HIPAA Privacy Rule: Is Your Healthcare Organization Compliant?

Under HIPAA, healthcare organizations have many responsibilities related to how they collect, store, use, and transfer protected health information (PHI). That includes providing access to patients. The HIPAA Privacy Rule dictates that patients have the right to access their PHI by request. The PHI also must be delivered within 30 days of the request.

OCR Levies Fines Against Noncompliant Entities

While providing a patient access to their healthcare information should be simple enough, healthcare organizations have struggled with compliance. In 2019, two providers were fined by the Department of Health and Human Services Office for Civil Rights (OCR). OCR announced plans last year to begin enforcing the Privacy Rule and fining violators.

In September of 2019, the OCR reached a settlement with Bayfront Health for $85,000. This marks the first settlement for such a violation. But they aren’t the only ones. A study by medRxiv found that half of providers are not compliant with this provision of HIPAA.

The settlement comes after a patient made a request to Bayfront for records related to an unborn child. The organization did not respond within 30 days, and the patient filed a complaint with the OCR. After an investigation was launched, the patient did receive the records, albeit nine months later.

The OCR settled another case against Korunda Medical with an $85,000 fine and a plan for corrective action. A patient filed a complaint after requesting PHI be sent to a third-party. The records were finally sent to the third-party but not within the window of time required.

Supplying PHI: Streamlining the Process for Compliance

Like any data workflow in the realm of healthcare, there must be a process that considers timeliness, compliance, and security. Healthcare entities receive requests for medical records on a regular basis. They also are well versed on the need to complete these timely to remain compliant with the HIPAA Privacy Rule.

But healthcare organizations struggle with this process. The struggle could be due to many reasons, including:

• Lack of technical expertise
• No assigned employee to handle requests
• Inferior security protocols
• No policies or procedures regarding requests (or ones that aren’t enforced)
• Inability to access data quickly

No matter the size of a healthcare organization, any of these causes could be the culprit. But looking outside their own walls may be the answer to remaining compliant and fulfilling requests promptly.

Choose a Data Partner to Keep You Compliant

With custom data solutions from InfoWerks, your organization could shift the onus of the responsibility. We can create workflows that allow for the secure and fast transfer of PHI to the patient or a third-party.

The threat of noncompliance with the Privacy Rule could cost you money and your reputation. Make sure you are operating within the rules with our help. Contact us today to see how we can reduce risk and help you remain compliant.