The 2019 HIPAA Summit recently ended and boy, was there a lot of information given out. The keynote was given by Roger Severino, the Director of the Department of Health and Human Services Office of Civil Rights (HHS OCR). OCR is the office in charge of investigating breaches of Protected Health Information and enforcing HIPAA laws. The biggest takeaway is the change in tone from OCR. No longer are they interested in aiding entities to become compliant. They are now interested in HIPAA enforcement and making examples out of non-complaint sites. The summit should serve as a wakeup call to all those that are covered by HIPAA regulations. Read on to find out about the changes.
HIPAA enforcement is now front and center
OCR has changed its random audit policy to no longer focus on compliance. They are now interested in the enforcement of HIPAA laws. What’s the difference? The majority of audits and investigations by OCR don’t end with fines. They usually end with a compliance plan known as a Corrective Action Plan (CAP) for the breached entity. The goal of these CAPs was to help the entity correct their HIPAA deficiencies and become compliant. However, in the course of their investigations, OCR has found that HIPAA isn’t being taken seriously. Many entities even ignore the initial request for information from OCR. That’s like ignoring the IRS and hoping a tax issue will just go away. It’s not going to happen. Sticking your head in the sand won’t make your HIPAA issues go away.
Now OCR is focused on HIPAA enforcement. They will use every tool at their disposal to force entities into compliance. This means making examples out of sites so that others will see and change their non-compliant ways. This doesn’t bode well for practices that don’t take their HIPAA obligations seriously.
Patient rights to access their medical records is a worry for practices
HIPAA regulations allow patients to request copies of their records. They also have a right to receive them in a reasonable time frame, in a format their choosing.
Here are the guidelines in bullet form. You may read the full guidelines issued by HHS here.
- Patients may request their records in paper or electronic format.
- Requests must be fulfilled within 30 days but this is the outer limit. Entities are encouraged to fulfill the request quickly.
- Entities may charge for the records, but it may only include the following:
- The cost of the labor of copying the records
- Supplies for creating the records (paper or USB drives, etc.)
- Postage if the records are mailed
- Preparation of a summary of the PHI, if the patient agrees beforehand
- Fees MAY NOT include costs with verifying, searching for and retrieving the PHI, maintenance of systems, costs for data access or any other cost not listed above.
What has now changed is that OCR will begin investigating patient complaints about records not being released properly. This means a patient can file a complaint directly with OCR if they were charged too much, didn’t get the records in the format they requested or were denied the records outright. This will initiate an investigation by OCR into the practice that won’t be limited to just patient records requests. It will be full scope concerning the practice’s entire HIPAA compliance. Breaches will no longer be the only event that can cause a practice to be audited and investigated. This is a massive change in how OCR operates and will likely open many more practices to audits.
This change should serve as a wakeup call to all entities that are under HIPAA regulations. The days of paying lip service are coming to an end as the government ramps up its enforcement efforts.
If you would like to watch Mr. Severino’s address, you can watch it here.