Don’t get fined by HIPAA in 2020

February 2, 2020

Failure to provide patient records can result in a HIPAA fine.

The trend continues as the Department of Health and Human Services Office for Civil Rights (OCR) has issued more enforcement actions.

Failure to provide patient records can result in a HIPAA fine. Earlier this year, I wrote an article that addressed one of 2019’s many enforcement actions – Bayfront Health’s failure to provide a pregnant woman with a complete copy of her medical record by omitting the fetal heart rate monitor records of her unborn child. As a result, the hospital agreed to pay $85,000 and implement a corrective action plan.

In December, OCR continued to focus on Privacy Rule violations for failing to comply with HIPPA’s Right of Access. This time, Korunda Medical, a Florida-based provider, agreed to pay $85,000 to settle potential violations of the HIPAA Right of Access, adopt a corrective action plan and revise its policies and procedures to bring them into compliance with the Right of Access.

The HIPAA Right of Access Initiative has been identified as an enforcement drive to ensure HIPAA-covered entities are providing patients with copies of their medical records in a manner that comports with the law. It is also important to read state laws, which often have shorter time periods for providing medical records to patients.

As OCR Director Roger Severino stated, “[f]or too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law.”

In Korunda Medical’s case, an initial complaint was filed with OCR on March 6, 2019. Subsequently, on March 18, 2019, OCR provided technical assistance to Korunda Medical on the HIPAA Right of Access and the complaint was closed. Four days later, a second complaint was received and on May 8, 2019, OCR advised Korunda Medical that a compliance investigation had been launched. And as stated above, a monetary settlement was paid and corrective action plan was implemented.

Two issues come to mind with this most recent fine. First, why weren’t policies and procedures reviewed more closely and on an annual basis to ensure that the content was adequate? Second, how was this missed during the requisite, annual risk analysis?

As 2020 gets underway and compliance preparations are reviewed, covered entities, business associates and subcontractors should evaluate the quality of their policies and procedures, training and risk analysis. Doing so could lead to a year without worry about an enforcement action coming your way.