I have previously written about one of the easiest ways to get a civil money penalty (or a state sanction (see California)—that is, failing to give patients access to and/or a copy of their records. In 2011, Cignet Health of Prince George’s County, Maryland, incurred what was at that time the largest civil money penalty (“CMP”) for a HIPAA violation―that is, $4.3 million. $1.3 million was for failing to give 41 of its patients copies of their charts, and the remaining $3 million was for not cooperating with the investigation into those patients’ complaints to the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”). Early this year, HHS announced that one of its major enforcement efforts would be denial of access—that is, the right to inspect and copy one’s protected health information (“PHI”).
Under 45 C.F.R. § 164.524, patients have the right to access and get copies of their records, with few exceptions, such as if they have waived the right of access as a condition of participation in a clinical trial. Unless one of the limited grounds for denial applies, the covered entity must honor the request within 30 days. The rule provides for one 30-day extension if the requester is informed of the reason why it is necessary and the date the request will be fulfilled.
This month, OCR has announced the first settlement with a covered entity under the right of access enforcement initiative. Bayfront Health St. Petersburg, a 480-bed hospital in St. Petersburg, Florida, has settled for $85,000 for just one violation of the right of access.
A Bayfront patient complained that the hospital had failed to provide the fetal heart monitor records that she had requested for nine months even after repeated requests by the patient and her attorney. She had been told that the records were lost. Then months later, she received an incomplete set and then ultimately the complete set some nine months later. A suspicious plaintiff’s malpractice attorney might wonder whether this denial of access was an attempt to cover up malpractice. Having settled a case involving fetal monitoring, the author believes that such a conclusion is hardly wildly speculative.
In its press release announcing the settlement, which also included a corrective action plan (“CAP”), OCR Director Roger Severino said, “Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law. We aim to hold the health care industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.” See the press release, which includes the CAP, at https://www.hhs.gov/sites/default/files/bayfront-st-pete-ra-cap.pdf.
This area of increased enforcement is an easy one to comply with. Perhaps, if you don’t already have one, you should consider either implementing a Patient Right of Access Policy or having that topic as a part of your overall Release of Information/Disclosure Policy and ensure that you train your workforce on how to handle such requests. Remember that workforce includes not only employees but also volunteers, students, contractors, and anyone else who has access your patients’ records. As always, keep your risk analysis up to date so that you can base this new or improved policy on the results of your risk analysis and not just guessing.
Alice here: Yes, once again, I am here to try to sell things to keep you and us in business. Surely, after having read Jon’s blog items all these years, and especially today’s blog item, you recognize that you must keep your risk analysis up to date. Make sure that you include malware and ransomware in your initial risk analysis and all updates thereof. If you need help with your risk analysis, either initially or for an update, Jon Tomes has written a Risk Analysis ToolKit to provide the structure and tools to help you complete the requirement under HIPAA. You and your risk analysis team can fill it out and document your decisions as to what is reasonable and appropriate for you to adopt in the way of policies and procedures and be done with it. Or you could send your completed risk analysis to Jon to review and render his professional opinion as the country’s leading HIPAA expert (IMO) as to whether it is sufficient to keep you from getting that free trip to Leavenworth or that very expensive trip to the bank. If you have Jon’s Compliance Guide to HIPAA and the DHHS Regulations, 6th edition, with the accompanying HIPAA Documents Resources Center CD, also 6th edition, you can find the Risk Analysis ToolKit on the CD. It is also available with a review by Jon at https://www.veteranspress.com/product/hipaa-risk-analysis-toolkit. Also, Jon Tomes presented a webinar recently on “How to Do a HIPAA and HITECH Risk Analysis.” You can buy a recording of it at https://www.complianceiq.com/trainings/LiveWebinar/2255/how-to-do-a-hipaa-and-hitech-risk-analysis. Jon is also writing a Risk Analysis Update ToolKit, which will be available for you in the near future on the Premium Member section of our website. Please stay tuned for our announcement when it is up and running for you there. Also, include in your risk analysis the lack of a business associate agreement if you are considering hiring a business associate or a downstream business associate.
If you need guidance on how to draft the policies and procedures that your risk analysis or your newly updated risk analysis has shown are reasonable and appropriate for your organization, Jon has also written The Complete HIPAA Policies and Procedures Guide, with the accompanying CD of several dozen HIPAA policies and procedures templates for you to adapt to your situation. That book also contains a chapter by me on how to write in general, but more specifically on how to write a good policy.
Make sure that you train your entire workforce on HIPAA in general and on the HIPAA policies and procedures according to who needs to know what to perform their duties for you. If you need handy HIPAA training in general, consider Jon’s training video and training manual in either of two forms available here: https://www.veteranspress.com/product/basic-hipaa-training-video-dvd-workbook or https://www.veteranspress.com/product/online-hipaa-training-video-certification. Or you could hire Jon to present HIPAA training onsite to your workforce. Just contact him at jon@veteranspress.com or 816-527-3858.
Keep your written documentation of all of these HIPAA compliance efforts where you can find them easily and quickly if HHS shows up demanding your HIPAA compliance documentation. We recommend keeping all of it in Jon’s Your Happy HIPAA Book. Jon included tabs in the three-ring binder for everything that you need to document and a checklist for each tab. I recommend adding the date that you check off each item in each checklist, as one of our clients suggested to us.
If you have had a security incident that you were unsure as to what exactly to do about, or if you are concerned that you may have one, consider reading Jon’s book How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know.
A sample business associate agreement policy and a sample business associate agreement are posted in the Premium Member section of our website at www.veteranspress.com.
As always, thanks for reading Jon’s blog, buying his books and other HIPAA compliance tools, attending our seminars and webinars, and hiring Jon for HIPAA consulting and training. We wish you every success with your HIPAA compliance efforts.