
5 lessons learned from 5 HIPAA fines in one day

By Danika Brinda

The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) set a new record on Sept. 15, 2020: five HIPAA fines with Corrective Action Plans in one day. The fines and corrective action plans shared one main theme: not supplying patients with a copy of their requested medical records in a timely fashion. Also notable is that these were not the large, multi-million dollar fines that follow data breaches. These fines ranged from $3,500 to $70,000, and every one of them began with a patient complaint to the federal government, which, upon investigation, led to findings of noncompliance with HIPAA and with the patients' rights it defines.

5 lessons learned:

  1. Patients have a right to file a complaint – The common theme of these HIPAA fines is that they were based on patient complaints to the Department of Health and Human Services. Once the complaints were received, the OCR opened investigations and found noncompliance with HIPAA's Patient Right of Access requirement.
  2. Missing the timelines – The HIPAA patient access requirement is very clear: an organization has 30 days from the day it receives a request to respond and provide the requested records, without undue delay. The organizations that received HIPAA fines did not respond within the defined timeframe.
  3. Incorrect reasons for denial – Under the HIPAA Patient Right of Access, a healthcare organization can deny a request for records, but only for very specific reasons and under specific guidance. In addition, the denial must be provided to the patient in writing, with information on how to appeal the denial. A clear process for this sets the organization up for success if and when it denies access.
  4. No formal process – During the investigations, none of the organizations were found to have current, documented policies and procedures for responding to a patient's request for a copy of his or her medical records. Healthcare organizations need a written policy and procedure that defines how a request is received and how it is responded to.
  5. Lack of employee education – Lack of employee education was a finding in all 5 of the HIPAA fine scenarios. For organizations to be successful, employees need to know and understand the requirements and the process. Training is not a one-time event; it needs to be incorporated into an annual training plan for all workforce members.

Healthcare organizations of all sizes and specialties need to take swift steps to establish a robust process for receiving and responding to patient access requests, in support of patients' rights under HIPAA. If your organization doesn't have a documented policy and procedure, hasn't educated your workforce on the patient access requirements and your policy, or hasn't audited whether you are meeting the expected timeframes, now is the time to act.
