HIPAA Enforcement is Happening
Enforcement is in action. That’s what Bayfront Health-St. Petersburg recently learned when they agreed to pay $85,000 in penalties to the Department of Health & Human Services (HHS) Office of Civil Rights for a potential violation of the HIPAA right to access provision.
This is the first enforcement by the OCR since the announcement of their initiative earlier this year. Officials vowed to strictly enforce the right of patients to receive access to their records in a timely fashion and without being overcharged.
Earlier this year (in August), MedRxiv announced that, based on a study that they had conducted, more than 50% of providers failed to comply with this provision of HIPAA.
The penalty against Bayfront was a result of a complaint filed by a patient when she had to wait 9 months to receive fetal heart monitor records for her unborn child. The request had been filed in October of 2017.
So, what are the HIPAA guidelines for this? A patient must be given the requested records within 30 days and only charged a reasonable fee if necessary. The regulations are also applicable when parents are requesting on behalf of their minor children.
Since Bayfront did not comply with this request in a timely fashion, they are now paying for it with a monetary fine, as well as with other expenses to the business, like damage to their reputation. A corrective action plan must be created, which includes development, maintenance, and revision of policies and procedures to comply with the HIPAA rule, and they will need to assign (and possibly hire) one or more individuals who will oversee this. Employees need to be trained and then acknowledge their compliance. These policies must also be updated annually.
And all of this needs to be submitted to HHS within 60 days, with subsequent distribution to their workforce and business associates within 30 days of approval by HHS.