What Happened: These are the first enforcement actions under a new HHS Right of Access initiative. The initiative seeks to ensure that patients receive requested medical records promptly, at a reasonable price, and in a readily producible format of their choice, as is their right under HIPAA. In the Bayfront Health case, the St. Petersburg, Florida-based hospital failed to provide a mother with the medical records of her unborn child for more than nine months, in violation of HIPAA standard practices, which generally require a response within 30 days of a request. Korunda Medical in Naples, Florida, a primary care practice, failed to provide a patient’s medical records in the requested electronic format and charged more than the reasonably cost-based fees allowed under HIPAA. Both companies agreed to an $85,000 fine as well as to undertake a corrective action plan.
Takeaway for ASCs: The HIPAA Privacy Rule provides individuals with a legal, enforceable right to see and receive copies upon request of the information in their medical records maintained by health providers. Protecting this right has become a focus for HHS in recent years, with a number of new guidances since 2016 that clarify processes around a patient’s request for access. ASCs should be sure to review the current rules and respond to any patient requests in a timely manner to avoid a penalty. A good standard to keep in mind is providing information within 30 days, in the manner requested, with only the minimum amount of costs due to labor, supplies, or postage associated with fulfilling the request.
What Happened: An OCR investigation found that Elite Dental Associates, a privately owned dental practice in Dallas, Texas, had impermissibly disclosed PHI, including names and details of health conditions, in response to reviews on the practice’s Yelp page. Furthermore, Elite had no policies in place regarding social media interactions or any HIPAA-compliant notice of privacy practices. The eventual $10,000 settlement was a reduced amount due to the practice’s size and financial circumstances; the practice will undertake a corrective action plan that includes two years of OCR monitoring.
Takeaway for ASCs: As with any place of service, there might be patients who are less than satisfied with aspects of care at an ASC and choose to voice that opinion on public platforms. It is never proper policy, however, to discuss treatment or PHI on a public forum. As OCR Director Roger Severino noted in the settlement press release, “social media is not the place for providers to discuss a patient’s care.” If your center has a social media presence or interacts in public online spaces in any manner, there must be policies and procedures in place to ensure that specific patient PHI is never disclosed.
What Happened: In 2017, OCR received a complaint that Sentara Healthcare, a not-for-profit organization of acute care hospitals and other care centers across Virginia and North Carolina, had incorrectly mailed medical bills that contained patient PHI. Further investigation found that Sentara had mailed 577 patients’ PHI, including names, account numbers and dates of service, to the wrong addresses. In an attempt to reduce the size of its penalty, Sentara improperly reported that the breach had affected only eight individuals. The final agreement reached between OCR and Sentara included a $2.175 million settlement, a corrective action plan and two years of OCR monitoring.
Takeaway for ASCs: Breaches can occur through simple negligence and aren’t always the result of a bad actor. When a breach does occur, however, it must be reported as quickly and as accurately as possible. In this case, Sentara incorrectly believed that a disclosure must include a patient diagnosis or other medical information to qualify as a HIPAA violation. Its persistence in refusing to properly acknowledge the extent of the breach no doubt was a factor in the eventual multi-million dollar settlement.
ASCA provides several resources to help ASCs remain HIPAA compliant. The HIPAA Resources page can be found in the Federal Regulations section of ASCA’s main site. It provides background on the act itself, as well as the four key provisions: privacy, security, breach notification and enforcement. ASCA’s facility and corporate members also have free access to the HIPAA Workbook for ASCs, a comprehensive resource for designing, updating and evaluating HIPAA compliance programs.
For more information or for questions and concerns, write Alex Taira, ASCA’s regulatory policy and research manager.