Yesterday, the Department of Health and Human Services’ Office for Civil Rights announced the resolution of five more HIPAA Right of Access claims. That brings the total number of Right of Access resolutions this year to 12 (including a civil monetary penalty), edging out last year’s total of 11. As for settlement and penalty amounts, the Right of Access total for 2021 has surpassed 2020 by more than $300,000.
Tag Archives: HIPAA
In my July 23, 2020 blog post, I used the familiar characters in the beloved fable The Three Little Pigs to illustrate the importance of building a secure and compliant telehealth delivery system. I explained that, despite the Office for Civil Rights’ (OCR) announcement of enforcement discretion during the public health emergency (PHE), healthcare providers should establish HIPAA-compliant telehealth delivery systems before enforcement discretion ended. Because the PHE may soon be over, that message bears repeating.
(2 min read) 3:35 AM. Alarm blaring. Disoriented, I pop out of bed, reach for my glasses and ask, “what is that?” “It’s the security alarm” my spouse replies. For a moment, I was relieved because I feared it was the fire alarm. For a split second, fire seemed like a better option than an intruder. After briefly playing out the intruder scenario in my head, the fear returned.
On October 1, 2021, major changes to Connecticut’s electronic data breach statute take effect. Those changes will affect health care providers’ reporting obligations for HIPAA breaches involving electronic information (e.g., a misdirected email or fax). This is because the definition of personal information in the state data breach statute will include “medical information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional” as well as health insurance policy or identification numbers. As a result, more HIPAA breaches will also trigger state data breach law reporting.
OCR continues with vigorous enforcement of HIPAA’s Right of Access rules in 2021. In the first three months of the year, OCR announced five Right of Access settlements. The story is nearly identical in each – a patient requests records and a provider fails to timely provide access. Compliance with the Right of Access rules is relatively simple and one of the best ways to avoid unwanted attention from OCR.
Despite the pandemic, HIPAA enforcement was hot in 2020. There were nearly twice as many enforcement action resolutions last year than in each of the previous three years. The DHHS’ Office for Civil Rights (OCR), which enforces HIPAA, announced a total of 19 resolutions in 2020. The 2020 resolutions offer different lessons from previous enforcement years, as the most common issue for enforcement in 2020 is relatively new: the Right of Access under the HIPAA Privacy Rule.
Written in collaboration with Erin MacLean, JD, CHC, CHPC. Over the past several weeks, many have been focused on the proposed changes to the HIPAA Privacy Rule announced in mid-December. While the proposed changes warrant attention and comment, the commentary to those proposed changes from the Department of Health and Human Services’ Office for Civil Rights (OCR) must not be overlooked. In its commentary, OCR provides valuable insights on its interpretation of a provider’s ability to disclose information to third parties under HIPAA’s current treatment exception, including a provider’s ability to share protected health information (PHI) with non-healthcare providers without an authorization.
OCR announced its first HIPAA enforcement resolution of 2021. Picking up where it left off in 2020, this settlement involves Right of Access claims and results in a large non-profit health system with several affiliated covered entities agreeing to pay $200,000 to settle claims related to two of its affiliated entities.
Two years after issuing a request for information seeking feedback on possible changes to HIPAA and smack dab in the middle of a global pandemic, the Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR) announced major proposed changes to the HIPAA Privacy Rule. The proposed changes focus on coordination of care and significant revisions to the patient right of access provisions, including shortening the timeframe to respond to patient requests for records to 15 days and permitting patients to take photos or videos of their PHI.
On November 19, 2020, the Office for Civil Rights (OCR) announced its 10th HIPAA Right of Access settlement of the year. OCR publicized its first five Right of Access settlements this year just over two months ago. It added two more in October and then three in November. And with a full month left in 2020, there may be more to come.