The Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) has been busy over the past month announcing new enforcement actions and settlement agreements related to violations of the privacy rule applicable under the Health Insurance Portability and Accountability Act (HIPAA). The latest OCR actions serve as a reminder to HIPAA-covered entities that privacy rule enforcement activity can come in a variety of types and sizes.
Recently, OCR has shown its continued interest in enforcing the Privacy Rule's right of patients to access their medical records under HIPAA through its Right of Access Initiative, which began in 2019. Three dental practices alleged to have violated the rule have agreed to make resolution payments to HHS and to enter into corrective action plans (CAPs). In general, HIPAA-covered entities must provide access to PHI requested by an individual, either in whole or, alternatively, in part if the covered entity delays access for reasons such as the PHI not being readily accessible, no later than 30 calendar days after receiving the individual's written request for the information. OCR considers 30 calendar days to be the outer limit for responding to individual requests and recommends that covered entities respond to individuals under these access rules as soon as possible.
Two practices, Family Dental Care, PC, which agreed to a $30,000 resolution with OCR, and B. Steven L. Hardy, DDS, LTD, which agreed to a $25,000 resolution, allegedly failed to provide patients timely access to their medical records by taking more than 30 days to provide complete records to individuals. The third practice, Great Expressions Dental Center of Georgia, PC, in addition to not providing timely access to requested medical records, allegedly charged individuals transcription fees that were not reasonable or cost-based, and agreed to a resolution amount of $80,000.
All of the relevant CAPs require the entities, among other obligations, to update their HIPAA policies and procedures to ensure that individual access rights are covered and compliant with the Privacy Rule. The CAPs also oblige the entities to ensure that the updated policies and procedures are properly distributed to members of the workforce after HHS approval.
Regardless of the size of the resolution amounts, the fact that there are now 41 total right of access enforcement actions speaks to OCR's dedication to ensuring that entities comply with this part of the Privacy Rule (see Mintz's previous post from 2019, published after the access initiative was launched, here). HHS's questions and answers about the right of access under HIPAA can also be a useful resource for entities looking to enhance or update the individual right of access sections of their HIPAA policies and procedures.
Settling the breach: Improper disposal of PHI
OCR also reached a settlement with New England Dermatology PC, d/b/a New England Dermatology and Laser Center (NEDLC), in late August 2022 after determining that NEDLC had improperly disposed of PHI.
According to the breach report NEDLC filed with OCR on May 11, 2021, over the course of about 10 years the practice had routinely placed empty specimen containers whose labels included protected health information in a garbage bin in a publicly accessible parking lot. The container labels included patients' names, dates of birth, dates of specimen collection, and the names of the providers who collected the specimens.
The Privacy Rule requires that covered entities implement and use reasonable safeguards to limit incidental uses and disclosures of PHI that would otherwise be prohibited, including in connection with the disposal of PHI. OCR asserted that NEDLC violated the Privacy Rule because (i) it did not maintain appropriate safeguards to protect the privacy of protected health information; and (ii) it impermissibly disclosed PHI to unauthorized individuals. As part of the resolution of the investigation, which included a CAP, NEDLC agreed to update its HIPAA policies and procedures, including those covering individual rights of access under the Privacy Rule, to ensure that it properly distributes its policies and procedures to members of its workforce after HHS approval, and to pay HHS a resolution amount of $300,640.
OCR maintains longstanding FAQs on HIPAA and the proper disposal of PHI. This latest settlement agreement is a further reminder that not all violations result from high-tech vulnerabilities, and that the proper handling, disposal, and destruction of physical PHI remain essential components of an effective HIPAA compliance program.