Today the Office for Civil Rights (OCR) at HHS announced its thirteenth settlement of an enforcement action in its HIPAA Right of Access Initiative. The Right of Access rule “generally requires HIPAA covered entities (health plans and most health care providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice.”
The OCR has treated the HIPAA Right of Access Initiative as an enforcement priority since 2019, although many “non-essential” enforcement actions have slowed or paused due to the COVID-19 pandemic. While enforcement may be slow in the near future, as the country re-opens enforcement actions will undoubtedly increase. Check out this excerpt from today’s announcement to see what could happen to non-compliant providers:
“Peter Wrobel, M.D., P.C., doing business as Elite Primary Care (“Elite”), has agreed to take corrective actions and pay $36,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.” Can you really afford to pay a fine like that as a solo practitioner during the pandemic? Imagine how fines would scale across multiple providers in a group practice. For some organizations, that may be enough to shut them down for good.
Although you probably have other issues on your mind as the pandemic continues to rage, now is a good time to remind your staff about HIPAA Right of Access. Don’t let your practice be featured in the next press release from HHS!