Over the past month, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has been busy announcing new enforcement actions and settlements related to violations of the Privacy Rule implemented under the Health Insurance Portability and Accountability Act (HIPAA). OCR's latest actions are a reminder to HIPAA Covered Entities that Privacy Rule enforcement activities can come in many different types and sizes.
Most recently, OCR has shown continued interest in enforcing patients' rights under the Privacy Rule to access their medical records, in line with its HIPAA Access Rights Initiative, started in 2019. The three dental practices alleged to be in violation have each agreed to pay HHS a settlement amount and enter into a corrective action plan (CAP). Generally, when an individual requests access to protected health information (PHI), a HIPAA Covered Entity must provide that access, in whole or in part, within 30 calendar days at the latest from receipt of the individual's written request for the information, including where the Covered Entity delays access because the PHI is not readily accessible or otherwise. OCR considers 30 calendar days to be the outer boundary for responding to individual requests and encourages Covered Entities to respond to individuals as soon as possible under these access rights.
Two clinics, Family Dental Care of PC, which agreed to a $30,000 settlement with OCR, and B. Steven L. Hardy, DDS, LTD, which agreed to a $25,000 settlement, are alleged to have failed to give their patients timely access to medical records, taking 30 days or more to provide an individual with complete records. A third clinic, Great Expressions Dental Center of Georgia, PC, in addition to not providing timely access to requested medical records, is alleged to have charged individuals unreasonable or cost-based copying fees, and agreed to a settlement amount of $80,000.
Each of their respective CAPs, among other obligations, requires the entity to update its HIPAA policies and procedures to ensure that they cover individual access rights and comply with the Privacy Rule. The CAPs also require the entities to properly distribute the updated policies and procedures to their employees after approval by HHS.
Regardless of the size of the settlement, the fact that there are currently 41 total access enforcement actions speaks to OCR's dedication to ensuring entities comply with this part of the Privacy Rule. HHS's frequently asked questions about access rights under HIPAA are also a useful resource for entities seeking to enhance or update the individual right of access sections of their HIPAA policies and procedures.
Breach Settlement: Improper Disposition of PHI
OCR also reached a settlement with NEDLC over the improper disposal of PHI.
According to the violation report NEDLC filed with OCR on May 11, 2021, for approximately 10 years the clinic placed empty specimen containers with labels containing PHI in a trash can in one of the clinic's publicly accessible parking lots. The container labels included the patient's name and date of birth, the date of sample collection, and the name of the donor who collected the sample.
The Privacy Rule limits the incidental use and disclosure of PHI, including in connection with the disposal of PHI, and requires Covered Entities to implement reasonable safeguards to avoid prohibited uses and disclosures. OCR argued that NEDLC violated the Privacy Rule, including through the unauthorized disclosure of PHI to unauthorized individuals. As part of the CAP resolving the investigation, NEDLC agreed to update its HIPAA policies and procedures, including individual access rights under the Privacy Rule, properly distribute the policies and procedures to employees after approval by HHS, and pay HHS a resolution amount of $300,640.
OCR's resources include one on HIPAA and the proper disposal of PHI. This recent settlement agreement is another reminder that not all violations are the result of high-tech lapses and that proper handling, disposal, and destruction of tangible PHI continue to be a key component of an effective HIPAA compliance program.