Tips for staying off the HIPAA naughty list

Understanding how to avoid an enforcement action under the Right of Access Initiative, and how to mitigate cyberattacks using HHS’s new cybersecurity resource website.

Just in time for the holiday season, the HHS Office for Civil Rights (“OCR”) has announced five separate resolutions as part of its HIPAA Right of Access Initiative. This initiative focuses on providers and health plans that fail to give individuals the ability to view and receive copies of their protected health information (“PHI”) within 30 days, unless an extension applies. Importantly, the 30-day timeframe applies under federal HIPAA; states may impose shorter timeframes for providing patients with their medical records. Here’s a recap of the five resolutions:

  1. Advanced Spine & Pain Management (Ohio) – paid OCR $32,150 and agreed to take corrective actions that include two years of monitoring;
  2. Denver Retina Center (Colorado) – paid OCR $30,000 and agreed to take corrective actions that include one year of monitoring;
  3. Robert Glaser, MD (New York) – OCR issued a civil monetary penalty of $100,000 after Dr. Glaser failed to cooperate with OCR’s investigation and waived his right to a hearing;
  4. Rainrock Treatment Center, LLC (Oregon) – paid OCR $160,000 and agreed to take corrective actions that include one year of monitoring; and
  5. Wake Health Medical Group (North Carolina) – paid OCR $10,000 and agreed to take corrective actions.

To stay on OCR’s “nice list,” providers should have adequate policies and procedures that staff are trained on, log the date each access request is received, and comply with both state and federal timeframes. If an extension is needed, notify the patient or their representative.

The 405(d) program was established under the Cybersecurity Act of 2015. On December 1st, HHS delivered a holiday gift: a new website for the 405(d) Aligning Health Care Industry Security Approaches Program, which offers healthcare providers and public health officials cybersecurity and patient safety resources, as well as best practices. As the program puts it, “Absence of Cybersecurity is a(n) Enterprise Risk, Patient Risk, Organization Risk, [and] Provider Risk.” Under its motto “Cyber Safety is Patient Safety,” the 405(d) program provides a variety of resources, including cybersecurity posters, infographics, and a bi-monthly newsletter.

In sum, to avoid the ransomware Grinch, remain vigilant: ransomware criminals are ramping up their activity.