More Financial Penalties for HIPAA Right of Access Compliance Failures Expected

At the OCR/NIST HIPAA Security Conference in Washington D.C., the Director of the Department of Health and Human Services’ Office for Civil Rights provided an update on OCR’s HIPAA enforcement priorities over the coming months, outlining the key aspects of noncompliance that OCR is currently cracking down on.

One of the main areas of focus is the HIPAA Privacy Rule’s Right of Access – the right of patients to inspect or obtain a copy of their medical records within a reasonable time frame and at a reasonable cost. Egregious violations of other provisions of the HIPAA Rules are still likely to attract a financial penalty, but covered entities now face greater scrutiny over how they handle patient access requests.

OCR investigates all reports of data breaches of 500 or more records, so any entity that experiences a breach may also be scrutinized over their handling of patient requests, but these violations are most likely to be uncovered as a result of complaints filed by patients through the OCR website.

The first financial penalty for such a violation under the OCR’s HIPAA Right of Access Initiative was announced in September. A patient of Bayfront Health St Petersburg filed a complaint with OCR over an untimely response to a request for a copy of the fetal heart monitor records of her child.

The patient had made the request on October 18, 2017 but at the time of filing the complaint on August 14, 2018, a complete set of records had still not been provided. The full set of records was provided on August 23, 2018. A financial penalty of $85,000 was agreed to settle the case.

This was not the first financial penalty for a violation of the HIPAA Right of Access – In 2011, Cignet Health of Prince George’s County was issued with a civil monetary penalty of $4,300,000 for denying patients access to their medical records – and it will certainly not be the last. OCR Director Roger Severino confirmed that the Bayfront Health financial penalty was the first in a series of penalties for healthcare organizations that have failed to comply with this important provision of the HIPAA Privacy Rule.

“We’ve been doing a lot to see this [HIPAA Right of Access] problem fixed. Now it’s time for serious enforcement, especially when we are moving to a full mobile data cloud age,” said Severino at the HIPAA Security Conference.

In addition to providing copies of medical records within 30 days of receiving a request (the Privacy Rule allows one 30-day extension, provided the patient is told in writing why the delay is necessary and when the records will be supplied), covered entities were reminded that they are not permitted to deny a patient’s request to have their health data sent to a health app of the patient’s choosing, unless the app poses a security risk to the covered entity’s own systems. Concerns about how the app itself will protect the data once it has been received are not grounds for refusal: once PHI has been disclosed to an app at the patient’s request, the covered entity is not liable under HIPAA for any impermissible disclosures the app subsequently makes, so long as the app is not acting on the covered entity’s behalf. Denying a request to send health data to an app when there is no security risk to the covered entity could result in a financial penalty.

OCR issued guidance in 2016 on the amounts covered entities may charge for providing copies of medical records. Now that the allowable charges have been clarified, financial penalties for covered entities that overcharge patients can be expected.

Severino also said OCR had made a final determination on a civil monetary penalty of $2.1 million for a covered entity; however, no further details were provided on the covered entity or business associate in question nor the reason for the penalty. An announcement about the CMP can be expected shortly.

Severino also spoke about the drive to improve the transparency of healthcare costs under the HHS Regulatory Sprint to Coordinated Care initiative. OCR is looking at how HIPAA changes could help encourage greater transparency.

The increase in ransomware attacks and the ever-present threat from phishing were also touched on. Severino highlighted the most common methods cybercriminals use to gain access to healthcare networks and patient data: exploitation of exposed or vulnerable Remote Desktop Protocol (RDP) services, weak access controls, and the failure to terminate PHI access rights when employees leave the organization. He also noted that multi-factor authentication could have blocked many of the healthcare phishing attacks that led to breaches.
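Two of the access-control failures named above (accounts that stay enabled after an employee leaves, and PHI-bearing access without MFA) are the kind of drift a periodic reconciliation of the HR roster against the identity directory catches before an investigator does. The following Python is an added example written for this page, not code from the article, from OCR, or from any vendor; the roster, the account export, the field names and the group names are all constructed for illustration and are assumptions, not a real system’s schema.

```python
"""Leaver/MFA reconciliation check (illustrative, constructed data).

Compares an HR roster export with an identity-provider account export and
flags three conditions: an enabled account whose employee has been terminated,
an enabled account with no HR owner at all, and an enabled account that holds
PHI-bearing group membership without MFA enrolment.
"""
from dataclasses import dataclass
from datetime import date

# Assumed for this example: groups that grant access to systems holding PHI.
PHI_GROUPS = {"ehr-clinicians", "billing-phi", "radiology-pacs"}


@dataclass(frozen=True)
class Finding:
    account: str
    issue: str
    detail: str


# Constructed HR roster: employee id -> (status, termination date or None).
HR_ROSTER = {
    "E1001": ("active", None),
    "E1002": ("terminated", date(2019, 9, 30)),
    "E1003": ("terminated", date(2019, 10, 15)),
    "E1004": ("active", None),
}

# Constructed directory export; employee_id is None for an unowned account.
IDP_ACCOUNTS = [
    {"sam": "jdoe",       "employee_id": "E1001", "enabled": True,  "mfa": True,  "groups": {"ehr-clinicians"}},
    {"sam": "asmith",     "employee_id": "E1002", "enabled": True,  "mfa": False, "groups": {"billing-phi"}},
    {"sam": "bwong",      "employee_id": "E1003", "enabled": False, "mfa": True,  "groups": {"radiology-pacs"}},
    {"sam": "svc-backup", "employee_id": None,    "enabled": True,  "mfa": False, "groups": {"radiology-pacs"}},
    {"sam": "clee",       "employee_id": "E1004", "enabled": True,  "mfa": False, "groups": {"helpdesk"}},
]


def reconcile(roster, accounts, as_of, grace_days=0):
    """Return a list of Findings for accounts violating the checks above.

    grace_days is how long after the termination date an account may remain
    enabled before it is reported (0 means any enabled account is reported).
    """
    findings = []
    for acct in accounts:
        name = acct["sam"]
        emp = acct.get("employee_id")
        record = roster.get(emp) if emp else None

        if record is None:
            # No HR owner: service accounts and forgotten test users land here.
            if acct["enabled"]:
                findings.append(Finding(name, "orphan-account",
                    "enabled account with no matching HR record; assign an owner or disable"))
        else:
            status, term_date = record
            if status == "terminated" and acct["enabled"]:
                days = (as_of - term_date).days if term_date else None
                if days is None or days > grace_days:
                    findings.append(Finding(name, "stale-enabled",
                        f"employee {emp} terminated {term_date}; account still enabled after {days} days"))

        # PHI access without MFA is reported regardless of HR status.
        phi_groups = acct["groups"] & PHI_GROUPS
        if acct["enabled"] and phi_groups and not acct["mfa"]:
            findings.append(Finding(name, "phi-without-mfa",
                f"member of {sorted(phi_groups)} with no MFA enrolment"))
    return findings


def main():
    for f in reconcile(HR_ROSTER, IDP_ACCOUNTS, as_of=date(2019, 10, 20)):
        print(f"{f.account:<12} {f.issue:<18} {f.detail}")


if __name__ == "__main__":
    main()
```

In practice the two inputs come from an HR system export and a directory query (for Active Directory, `Get-ADUser -Filter * -Properties Enabled,MemberOf`, or the identity provider’s API), and the check runs on a schedule with findings routed to the access-review owner. The grace period is deliberately a parameter: a policy that says accounts are disabled on the last working day should run with `grace_days=0`, and any non-zero value should be a documented exception rather than a default.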

The threat from phishing can be reduced to a reasonable and acceptable level by providing employees with security awareness training, which the HIPAA Security Rule requires. Severino emphasized that training is critical and explained that it should also include phishing simulation exercises to test whether the training sessions have been effective: an entity that does not run such exercises cannot know whether its training has actually reduced susceptibility to phishing attacks.