The complaint, received in August 2018, involved a mother who waited over 9 months to receive prenatal records from Bayfront Health in St. Petersburg. She requested the records of her unborn child in October 2017 and after receiving incomplete records in March 2018, she did not receive the complete records until August 2018 (via her lawyers). It was not until after the OCR’s investigation in February 2019 that she received the complete records directly. HIPAA requires medical records to be provided within 30 days of the request.
The OCR concluded that Bayfront violated 45 C.F.R. § 164.524 by failing to provide access to PHI. Bayfront has paid $85,000 and agreed to a corrective action plan. The corrective actions include written policies and procedures around access rights, increased training and incident reporting among others.
I applaud the OCR bringing this case, but it is quite shocking that this is the first enforcement action with a fine for a violation of the right to access in HIPAA’s history. More than 15 years went by before this single action. A lot more enforcement must start happening.
One of the biggest sore spots in HIPAA compliance has been providing individuals with their right to access their medical records. In addition to the countless anecdotal accounts about the painful process of getting medical records, a recent study demonstrated just how far there is to go for providers to be in compliance. More than half of medical providers included in the recent medRxiv study did not meet the basic requirements in HIPAA for providing medical records. A further 20% of the providers would not provide records until requests were escalated to supervisors. Which means that more than 70% of the subjects studied would not have been in compliance had the supervisors not been involved.
HIPAA provides that “an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set.” 45 CFR §164.524
This cartoon depicts something that happens far too often with HIPAA — HIPAA is used as an excuse not to do something (such as make disclosures or provide access to records in ways that patients request) even though HIPAA doesn’t have such a restriction. This is often done out of a lack of knowledge about HIPAA. Healthcare providers frequently have mistaken notions of HIPAA being far more restrictive than it actually is. For example, last year, I wrote a post about how numerous healthcare providers wrongly use HIPAA as an excuse to refuse to email medical records to patients. Ironically, instead of forbidding it, HIPAA actually requires that medical records be emailed to patients if patients so request.
The existing penalty structure under HIPAA is based on the HITECH Act of 2009, which increased HIPAA’s fines in an attempt to give teeth to HIPAA enforcement. Since HIPAA began being enforced in 2003 until the HITECH Act, fines had barely been issued despite an enormous amount of HIPAA violations. HITECH was Congress’s rebuff to this weak enforcement approach. After HITECH’s more potent penalty structure, HHS finally began issuing fines. The chart below is how HHS has been interpreting the HITECH penalty framework since the HITECH Act:
There were some ambiguities under the HITECH Act as to these penalty tiers, but HHS had long interpreted these tiers according to the above chart. But now, HHS has suddenly changed its mind and adopted a very different interpretation. Under this new interpretation, the penalty tier limits are now as follows:
Notice the new annual limits. There are severe reductions in the annual limits for nearly every category except for uncorrected willful neglect. This change yanks many of the teeth out of HIPAA enforcement.
These days, there seems to be a lot of energy around a federal comprehensive privacy law in the United States. When the US Congress started passing privacy laws in the 1970s, 80s, and 90s, it eschewed the route of passing a comprehensive privacy law, opting instead for the sectoral approach — passing a series of narrow industry-specific laws. Then, in the late 1990s and early 2000s, there was a brief debate in the US about passing a comprehensive privacy law, when a few companies suggested it. But most companies shot down the idea. They liked the sectoral approach. They were okay with being regulated by a patchwork of various federal and state privacy laws.
At the time, when discussing the issue at conferences and events, I said that this view was short-sighted. The rest of the world was starting to move toward a comprehensive privacy law. The patchwork of laws left many gaps and holes in privacy protection and had countless inconsistencies. Congress did nothing.
Congressional Paralysis and the Rise of the States
Since 2000, Congress has largely been unable to pass many privacy laws. It has largely passed amendments to existing laws, but it hasn’t passed many major pieces of sectoral privacy regulation, let alone a broader privacy law. Partisanship, as well as a lack of compromise and maturity, have rendered Congress unable to craft laws with the nuance and balance needed to address privacy and data security issues. During this time, the states have passed a blizzard of laws. Every state has passed a data breach notification law. States have passed countless privacy laws too — especially California.
A New Urge for Congress to Act
The EU’s General Data Protection Regulation (GDPR), which started being enforced in May 2018, and the passage of California’s Consumer Privacy Act (CCPA) have reignited the debate over a comprehensive federal privacy law. “It’s time,” many people are saying. Now, industry is crying out for a comprehensive federal law. In November 2018, in response to a call for comments on a federal privacy law by the NTIA, numerous companies responded by stating that they were now in favor of a federal privacy law.
But with this Congress, I think that a comprehensive privacy law is unlikely.