A study released last month in Jama Open Network entitled Assessment of US Hospital Compliance With Regulations for Patients’ Requests for Medical Records demonstrates that compliance with HIPAA’s right to access medical records remains woeful. In the second half of 2017, researchers contacted 83 US hospitals and conducted a simulated patient experience to ask for medical records. Among the hospitals, the researchers found that “there was discordance between information provided on authorization forms and that obtained from the simulated patient telephone calls in terms of requestable information, formats of release, and costs.” On forms, “only 53% provided patients the option to acquire the entire medical record.” The study concluded that “Requesting medical records remains a complicated and burdensome process for patients despite policy efforts and regulation to make medical records more readily available to patients. Our results revealed inconsistencies in information provided by medical records authorization forms and by medical records departments in select US hospitals, as well as potentially unaffordable costs and processing times that were not compliant with federal regulations.”
I addressed this topic in a blog post about 2 years ago. At that time, I said:
HIPAA doesn’t handle patient access to medical records very well. There are many misunderstandings about patient access under HIPAA that make it quite difficult for patients to obtain their medical information quickly and conveniently. Getting records is currently like a scavenger hunt. Patients have to call and call again, wait seemingly forever to get records, and receive them via ancient means like mail and fax. I often scratch my head at why fax is still used today — it’s one step more advanced than carrier pigeon. Many covered entities do not send records by email, and getting electronic copies can be quite difficult. Many healthcare providers still maintain paper records in handwriting, and healthcare lags far behind most other industries in the extent to which it has moved to digital records.
Sadly, as this study confirms, little has changed.
Have you ever asked your healthcare provider to send you medical records by email? Most likely, you’ve received the reply: “We can’t do that. We can only fax them to you or provide you with a paper copy.” This answer is wrong.
HIPAA’s right for individuals to access their health information, 45 CFR § 164.524, provides:
The covered entity must provide the individual with access to the protected health information in the form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable hard copy form or such other form and format as agreed to by the covered entity and the individual.
Recently, I created two new HIPAA training resources.
I created a 1-page visual summary of HIPAA, which I call the HIPAA Whiteboard. The idea was to summarize HIPAA in a concise and visually-engaging way. You can download a PDF handout version here. We’ve been licensing it to many organizations for training and awareness purposes.
HIPAA Interactive Whiteboard
I subsequently created a new training module — an interactive version of the HIPAA Whiteboard — the HIPAA Interactive Whiteboard. When people click on each topic, the program provides brief narrated background information, presented in a very understandable and memorable way. Trainees can learn at their own pace. This program is designed to be very short — it is about 5 minutes long.
It can readily be used on internal websites to raise awareness and teach basic information about HIPAA. It can also be used in learning management systems.
At the end of 2017, the OCR logged just under $20 million in fines for HIPAA violations from 10 enforcement actions with monetary penalties. In 2016, the total in penalties was roughly the same amount but from 15 organizations.
Here is an overview of the resolution agreements and enforcement actions with civil monetary penalties from 2017:
Lessons from 2017
Devices, devices, devices . . .
Quite a number of cases involved failure to implement safeguards for PHI on mobile devices. The best fix is to superglue devices to staff. Short of doing that, organizations should recognize that mobile devices frequently get lost or stolen, so there should be heightened security controls when PHI is accessible on these devices.
Several cases involved failing to provide timely notice or to act promptly after problems were discovered. In politics, it’s often not the scandal, but the coverup that fells politicians. In the world of HIPAA, it’s often not the incident, but the response that leads to organizations being penalized.
As ransomware escalates and poses serious security risks for healthcare institutions, many privacy experts and legislators have called for more specific guidance from the U.S. Department of Health and Human Services (HHS).
A few weeks ago, HHS responded to these calls with a detailed fact sheet to explain ransomware and provide advice. Although most of the document outlines what should be obvious for an organization that already has a solid data security plan (including reliable back-ups, workforce training, and contingency plans), the major headline is HHS’s verdict on whether or not a ransomware attack qualifies as a data breach under HIPAA.
Recently, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued its first resolution agreement and monetary penalty against a business associate (BA).
By Daniel J. Solove
ProPublica has been running a series of lengthy articles about HHS Office for Civil Rights (OCR) enforcement that are worth reading.
A Sustained and Vigorous Critique of OCR HIPAA Enforcement
A ProPublica article from early in 2015 noted that HIPAA fines were quite rare. The article noted that from 2009 through 2014, more than 1,140 large data breaches were reported to OCR, affecting 41 million people. Another 120,000 HIPAA violations were reported affecting fewer than 500 people. “Yet, over that time span,” the article notes, “the Office for Civil Rights has fined health care organizations just 22 times. . . . By comparison, the California Department of Public Health . . . imposed 22 penalties last year alone.”
I’ve been going through my blog posts from 2015 to find the ones I most want to highlight. Here are some selected posts about health privacy and security:
by Daniel J. Solove
Recently, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) publicized its resolution agreement in its HIPAA enforcement action against St. Elizabeth’s Medical Center (SEMC). SEMC agreed to pay $218,000.
The case began with a complaint filed with OCR back in 2012 that employees were sharing PHI of nearly 500 patients via an online sharing application without a risk analysis on such activities being undertaken. OCR investigation found that the medical center “failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident and document the security incident and its outcome.”
by Daniel J. Solove
I recently created a new resource page for the TeachPrivacy website: HIPAA Training Requirements: FAQ.