HIPAA OCR Privacy Enforcement Overview: Right to Access Initiative and Improper Disposal of PHI | JD Supra

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has been busy over the past month announcing new enforcement actions and settlement agreements related to violations of the Privacy Rule implemented under the Health Insurance Portability and Accountability Act (HIPAA). OCR’s latest actions remind HIPAA-covered entities that privacy enforcement activity can come in all shapes and sizes.

More recently, OCR has demonstrated its continued interest in enforcing patients’ right of access to their medical records under the Privacy Rule, in keeping with the HIPAA Right of Access Initiative that it began in 2019. Three dental practices alleged to be in violation have agreed to pay resolution amounts to HHS and to enter into corrective action plans (CAPs). In general, HIPAA-covered entities must provide access to the protected health information (PHI) requested by an individual, in whole or, alternatively, in part (where the covered entity delays access for reasons such as the PHI not being readily available), no later than 30 calendar days after receiving the individual’s written request for the information. OCR considers 30 calendar days to be the outer limit for responding to requests from individuals and recommends that covered entities respond under these right of access rules as soon as possible.

Two practices – Family Dental Care, PC, which agreed to a resolution amount of $30,000 with OCR, and B. Steven L. Hardy, DDS, LTD, which agreed to a resolution amount of $25,000 – allegedly failed to provide patients with timely access to their medical records, taking more than 30 days to provide complete records to individuals. The third practice, Great Expressions Dental Center of Georgia, PC, in addition to failing to provide timely access to requested medical records, allegedly charged individuals copying fees that were not reasonable or cost-based, and agreed to a resolution amount of $80,000.

The respective CAPs all require the entities, among other obligations, to update their HIPAA policies and procedures to ensure that individual access rights are covered and compliant with the Privacy Rule. The CAPs also require the entities to properly distribute the updated policies and procedures to staff after HHS approval.

Regardless of the size of the resolution amounts, the fact that there are now 41 total right of access enforcement actions demonstrates OCR’s commitment to ensuring that entities comply with this part of the Privacy Rule (see a previous Mintz article from 2019, written after the Right of Access Initiative was launched, here). The HHS FAQ on access rights under HIPAA may also be a useful resource for entities seeking to improve or update the individual right of access sections of their HIPAA policies and procedures.

Violation Settlement: Improper PHI Disposal

OCR also reached an agreement with New England Dermatology PC, d/b/a New England Dermatology and Laser Center (NEDLC), in late August 2022 after determining that NEDLC had improperly disposed of PHI.

According to NEDLC’s breach report to OCR, filed May 11, 2021, over the course of approximately 10 years the practice had routinely placed empty specimen containers, whose labels included PHI, in a trash can in one of the practice’s parking lots that was accessible to the public. The container labels included the names and dates of birth of the patients, the dates the specimens were collected, and the names of the providers who collected them.

The Privacy Rule requires covered entities to implement and use reasonable safeguards to limit incidental and prohibited uses and disclosures of PHI, including when disposing of PHI. OCR asserted that NEDLC violated the Privacy Rule because it (i) failed to maintain appropriate safeguards to protect the privacy of PHI; and (ii) impermissibly disclosed PHI to unauthorized persons. As part of the CAP resolving the investigation, NEDLC agreed to update its HIPAA policies and procedures, including with respect to individual access rights under the Privacy Rule, to properly distribute its policies and procedures to staff members after HHS approval, and to pay HHS a resolution amount of $300,640.

OCR has a long-standing FAQ regarding HIPAA and the proper disposal of PHI. This recent settlement agreement serves as a further reminder that not all breaches are the result of high-tech attacks, and that the proper handling, disposal and destruction of tangible PHI continue to be cornerstones of effective HIPAA compliance.
