Revenue Cycle Management
COVID-19
Reimbursement
Diabetes Awareness Month
Risk Management
Patient Retention
Staffing
Medical Economics® 100th Anniversary
Coding and documentation
Business of Endocrinology
Telehealth
Physicians Financial News
Cybersecurity
Cardiovascular Clinical Consult
Locum Tenens, brought to you by LocumLife®
Weight Management
Business of Women's Health
Practice Efficiency
Finance and Wealth
EHRs
Remote Patient Monitoring
Sponsored Webinars
Medical Technology
Billing and collections
Acute Pain Management
Exclusive Content
Value-based Care
Business of Pediatrics
Concierge Medicine 2.0 by Castle Connolly Private Health Partners
Practice Growth
Concierge Medicine
Business of Cardiology
Implementing the Topcon Ocular Telehealth Platform
Malpractice
Influenza
Sexual Health
Chronic Conditions
Technology
Legal and Policy
Money
Opinion
Vaccines
Practice Management
Patient Relations
Careers

Don’t get fined by HIPAA in 2020

February 2, 2020

Article

Failure to provide patient records can result in a HIPAA fine.

The trend continues as the Department of Health and Human Services Office for Civil Rights (OCR) has issued more enforcement actions.

Failure to provide patient records can result in a HIPAA fine. Earlier this year, I wrote an article that addressed one of 2019’s many enforcement actions – Bayfront Health’s failure to provide a pregnant woman with a complete copy of her medical record by omitting the fetal heart rate monitor records of her unborn child. As a result, the hospital agreed to pay $85,000 and implement a corrective action plan.

In December, OCR continued to focus on Privacy Rule violations for failing to comply with HIPPA’s Right of Access. This time, Korunda Medical, a Florida-based provider, agreed to pay $85,000 to settle potential violations of the HIPAA Right of Access, adopt a corrective action plan and revise its policies and procedures to bring them into compliance with the Right of Access.

The HIPAA Right of Access Initiative has been identified as an enforcement drive to ensure HIPAA-covered entities are providing patients with copies of their medical records in a manner that comports with the law. It is also important to read state laws, which often have shorter time periods for providing medical records to patients.

As OCR Director Roger Severino stated, “[f]or too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law.”

In Korunda Medical’s case, an initial complaint was filed with OCR on March 6, 2019. Subsequently, on March 18, 2019, OCR provided technical assistance to Korunda Medical on the HIPAA Right of Access and the complaint was closed. Four days later, a second complaint was received and on May 8, 2019, OCR advised Korunda Medical that a compliance investigation had been launched. And as stated above, a monetary settlement was paid and corrective action plan was implemented.

Two issues come to mind with this most recent fine. First, why weren’t policies and procedures reviewed more closely and on an annual basis to ensure that the content was adequate? Second, how was this missed during the requisite, annual risk analysis?

As 2020 gets underway and compliance preparations are reviewed, covered entities, business associates and subcontractors should evaluate the quality of their policies and procedures, training and risk analysis. Doing so could lead to a year without worry about an enforcement action coming your way.