Saturday, May 18, 2024

The Latest HIPAA Enforcement News From HHS OCR | Arnall Golden Gregory LLP


In recent weeks, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) has announced 12 resolution agreements settling alleged violations of the HIPAA rules. Covered entities and business associates should pay attention to these resolutions; they point to OCR enforcement priorities and can provide guideposts for covered entities and their business associates to identify areas of focus for their compliance initiatives.

HIPAA Right of Access

On July 15, 2022, OCR announced the resolution of 11 investigations in its HIPAA Right of Access Initiative. OCR has announced 38 Right of Access enforcement actions since the initiative began three years ago in an effort to support individuals’ right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule.


In these most recent enforcement actions, the penalties ranged from $3,500 for a psychiatry practice’s failure to provide timely access to a patient’s medical record upon request, to $240,000 for a health system’s failure to provide a patient timely access to a copy of her itemized billing records for 564 days after the patient made 5 separate requests. Most of the enforcement actions involved situations where a healthcare provider failed to provide access to requested documents until several months after the request was received (HIPAA requires that access be given no later than 30 days after receipt of the request, with limited exceptions). While each resolution agreement offers insight into OCR’s enforcement priorities, several of the recent settlements highlighted notable points:

  • The enforcement action against Danbury Psychiatric Consultants involved withholding a patient’s access request on the basis that the patient had an outstanding balance and required an authorization request; OCR has previously issued guidance against refusal on such grounds or requiring an authorization to exercise an individual access request.
  • The enforcement action against Erie County Medical Center Corporation involved a failure to provide a full copy of the medical records requested, reiterating the need to respond fully to access requests and to coordinate with patients and their authorized representatives if the request cannot be filled.
  • The enforcement action against Fallbrook Family Health Center involved an employee who misunderstood the right of access required by HIPAA and failed to provide timely access. As with many of the Right of Access enforcement initiatives, this again highlights the importance of training for those employees responsible for responding to access requests.
  • The enforcement action against MelroseWakefield Healthcare involved a provider who mistakenly concluded that the durable power of attorney used by the requestor to request her mother’s records did not allow for the provision of medical records. This resolution agreement reminds providers that right of access decisions under HIPAA must be made in concert with an understanding of state law, which may require the review and advice of qualified counsel.

Breach Settlement With Oklahoma State University

On July 14, 2022, OCR announced that Oklahoma State University – Center for Health Sciences (“OSU-CHS”) has paid $875,000 in civil penalties and agreed to a corrective action plan to settle potential HIPAA violations arising from a data breach. According to the resolution agreement, in 2017 an unauthorized third party gained access to a web server that contained ePHI and installed malware that resulted in the disclosure of the ePHI of 279,865 individuals — including their names, Medicaid numbers, healthcare provider names, dates of service, dates of birth, addresses, and treatment information. Through the investigation of the 2017 incident, OSU-CHS discovered that some of its workforce members stored folders on the web server that contained PHI. This discovery led OSU-CHS to re-evaluate — and report as a breach — a prior 2016 incident involving access to the same server. At the time of the 2016 incident, OSU-CHS reported that it was not aware that there was electronic PHI stored on that server.

OCR’s investigation found numerous HIPAA violations, including impermissible uses and disclosures of PHI, failure to conduct an accurate and thorough risk analysis, failure to perform an evaluation, failure to implement audit controls, failure to implement security incident response and reporting, and failure to provide timely breach notification to affected individuals and HHS. This resolution agreement not only underscores OCR’s continued emphasis on conducting accurate and thorough risk analyses, but also the related issues of monitoring and training to ensure that a covered entity is aware of all the locations where PHI is stored on its systems and that its workforce understands the protocols to ensure that PHI remains adequately protected.


Conclusion

Together, the recent enforcement actions highlight the importance OCR places on protecting both the rights of individuals under the HIPAA rules and the privacy and security of the PHI itself. Clear policies, routine training, and internal auditing are all elements of a functioning HIPAA compliance program. Covered entities and their business associates should review their own approaches to patient access and data security to identify any gaps that may exist in their organizations. To the extent such gaps are identified, organizations should take corrective actions and implement mitigation measures.



story by The Texas Tribune Source link