Privacy+Security Blog by Prof. Daniel Solove

First OCR Enforcement of HIPAA’s Right of Access

Founder of TeachPrivacy

September 16, 2019

Days after my recent blog post on the HIPAA Right of Access, the OCR released details of their first enforcement action for violation of the Right of Access.

The complaint, received in August 2018, involved a mother who waited over 9 months to receive prenatal records from Bayfront Health in St. Petersburg. She requested the records of her unborn child in October 2017 and after receiving incomplete records in March 2018, she did not receive the complete records until August 2018 (via her lawyers). It was not until after the OCR’s investigation in February 2019 that she received the complete records directly. HIPAA requires medical records to be provided within 30 days of the request.

The OCR concluded that Bayfront violated 45 C.F.R. § 164.524 by failing to provide access to PHI. Bayfront has paid $85,000 and agreed to a corrective action plan. The corrective actions include written policies and procedures around access rights, increased training and incident reporting among others.

I applaud the OCR bringing this case, but it is quite shocking that this is the first enforcement action with a fine for a violation of the right to access in HIPAA’s history. More than 15 years went by before this single action. A lot more enforcement must start happening.

The Failure of HIPAA’s Right of Access

Daniel Solove

@danielsolove

Founder of TeachPrivacy

September 8, 2019

One of the biggest sore spots in HIPAA compliance has been providing individuals with their right to access their medical records. In addition to the countless anecdotal accounts about the painful process of getting medical records, a recent study demonstrated just how far there is to go for providers to be in compliance. More than half of medical providers included in the recent medRxiv study did not meet the basic requirements in HIPAA for providing medical records. A further 20% of the providers would not provide records until requests were escalated to supervisors. Which means that more than 70% of the subjects studied would not have been in compliance had the supervisors not been involved.

HIPAA provides that “an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set.” 45 CFR §164.524

I have written on numerous occasions about patient control of their own records and reforms needed to support this right. Getting access to medical records doesn’t seem to have improved very much. Despite HIPAA’s right of access, it doesn’t seem to be taken very seriously by providers.

HIPAA Cartoon: HIPAA as an Excuse

Daniel Solove

@danielsolove

Founder of TeachPrivacy

August 11, 2019

This cartoon depicts something that happens far too often with HIPAA — HIPAA is used as an excuse not to do something (such as make disclosures or provide access to records in ways that patients request) even though HIPAA doesn’t have such a restriction. This is often done out of a lack of knowledge about HIPAA. Healthcare providers frequently have mistaken notions of HIPAA being far more restrictive than it actually is. For example, last year, I wrote a post about how numerous healthcare providers wrongly use HIPAA as an excuse to refuse to email medical records to patients. Ironically, instead of forbidding it, HIPAA actually requires that medical records be emailed to patients if patients so request.

The FTC Can Rise to the Privacy Challenge, but Not Without Help From Congress

Daniel Solove

@danielsolove

Founder of TeachPrivacy

August 11, 2019

Over at Lawfare, I have an essay co-authored by Chris Hoofnagle and Woodrow Hartzog called The FTC Can Rise to the Privacy Challenge, but Not Without Help From Congress. This piece is also posted at the Brooking Institution’s TechTank. The essay begins:

Facebook’s recent settlement with the Federal Trade Commission (FTC) has reignited debate over whether the agency is up to the task of protecting privacy. Many people, including some skeptics of the FTC’s ability to rein in Silicon Valley, lauded the settlement, or at least parts of it.

Others, however, saw the five-billion-dollar fine, oversight reforms, and compliance certification measures as a drop in the bucket compared to Facebook’s profits. Two dissenting FTC commissioners and other critics pointed out that the FTC did not change Facebook’s fundamental business model nor hold Mark Zuckerberg personally liable, despite hints that the company fell out of compliance with its original 2010 FTC consent order soon after that agreement was inked. Some privacy advocates and lawmakers even argued that the limits of the settlement are evidence that the FTC, the leading privacy regulator in the U.S. since the late 1990s, is no longer the right agency to protect our personal information from Big Tech. They support creating a new, consumer privacy-focused federal agency.

We think the FTC is still the right agency to lead the US privacy regulatory effort. In this essay, we explain the FTC’s structural and cultural strengths for this task, and then turn to reforms that could help the FTC rise to modern information privacy challenges. Fundamentally, the FTC has the structure and the legal powers necessary to enforce reasonable privacy rules. But it does need to evolve to meet the challenge of regulating modern information platforms.

You can read the rest of the essay over at Lawfare.

Cartoon on Data Breach

Daniel Solove

@danielsolove

Founder of TeachPrivacy

August 5, 2019

This cartoon is about evolution of data breaches, which began to grab headlines back in 2005, thanks in large part to California’s data breach notification law — the first of such laws. Since that time, every state has passed breach notification laws, and there are breach notification laws sprouting up around the world. Every day, we hear of more and more data breaches . . . and they are getting larger and larger.