HIPAA Enforcement Takes a Dramatic New Direction

November 14, 2019

Historically, HIPAA enforcement has focused predominantly on the failure of covered entities, including labs, to keep protected health information (PHI) private and secure; but now the scope is broadening to encompass keeping PHI too private and too secure. Last month, the HHS Office for Civil Rights (OCR), the agency that enforces HIPAA rules, broke new ground by fining a Florida hospital for failing to provide access to PHI to the individual it relates to. Here’s a look at the case and what it portends about the new direction in HIPAA enforcement.

The HIPAA Right of Access

When you hear the term “HIPAA Privacy Rule,” the first thing likely to jump into your mind is the obligation to keep PHI secure and refrain from disclosing it to third parties without appropriate authorization. But there’s another lesser known part of the (Rule 45 C.F.R. § 164.524(a)) that requires labs to give individuals access to their own PHI. Specifically, individuals have the right to see, amend and get copies of the PHI you keep about them in one or more “designated record sets.” Upon receiving a request, the lab has 30 days to provide access to the information, unless it can cite a legal ground for denying the request.  

The so-called right of access applies to all forms of PHI, including lab test results, billing information and other medical records except:

  • Psychotherapy notes; and
  • Information compiled in reasonable anticipation of, or for use in a civil, criminal or administrative action or proceeding.

There are also rules setting out the valid grounds for denying an access request, (e.g., you don’t have to let individuals amend their PHI if you determine that it’s accurate and complete) as well as the timing and format of disclosure and the fees you can charge. 

The OCR Right of Access Initiative

Over the years, right of access has generated roughly one in three of all HIPAA complaints to the OCR. However, all of the enforcement litigation and most of the Phase 2 compliance audits have targeted privacy and security breaches. 

Earlier this year, the OCR signaled a significant policy change by announcing the Right of Access Initiative promising to vigorously enforce the rights of individuals to receive copies of their medical records promptly and without being overcharged. “Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law,” noted OCR Director Roger Severino. “We aim to hold the health care industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.”

The Bayfront Hospital Settlement

Apparently, the OCR wasn’t kidding. On September 9, 2019, the OCR announced that Bayfront Health St. Petersburg, a Level II trauma and tertiary care center licensed as a 480-bed hospital with over 550 affiliated physicians, agreed to pay $85,000 and adopt a corrective action plan to settle charges for denying a mother timely access to her unborn child’s PHI, making it the first ever monetary settlement of a HIPAA right of access claim. In addition to the fine, Bayfront also had to sign a corrective action plan promising to “ develop, maintain, and revise, as necessary, its written access policies and procedures” to ensure compliance with HIPAA right of access requirements.

The case itself was fairly routine. It began in October 2017 when the mom sent Bayshore a timely written request for access for the fetal heart monitor records from her delivery. We can’t find the records, Bayfront replied. The mom then went to an attorney and filed a complaint with the OCR, which initiated an investigation. In August 2018, Bayshore finally produced the records. But the HIPAA 30-day deadline had long passed by then.

Takeaway: A New Era in HIPAA Enforcement

Denying individuals access to their PHI has always been illegal; the difference is that now it can result in fines and other penalties. The Bayfront case is only the first enforcement action under the Right of Access Initiative. Expect many more to follow in the months and years ahead. Bottom Line: We have entered a new era in HIPAA enforcement, one that makes it imperative for labs to respect patients’ rights to see, copy and amend their lab records without being overcharged for doing so.

**************

This article originally appeared in G2 Intelligence, National Intelligence Report, November 2019

ADVERTISEMENT