The OCR Wraps Up Its 2020 Patient Access Enforcement Initiative

In 2019, the U.S. Department of Human and Health Services (HHS) and its enforcement arm, the Office for Civil Rights (OCR), announced an enforcement initiative on adherence to the HIPAA Privacy Rule provision that gives patients the right to obtain copies of their medical records. The Rule states that healthcare providers must provide patients their medical records within a thirty-day period unless the records are in offsite storage. If that is the case, the healthcare provider must notify the patient of the delay.

The OCR had determined that many healthcare providers were not fully complying with this important Privacy Rule and launched a yearlong campaign under its HIPAA Right of Access enforcement. The HIPAA Right of Access standard – 45 C.F.R. § 164.524(a) – gives patients the right to access, inspect, and obtain a copy of their own protected health information in a designated record set.

As of this writing, OCR has announced its 18th HIPAA financial penalty with a 12th fine pertaining to this initiative.

The total amount of the fines is reported to be over $500,000 with a minimum of a two-year Correction Action Plan (CAP) for each investigated organization found to be noncompliant.

Enforcement actions bring not only a one-time financial penalty but also a Correction Action Plan that creates enormous administrative costs. Many times, this cost is much greater than the penalty for an organization's non-compliance.

A typical CAP may include:

1. Development, maintenance, and revision as necessary of the organization's written policies and procedures to comply with the Federal standards that govern the privacy of individually identifiable health information (45 C.F.R. Part 160 and Subparts A and E of Part 164, the “Privacy Rule”).

2. The organization shall provide such policies and procedures to HHS within sixty (60) days of the CAP’s Effective Date for review and approval. Upon receiving any recommended changes to such policies and procedures from HHS, the organization shall have thirty (30) days to revise such policies and procedures accordingly and provide the revised policies and procedures to HHS for review and approval.

3. The organization shall implement such policies and procedures within thirty (30) days of receipt of HHS’s approval, with training for all members of the workforce and relevant business associates within sixty (60) days of HHS approval. The organization shall provide to HHS proof of such distribution.

4. The organization shall assess, update, and revise, as necessary, the policies and procedures at least annually or as needed. The organization shall provide such revised policies and procedures to HHS for review and approval.

5. Once approved, the organization will distribute the revised policies and procedures to all workforce members and relevant business associates within thirty (30) days of the effective date of any approved substantive revisions and shall provide the required new compliance certifications of completion.

6. Within 30 days of the Effective Date and one year following the Effective Date, the organization shall provide HHS with the following: (a) the names of all business associates and/or vendors that receive, provide, bill for, or deny access to copies or inspection of records, and (b) copies of the business associate agreements that the organization maintains with such business associates and/or vendors.

7. The organization shall promptly investigate upon receiving information that (a) a workforce member may have failed to comply with such policies and procedures, or (b) a business associate may have failed to comply with the provision of access requirements in its business associate agreement. The organization shall report such event(s) to HHS in writing within thirty (30) days. Such violations shall be known as “Reportable Events.”

8. The organization shall provide an Implementation Report and Annual Reports within one hundred twenty (120) calendar days after the receipt of HHS’ approval of the policies and procedures with an attestation signed by an officer of the organization.

As you can see, this list is expansive, yet it provides only a small example of possible requirements. The financial obligation goes much further than the one-time financial penalty imposed by OCR in a Correction Action Plan.

No matter the size of the organization, the requirements of a CAP can be financially devastating. One note: bankruptcy does not discharge any fine or penalty payable to a governmental unit.

Dsyfer provides a Learning Module System of automated, tracked workforce training, up-to-date HIPAA compliance policies, and assessments, along with customized policy packs for any organization, no matter its size.

Call a Dsyfer client service member at 480.779.4653 or email for more information.
