Today, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced three more HIPAA Right of Access enforcement resolutions – all against dentists. And the story is largely the same: patients requested records and did not timely or properly receive those records. In one instance, the dental practice significantly overcharged for records. […]
Three dentists and a psychiatrist walk into a bar . . . and they each walk out with a five-figure tab for HIPAA compliance failures. It’s not funny, but the five-figure payment part is true and there’s a lot to be learned from their mistakes. The Department of Health and Human Services’ Office for Civil […]
Here it is! My annual summary of HIPAA enforcement action resolutions. I know you all have been eagerly awaiting its arrival. No plot twists or surprises this year – the enforcement themes are much the same as those in 2020. As I explain below, Right of Access was again the star.
Yesterday, the Department of Health and Human Services’ Office for Civil Rights announced the resolution of five more HIPAA Right of Access claims. That brings the total number of Right of Access resolutions this year to 12 (including a civil monetary penalty), edging out last year’s total of 11. As for settlement and penalty amounts, the Right of Access total for 2021 has surpassed 2020 by more than $300,000.
In my July 23, 2020 blog post, I used the familiar characters in the beloved fable The Three Little Pigs to illustrate the importance of building a secure and compliant telehealth delivery system. I explained that, despite the Office for Civil Rights’ (OCR) announcement of enforcement discretion during the public health emergency (PHE), healthcare providers should establish HIPAA-compliant telehealth delivery systems before enforcement discretion ended. Because the PHE may soon be over, that message bears repeating.
One of the most common areas of enforcement under HIPAA involves a failure to perform an accurate and thorough risk analysis. Despite the known enforcement history and growing frequency of cybersecurity incidents, lack of compliance with the risk analysis requirement is very common. I sat down with Sammy De La O of IT Direct to get his perspective on performing a risk analysis and addressing the results.
In just one week, OCR announced settlements totaling $10.6 million with three organizations for alleged systemic HIPAA Security Rule violations. In each of the three cases, the entity self-reported a hacking incident. Combined, the hacking incidents compromised the health information of more than 16 million people. While it’s not common to see three large settlements in one week, enforcement for HIPAA Security Rule non-compliance is not new and likely will continue with increasing intensity.