The complaint, received in August 2018, involved a mother who waited over 9 months to receive prenatal records from Bayfront Health in St. Petersburg. She requested the records of her unborn child in October 2017 and after receiving incomplete records in March 2018, she did not receive the complete records until August 2018 (via her lawyers). It was not until after the OCR’s investigation in February 2019 that she received the complete records directly. HIPAA requires medical records to be provided within 30 days of the request.
The OCR concluded that Bayfront violated 45 C.F.R. § 164.524 by failing to provide access to PHI. Bayfront has paid $85,000 and agreed to a corrective action plan. The corrective actions include written policies and procedures around access rights, increased training, and incident reporting, among others.
I applaud the OCR bringing this case, but it is quite shocking that this is the first enforcement action with a fine for a violation of the right to access in HIPAA’s history. More than 15 years went by before this single action. A lot more enforcement must start happening.
One of the biggest sore spots in HIPAA compliance has been providing individuals with their right to access their medical records. In addition to the countless anecdotal accounts about the painful process of getting medical records, a recent study demonstrated just how far providers have to go to be in compliance. More than half of medical providers included in the recent medRxiv study did not meet the basic requirements in HIPAA for providing medical records. A further 20% of the providers would not provide records until requests were escalated to supervisors. This means that more than 70% of the subjects studied would not have been in compliance had the supervisors not been involved.
HIPAA provides that “an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set.” 45 CFR §164.524
Last year was a record-setting year for HIPAA enforcement. On HHS’s website, OCR has touted its 2018 enforcement:
“OCR has concluded an all-time record year in HIPAA enforcement activity. In 2018, OCR settled 10 cases and secured one judgment, together totaling $28.7 million. This total surpassed the previous record of $23.5 million from 2016 by 22 percent. In addition, OCR also achieved the single largest individual HIPAA settlement in history of $16 million with Anthem, Inc., representing a nearly three-fold increase over the previous record settlement of $5.5 million in 2016.”
Pagosa Springs Medical Center (PSMC) has agreed to pay $111,400 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for an alleged violation of HIPAA. OCR found that the company failed to deactivate a former employee’s access to a web-based calendar that contained the protected health information (PHI) of 557 patients. The company also failed to obtain a business associate agreement (BAA) with the calendar company (Google).
Advanced Care Hospitalists PL (ACH) has agreed to pay $500,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for an alleged violation of HIPAA. OCR found that the company shared protected health information (PHI) with an unknown vendor without a business associate agreement (BAA). According to the Resolution Agreement, “ACH impermissibly disclosed the PHI of 9,255 of its patients to a third party for billing processing services without the protections of a business associate agreement in place.” The PHI later turned up on the vendor’s website.
This was clearly an unforced error in compliance — and an expensive one! So easy to avoid too! Providing PHI to a vendor without a business associate agreement is like going to work without your clothes on. Vendor management is incredibly important, and organizations that fail to have proper agreements with their vendors that receive personal data are often punished severely by many privacy laws beyond HIPAA. The GDPR requires vendor agreements, and the FTC has found that companies engage in an unfair practice under the FTC Act Section 5 when they lack an adequate vendor agreement.
The main lesson from most privacy enforcement cases, whether HIPAA or otherwise: Do the basics! So many cases involve failing to do obvious things. There’s not much muddy ground in the land of enforcement.
The press release can be viewed here. The Resolution Agreement can be viewed here.