HIPAA Privacy Rule: Is Your Healthcare Organization Compliant?
January 2nd, 2020
The OCR is enforcing the HIPAA Privacy Rule, and violators have been penalized. Learn why partnering with a data expert can keep you compliant.
Under HIPAA, healthcare organizations have many responsibilities related to how they collect, store, use, and transfer protected health information (PHI). That includes providing access to patients. The HIPAA Privacy Rule dictates that patients have the right to access their PHI by request. The PHI also must be delivered within 30 days of the request.
OCR Levies Fines Against Noncompliant Entities
While providing a patient access to their healthcare information should be simple enough, healthcare organizations have struggled with compliance. In 2019, two providers were fined by the Department of Health and Human Services Office for Civil Rights (OCR). OCR announced plans last year to begin enforcing the Privacy Rule and fining violators.
In September 2019, the OCR reached an $85,000 settlement with Bayfront Health. This marks the first settlement for such a violation. But they aren’t the only ones. A study posted on medRxiv found that half of providers are not compliant with this provision of HIPAA.
The settlement comes after a patient made a request to Bayfront for records related to an unborn child. The organization did not respond within 30 days, and the patient filed a complaint with the OCR. After an investigation was launched, the patient did receive the records, albeit nine months later.
The OCR settled another case against Korunda Medical with an $85,000 fine and a corrective action plan. A patient filed a complaint after requesting that PHI be sent to a third party. The records were eventually sent to the third party, but not within the required window of time.
Supplying PHI: Streamlining the Process for Compliance
Like any data workflow in healthcare, the process must account for timeliness, compliance, and security. Healthcare entities receive requests for medical records on a regular basis, and they are well aware that these must be fulfilled promptly to remain compliant with the HIPAA Privacy Rule.
But healthcare organizations struggle with this process. The struggle could be due to many reasons, including:
- Lack of technical expertise
- No assigned employee to handle requests
- Inferior security protocols
- No policies or procedures regarding requests (or ones that aren’t enforced)
- Inability to access data quickly
No matter the size of a healthcare organization, any of these causes could be the culprit. But looking outside their own walls may be the answer to remaining compliant and fulfilling requests promptly.
Choose a Data Partner to Keep You Compliant
With custom data solutions from InfoWerks, your organization can shift the burden of this responsibility. We can create workflows that allow for the secure and fast transfer of PHI to the patient or a third party.
The threat of noncompliance with the Privacy Rule could cost you money and your reputation. Make sure you are operating within the rules with our help. Contact us today to see how we can reduce risk and help you remain compliant.