short answer is no. HIPAA law only applies to covered entities which therefore means that private businesses and citizens are not obligated under the stringent data protection laws and CAN ask about vaccination status. However, patients do have the right to not disclose their own health information and can choose to decline to answer, but based on state-specific laws and company requirements there may be repercussions as a result. In a quote from Kayte Spector-Bagday, a lawyer and bioethicist at the University of Michigan, she highlights the popular misconception in saying, “People often feel like HIPAA protects them from being asked about their medical information, or prohibits other people from asking about their medical information. Neither is true. HIPAA prohibits health professionals, such as your doctor, from sharing your identified health information without your permission in most circumstances. People can always ask about your health information, and you can almost always decline to answer.”  So where does HIPAA come in?  As we just mentioned, healthcare organizations and their business associates are liable under the federal law meaning that your practice can NOT disclose vaccination information (or any protected health information for that matter) unless direct patient authorization is granted. So, say a patient’s employer calls your office to ask about their employee’s vaccination status. Well, because of the standards outlined in the HIPAA Privacy Rule, you cannot disclose any sensitive health information without patient consent, and doing so would result in a HIPAA violation. While vaccination status and test results are the trending topics at the moment, it’s important to note that these stipulations go for any and all types of patients’ health information, not just what’s related to COVID-19. And while the current state of the public health emergency still leaves a lot of unanswered questions – when it comes to your practice’s ability to disclose protected health information (PHI), HIPAA law still applies.

Peachstate Clinical Laboratory HIPAA Violation
Fines, HIPAA

OCR Announces HIPAA Settlement with Peachstate Clinical Laboratory for Security Rule Violations

May 25, 2021 Comments Off on OCR Announces HIPAA Settlement with Peachstate Clinical Laboratory for Security Rule Violations

May 25, 2021 No matter the time of year, HIPAA enforcement never goes out of season and we have today’s announcement from the Office for Civil Rights (OCR) to prove it. The latest HIPAA settlement and sixth of the year involves Peachstate Health Management, LLC – a Clinical Laboratory based out of Georgia who provides diagnostic and laboratory-developed tests. The violation stemmed from Peachstate’s failure to meet several of the HIPAA Security Rule requirements and led to a $25,000 fine and 3 year corrective action plan issued by the OCR – a result that probably didn’t leave the organization feeling too peachy afterall.  So what happened?  Well it may seem like comparing apples to oranges when looking at what triggered this settlement versus the ones we’ve recently seen centered around patient right of access violations and large cyberattacks. But the latest violation resulted from a variety of different and very relevant factors from data breaches to telehealth and business associates with systemic noncompliance at its core. It started back in 2015 after the U.S. The Department of Veterans Affairs (VA) reported a data breach involving their telehealth services program managed by its business associate, Authentidate Holding Corporation (AHC). A year later, the OCR initiated an investigation into the business associates’ compliance program where they uncovered that AHC and Peachstate had earlier entered into a reverse merger in January of 2016 whereby AHC acquired Peachstate. As a result of this finding, the OCR opened up another compliance review into Peachstate and found that the clinical laboratories were ripe for the picking in their ongoing noncompliance in the following key areas:   In addition to the fine and extensive corrective plan that the OCR issued, their response to the incident and message for other healthcare organizations is the cherry on top and should not be taken lightly. “Clinical laboratories, like other covered health care providers, must comply with the HIPAA Security Rule. The failure to implement basic Security Rule requirements makes HIPAA regulated entities attractive targets for malicious activity, and needlessly risks patients’ electronic health information,” said Robinsue Frohboese, Acting OCR Director. “This settlement reiterates OCR’s commitment to ensuring compliance with rules that protect the privacy and security of protected health information.”  So in other words – the only way to avoid being the low-hanging fruit for a HIPAA violation is ensuring that your healthcare organization has met these basic standards that Peachstate was missing. And while an apple a day might keep the doctor away, this latest settlement is yet another example of why having a complete compliance program in place is so essential to keeping your practice away from OCR scrutiny and avoiding a HIPAA fine like this one.   

HIPAA Protected Health Information
HIPAA

HIPAA Protected Health Information

May 7, 2021 Comments Off on HIPAA Protected Health Information

May 7, 2021 Most healthcare professionals understand many of HIPAA’s regulations are all about safeguarding protected health information (PHI), but there is much confusion in attempting to define what PHI actually is and is not. We all know that things like social security numbers and bank account information should be kept under lock and key but it’s not just the obvious details that could be used maliciously. These are only two examples of the 18 different identifiers that constitute PHI and all it takes is for just one to fall into the wrong hands for your practice to have a HIPAA breach on yours. So ensuring that you’re fully safeguarding this sensitive data starts with having a complete understanding of what needs to be protected and knowing why it’s so important that you do.  What are PHI and ePHI? PHI can be defined as any personal health data created, transmitted, received, or stored by a covered entity and their business associate (BA) that could potentially identify an individual. Now between the many documents, forms, records, and other communications that your practice handles on a daily basis – PHI is more than likely featured on most if not all of these things. As you probably already know, and the 86% of providers currently utilizing Electronic Health Records (EHR) can attest to, many of these communications are done so electronically and therefore contain electronically protected health information (ePHI). So whether the information is transferred, received, or simply saved on paper or in an electronic form – if it consists of any one of the following identifiers of PHI, it needs to be properly protected: Why does it need to be protected?  So now that you know what fits the bill of PHI – it’s important to know why and how it should be protected. To hackers and other individuals with malicious intent, a healthcare practice containing patients’ sensitive information is a gold mine considering a single medical record can be valued up to $250 on the black market. Now to put that into perspective, financial and banking information is only valued at $5.40 – so why such a large price tag on PHI? Well, unlike a credit card – if your sensitive health information gets into the wrong hands you can’t just cancel the card or change your information. Healthcare data breaches are hard to detect, and once that sensitive information is out there, it’s much more difficult to get back.  How should it be protected?  As you can see from the 18 identifiers listed above, PHI comes in many different shapes and sizes and requires more than just having locks on your doors and passwords on your computers to keep out of harm’s way. HIPAA law outlines how PHI should be protected in its Security and Privacy rule requirements – providing administrative, technical, and physical controls that are all essential for securing patient data. While these safeguards help to protect PHI when it’s being stored and handled within your practice, encryption is key to maintaining data integrity when it’s being sent or received and proper disposal is crucial when the PHI is no longer needed. So now that you know the what, why, and how – let’s talk about the who. With patient complaints and data breaches continuing to take on all-time highs, it’s more important now than ever to ensure that everyone who works with your patients’ PHI is doing so properly. Best protecting your patients means conducting regular HIPAA training for all staff members, having signed business associate agreements with all third-party vendors, and maintaining a complete compliance program that meets these government requirements and encompasses all the necessary safeguards.  While understanding exactly what PHI is and how it should be protected might still be a bit confusing, thanks to Abyde, it doesn’t have to be! Meeting HIPAA standards and safeguarding PHI has never been easier with Abyde’s revolutionary approach and team of HIPAA experts there to support you every step of the way. Schedule a complimentary one-on-one consultation to learn more! 

How HIPAA Impacts Your Practice
HIPAA

How HIPAA Impacts Your Practice

April 29, 2021 Comments Off on How HIPAA Impacts Your Practice

April 29, 2021 The book you started but never finished, the closet that’s in desperate need of some reorganization, and that dreaded check engine light in your car – there are plenty of tasks that we need to do but can’t seem to actually find the time for. Unfortunately without another set of hands and 10 extra hours in the day, it’s easy to avoid dealing with the items that aren’t at the top of our priority list and focus on the ones that are. And while there’s nothing wrong with setting some things aside for later, too often medical practices treat HIPAA compliance programs like homeowners treat cleaning out the gutters – a nuisance task that ‘I’ll get to later’. But given how important the law is to ensuring protected health information (PHI) is kept safe and secure, and how costly it can be for your organization if it’s not – HIPAA deserves a bit more precedence than it’s given.  While it’s probably not always front and center and top of mind, HIPAA law plays a supporting role in your everyday work-life more than you might even realize. And with the common misconceptions around what the law actually is and what being fully compliant entails, it’s hard to give credit where credit is due. So to give HIPAA the much-deserved spotlight and prove how significant the law is to your daily operations, let’s take you through a day in the life of Sally Sue the Office Manager.  Today’s just like any other day at the practice starting with Sally settling into her desk, logging into the practice’s EHR system, and listening to any voicemails missed from the night before. One patient called to request that her son’s medical records be sent to another provider and Sally (large coffee in hand, extra ready to tackle the day) returns her call right away to see whether she would like to have the records sent electronically or in a paper copy via mail. After the patient record request has been handled, Sally checks the appointment log and notices that one of the first appointments is with a new patient. So, as per the practice’s proper procedures for onboarding patients, Sally gets the Notice of Privacy Practices (NPP) and patient consent form all ready to be signed by the patient as soon as they check-in.  After a busy morning of phone calls and appointments, Sally takes her lunch break and decides to sift through some of the practice’s unread emails. She notices an email that looks like it’s from a credit card company saying that there’s an overdue balance along with a link to make a payment. Since Sally’s always reading up on the latest news, she knows that phishing schemes are common especially in healthcare, and decides to call the credit card company to see if the email was legitimate. After receiving confirmation that it was in fact a scam, she immediately deletes the email and lets the HIPAA Compliance Officer know about the avoided issue and red flags to be on the lookout for. Luckily the rest of the day is crisis-free and Sally has some downtime to review the practice’s handbook and manual as she is working on transitioning over to managing everything electronically.  In what seemed to have flown by, it’s just about 5:00 and the practice is getting ready to close. Unfortunately, today is one of Sally’s favorite colleagues last day before she moves out of state, and after enjoying some going-away cake and thanking her for all that she’s done – Sally collects her keycard, removes her from all user accounts, and changes access codes and passwords before logging out of her computer and heading home for the night.  As you can see, and can probably relate, Sally had quite the busy day that definitely warrants a free pass from any spring cleaning and car maintenance that is still sitting on her “when I can get around to it” to-do list. BUT as you can also see, whether it’s responding to patient record requests, getting the necessary patient authorization forms signed, offboarding employees, or even just logging into the practice computer with a secure password – the requirements and safeguards outlined within the HIPAA Privacy and Security Rule weave themselves in and out of the majority of a practices daily operations.  So if your practice handles HIPAA with as much of a keen eye as Sally does, you probably don’t have too much to worry about. But imagine if she hadn’t responded to that patient’s record request right away and they filed a complaint with the Office for Civil Rights (OCR). Or if she let the potential phishing email go unnoticed and hackers gained access to their sensitive data. Or if she had just forgotten to log out of the computer at the end of the day and there was a break-in overnight. Any one of these worst-case scenarios could’ve followed suit and ultimately resulted in a violation and hefty fine for the practice if HIPAA precautions weren’t kept top of mind throughout the day.  Thanks to HIPAA, there are safeguards established to help prevent things like data breaches and patient complaints from happening and laws in place to actually mandate that healthcare organizations uphold the standard. So no matter how busy life gets, protecting patients’ sensitive information is not something that you can just save for a rainy day – and ensuring that you have a complete HIPAA program in place that meets all government requirements should always be a priority.

Why You Need a Business Associate Agreement
Best Practices, Business Associates, HIPAA

When & Why You Need a Business Associate Agreement

April 20, 2021 Comments Off on When & Why You Need a Business Associate Agreement

April 20, 2021 We’ve all heard the saying ‘sharing is caring’ but sometimes doing a good deed could actually steer you into some consequences later down the road. Let’s say, for example, you just loaned your car to your best bud whose “quick trip to the store” actually consisted of running red lights and racking up parking tickets. Though you might not have been the one in the driver’s seat – your name will be the one on all of the lovely fines that wind up in your mailbox, not your BFF’s. Now you’re probably wondering where we’re going with all of this. And while cars and protected health information (PHI) might not have a whole lot in common, it goes to show how certain situations in life require additional precautions to minimize the risk of being responsible for another’s wrongful actions. This idea rings especially true when it comes to working with and sharing something as valuable as sensitive health information. HIPAA law provides a pretty specific roadmap for how your practice should be safeguarding PHI and outlines certain standards that if not met – could result in a hefty fine. But with all the government requirements, advancements in technology, and changing patient needs – it’s impossible today to run a practice without the help of third-party vendors. So whether it be an outside medical billing company, IT support, or document shredding company – any vendor that comes into contact with PHI is a business associate (BA) of your practice and requires their own set of directions for proper handling.  Just as covered entities have obligations under HIPAA law, so do business associates – with one of the most important being a documented and signed Business Associate Agreement (BAA). A BAA is essentially a written agreement between your organization and the business associate, specifying each party’s responsibilities when accessing and maintaining PHI and it offsets the liability so that your practice can take a backseat if any incidents were to occur.  As you probably wouldn’t hand over your keys to just anyone without laying down some ground rules first, the same goes for providing access to patients’ sensitive health information. Like most contracts, the terms and conditions in a proper BAA can be pretty lengthy and may vary based on the type of vendor you’re working with – but here are some of the basic HIPAA requirements that should be outlined:  Permitted uses and disclosures of PHI Specific safeguards that the BA is expected to establish Breach Notification requirements Policies and procedures for providing PHI access at your practice’s or patient’s request Business Associate Training requirements Guidelines for how PHI should be returned or destroyed upon termination of the BAA Meeting all the requirements for what should be included in a BAA is just the first stretch of the drive, and something we’re often asked is, “What if one of my vendors refuses to sign?” Given the fact that having a signed BAA with all vendors you work with is a HIPAA requirement, it’s probably a good idea to put the brakes on any working relationship with a vendor who can’t agree to your terms and conditions. Just last year a medical practice found itself a victim of a HIPAA hit and run after filing a breach report stating that their EHR company was blocking access to the practices’ ePHI in exchange for $50,000 to be paid by the practice. While it might seem pretty obvious that the business associate was the driving force of the incident, because there was no BAA in place – the $100,000 in damage fell solely on the provider.  A Business Associate Agreement not only lays out the rules of the road for how PHI should be handled but holds the BA directly liable for any non-compliance that happens when they’re behind the wheel. Having a proper agreement in place with each and every vendor you work with ensures that they’re best protecting your patients’ PHI and means that your practice can steer clear of the hefty HIPAA fines if they don’t.

HIPAA Whistleblower Exception
Best Practices, HIPAA

What is the HIPAA Whistleblower Exception?

April 8, 2021 Comments Off on What is the HIPAA Whistleblower Exception?

April 8, 2021 Acting out a word or phrase in a game of charades is a perfect party activity but playing a guessing game isn’t as fun when it comes to reporting a work-related incident. Whether you’re taking part in a round of “Guess Who” or just following your practice’s policies and procedures, not everybody will play by the rules – and unfortunately, hackers and those outside your organization with malicious intent aren’t the only ones that pose a potential risk to your patients’ protected health information (PHI). It’s more common than you might think to see the biggest offenders of improper access and disclosure actually come from inside your organization. When and if you uncover an internal incident, knowing how to report the so-called rule-breaker without violating HIPAA yourself can feel like a major game of guesswork.  So what happens if you notice Sally Sue making copies of a patients’ health records for non work-related reasons? Or catch Doctor Dan improperly administering prescriptions to patients? Given how heavily privacy and security protections emphasize proper PHI disclosure, it’s not uncommon to be wary that reporting a HIPAA violation could actually implicate you in a violation yourself. But even if you’re a pro at charades, reporting an incident without giving away the nitty-gritty details to build the case is not easy and certainly not effective. So while HIPAA does establish privacy and security standards that prevent the release of PHI, there is a caveat (if specific criteria is met) for bringing light to malicious activity happening within the practice – a.k.a the HIPAA Whistleblower Exception.  What are the HIPAA whistleblower exception requirements?  Despite the name, ‘whistleblower exception’ has nothing to do with whistles and everything to do with protecting staff and patients from facing any backlash if they report any unlawful conduct within a practice. Under the exception, it is not considered a violation of the HIPAA Privacy Rule if a staff member or business associate discloses PHI, as long as they believe in good faith that either:  The exception is a two-part process and after determining whether the incident meets the requirements for what can be reported, the next move is knowing who you can and can’t actually make the disclosure to. We recommend first going to your HIPAA Compliance Officer (HCO) to help assist you in best handling the situation (as long as they aren’t involved in the incident themselves). But the whistleblower exception also provides additional provisions for whom the disclosure can be made to that include:  While we’d like to hope that everyone within your organization plays fair and square, in the case that you do happen to catch a coworker snooping through patient files – it’s important to know who you can disclose the incident to and that you can include specifics like the patient name and type of health record that was accessed. So if the requirements are met and followed properly, employees can safely report any non-compliant behavior without fearing that a HIPAA violation or termination letter will follow. Wondering whether or not you can take action to protect patients’ privacy and security should never be a guessing game and thanks to the provisions outlined in the HIPAA whistleblower exception, the cards are stacked in your favor.

The 21st Century Cures Act
HIPAA, Legislation

Premiering Now | The 21st Century Cures Act

April 2, 2021 Comments Off on Premiering Now | The 21st Century Cures Act

April 2, 2021 Roll back the curtains and cue the drumroll because it’s the moment we’ve all been waiting for… the 21st Century Cures Act is finally making it’s big debut. The newest legislation directed by the  Office of the National Coordinator for Healthcare Technology (ONC) is officially effective on April 5, bringing several advancements to healthcare and technology that are sure to live up to the hype. So if you’re a healthcare provider and you use any sort of healthcare application, we hope you have your popcorn ready because this one’s for you!  So let’s take it from the top – what even is the 21st Century Cures Act? The HITECH Act and more recently the HIPAA Safe Harbor Law have already set the stage, providing legislative requirements that put technology and healthcare in the spotlight. But the Cures Act goes one step further as the sequel to these health IT related laws, outlining how practices and healthcare app developers can overcome the balancing act of giving patients easy access to their electronic protected health information (ePHI) while still maintaining data privacy and security.  Ultimately, patients play the starring role in the Cures Act requirements. Getting the red carpet treatment to access their health records in the ways that they want to receive it – whether that be an app, another EHR, or similar electronic system. Having this ‘patients-first’ focus is at the center of HHS’s work toward a value-based health care system and enables:  How does it impact me?  This star-studded set of legislation features a ton of improvements for healthcare and technology that you definitely don’t want to miss.  So now what?!  Wondering how this new law changes HIPAA requirements? Spoiler alert – it doesn’t. All of those HIPAA requirements surrounding data privacy and security, proper disclosure, and patient record access requests are still featured within the new legislation and should not be forgotten. Having a complete HIPAA compliance program in place is the groundwork for protecting patient data, and underscores what the Cures Act entails.  Now, if recent enforcement efforts haven’t given you enough of a preview, the government is a tough critic for noncompliance. So much so that in the latest round of HIPAA audit results, 94% of covered entities’ compliance efforts were rated as a total flop. So having a complete compliance program that meets all requirements (including the new ones we just covered) is key to keeping your practice out of the limelight of enforcement and avoiding an Oscar-worthy HIPAA fine.    

Right of Access Settlement Announced
Fines, HIPAA

HIPAA Enforcement is on a Hot Streak – 18th Right of Access Settlement Just Announced

March 26, 2021 Comments Off on HIPAA Enforcement is on a Hot Streak – 18th Right of Access Settlement Just Announced

March 26, 2021 Looks like the Office for Civil Rights (OCR) just decided to play a quick round of 18 – announcing their 18th right of access settlement (and second of the week) with yet another practice who’s HIPAA compliance efforts were well below par.  Village Plastic Surgery (“VPS”) was the latest to tee off against the OCR in a matchup that resulted in a $30,000 fine and two year corrective action plan. And with the 17th right of access settlement announced only two days ago – the tough loss endured by the New Jersey-based provider was just par for the course.  The round began back in September of 2019, after a patient filed an all too familiar complaint to the OCR that the practice had failed to respond to their record request that was made a month prior. Unlike previous settlements where the organization was first provided with technical assistance, all it took was a single patient complaint for the OCR to determine that VPS failed to meet right of access standards – setting the tone that there are no mulligans when it comes to a HIPAA violation.  It’s pretty clear that if you’re not meeting HIPAA requirements, becoming the next opponent on the OCR’s lineup is anyone’s game. But if two fines in one week don’t drive the point home, maybe the latest statement from OCR Director Robinsue Frohboese will be right on target: “OCR’s Right of Access Initiative continues to support and enforce individuals’ vital right to receive copies of their medical records in a timely manner, covered entities must comply with their HIPAA obligations and OCR will take appropriate remedial actions if they do not.” So, with $5,540,000 collected in HIPAA fines just in 2021 alone and patient right of access being a clear government focus – ensuring that your practice’s compliance program is up to par is the best and only way to steer clear of the next round of OCR enforcement.  

Are you prepared for OSHA's Workplace Violence Prevention requirements? Learn what you need to do to be compliant.

DOWNLOAD CHECKLIST
X