HIPAA Biannual Update

Digital Debut

July to December 2021

Since ASCA’s last update in July, healthcare organizations across the country posted 331 breaches of protected health information (PHI) affecting 500 or more individuals. Consistent with previous time periods, the vast majority of the breaches—95 percent—were caused by unauthorized access or hacking. The percentage of breach investigations due to theft continues to steadily decrease, comprising only 4 percent of breaches in the last six months of 2021 compared to 21 percent in the first half of 2017.

SOURCE: ASCA

Within the US Department of Health & Human Services (HHS), the Office for Civil Rights (OCR) is the enforcement agency responsible for protecting rights related to health information privacy. This includes enforcement actions for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which delineates who can view or receive an individual’s PHI and sets standards for the security of PHI when it is stored or transmitted electronically.

ASCs can take important steps to help prevent breaches and limit their liability. They can review and update policies and procedures frequently to help prevent unauthorized access, improper disposal, loss and theft of PHI. ASCs can also visit the OCR website to review enforcement actions and consider how they can avoid the mistakes made by others.

Many recent enforcement actions have been through the HIPAA Right of Access Initiative. Since the previous update in July, OCR has announced five more settlements in its HIPAA Right of Access Initiative, bringing the total to 25 enforcement actions since 2019. The recent investigations found varying degrees of noncompliance with patients’ requests to promptly receive their medical records and resulted in corrective action plans with several years of monitoring and settlements ranging from $10,000 to $160,000.

The Practice of Robert Glaser, MD

What Happened: The failure to respond to a patient’s medical records request in 2018 snowballed when Glaser refused to cooperate with OCR’s investigation or provide any requested data. The delay caused the investigation to span several years, with the eventual settlement including a fine of $100,000.

Takeaway for ASCs: In 2019, OCR introduced a specific provision of the HIPAA Privacy Rule related to health information technology (IT) to help enforce and support an individual's right to timely access to their health records at a reasonable cost. ASCs should review their policies and training programs to ensure that all HIPAA obligations can be met when a patient requests access to their medical records. As OCR continues to announce more settlements in its HIPAA Right of Access Initiative, ASCs should keep in mind that it remains critical that patients receive timely access to their own medical information so they can take charge of their healthcare decisions promptly.

In the case of Glaser, this was the second complaint to OCR after Glaser and other members of his staff failed to provide medical records to patients when requested. Staff at all levels are required to cooperate with any OCR investigation or request for information. In this instance, the physician failed to respond to multiple methods of communication, including mailed and faxed letters and phone calls, further delaying the patient’s request for their health records.

Advanced Spine & Pain Management (ASPM)

What Happened: The practice provides management and treatment of chronic pain in several locations in Ohio. In November 2019, a patient submitted a written request to access their medical records, but the patient did not receive a copy until March of the following year. Following an OCR investigation, ASPM agreed to pay a monetary settlement of $32,150 and institute a corrective action plan that includes two years of monitoring.

Takeaway for ASCs: While the patient did ultimately receive their requested medical records, it took months longer than the time legally allowed. Under the Privacy Rule, HIPAA-regulated entities such as ASCs, barring an extension, are required to provide an individual their requested medical records within 30 days. ASCs should review and update their policies to ensure that every patient receives their requested medical records within the allotted time. In this case, the failure to do so might have impaired the patient’s ability to promptly make crucial, informed decisions about their health.

ASCA provides several resources to help ASCs remain compliant with HIPAA. The HIPAA Resources page can be found in the Federal Regulations section of ASCA’s main site. It provides background on the act itself, as well as the four key provisions: privacy, security, breach notification and enforcement. ASCA’s facility and corporate members also have free access to the HIPAA Workbook for ASCs, a comprehensive resource for designing, updating and evaluating HIPAA compliance programs.

For more information or for questions and concerns, write Alex Taira, ASCA’s regulatory policy and research manager.