United States: OCR Sanctions Providers Over HIPAA Access Rights And Patient Privacy, Seeks Public Input On Policy Changes

The HHS Office of Civil Rights (OCR) recently announced  the resolution of four investigations. Each led to sanctions on health care providers for violating HIPAA requirements to provide medical record access and protect health information. The OCR also asked for public comment on new potential guidance to clarify certain practices.

The enforcement actions included:

• A dentist in Pennsylvania agreed to pay a $30,000 civil monetary penalty and take corrective action after he failed to provide a patient with a copy of her medical record.
• A dental practice in North Carolina was fined $50,000 after a patient left a negative Google review under a pseudonym and the practice responded by posting a response that included the patient's full name.
• A psychiatry practice in California agreed to pay a $28,000 civil monetary penalty after it repeatedly refused to provide a patient with a copy of her medical records.
• An Alabama dental practice agreed to pay $62,500 in penalties and take corrective action after it impermissibly distributed the names and addresses of 3,657 patients to a campaign manager and third-party marketing company to help a member of the practice run for state senate.

OCR Director Lisa J. Pino stated, "Between the rising pace of breaches of unsecured protected health information and continued cyber security threats impacting the health care industry, it is critical that covered entities take their HIPAA compliance responsibilities seriously . . . OCR will continue our steadfast commitment to protect individuals' health information privacy and security through enforcement, and we will pursue civil money penalties for violations that are not addressed."

These latest settlements show that OCR continues to aggressively pursue its "Right of Access Initiative," bringing the total number of enforcement actions to 27. It is critical that providers have proper policies and procedures in place to ensure patients receive timely access to their medical records, as well as properly safeguard protected health information in accordance with the HIPAA privacy and security rules.

In other OCR news, OCR released a Request for Information (RFI) seeking public comment on:

• How covered entities and business associates are implementing "recognized security practices"
• How they anticipate adequately demonstrating that recognized security practices are in place
• Any implementation issues they would like OCR to clarify through future guidance or rule-making

OCR is also seeking input on whether individuals who have been "harmed" by a potential HIPAA violation should receive a portion of any assessed monetary penalties and potential methodologies that could be utilized. Comments to the RFI must be received by June 6. 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.