HIPAA Compliance News

OCR Highlights the Importance of Creating and Maintaining a Comprehensive IT Asset Inventory

Posted by HIPAA Journal

The risk analysis is one of the most important requirements of the HIPAA Security Rule, yet it is one of the most common areas of noncompliance discovered during Office for Civil Rights data breach investigations, compliance reviews, and audits. While there have been examples of HIPAA-covered entities ignoring this requirement entirely, in many cases noncompliance is due to the failure to perform a comprehensive risk analysis across the entire organization.

In order to perform a comprehensive risk analysis to identity all threats to the confidentiality, integrity, and availability of electronic protected health information (ePHI), you must first know how ePHI arrives in your organization, where it flows, where all ePHI is stored, and the systems that can be used to access that information. One of the common reasons for a risk analysis compliance failure, is not knowing where all ePHI is located in the organization.

In its Summer 2020 Cybersecurity Newsletter, OCR highlighted the importance of maintaining a comprehensive IT asset inventory and explains how it can assist with the risk analysis process. An IT asset inventory is a detailed list of all IT assets in an organization, which should include a description of each asset, serial numbers, names, and other information that can be used to identify the asset, version (operating system/application), its location, and the person to whom the asset has been assigned and who is responsible for maintaining it.

“Although the Security Rule does not require it, creating and maintaining an up-to-date, information technology (IT) asset inventory could be a useful tool in assisting in the development of a comprehensive, enterprise-wide risk analysis, to help organizations understand all of the places that ePHI may be stored within their environment, and improve their HIPAA Security Rule compliance,” explained OCR in the newsletter.

An IT asset inventory should not only include physical hardware such as mobile devices, servers, peripherals, workstations, removable media, firewalls, and routers. It is also important to list software assets and applications that run on an organization’s hardware, such as anti-malware tools, operating systems, databases, email, administrative and financial records systems, and electronic medical/health record systems.

IT solutions such as backup software, virtual machine managers/hypervisors, and other administrative tools should also be included, as should data assets that include ePHI that an organization creates, receives, maintains, or transmits on its network, electronic devices, and media.

“Understanding one’s environment – particularly how ePHI is created and enters an organization, how ePHI flows through an organization, and how ePHI leaves an organization – is crucial to understanding the risks ePHI is exposed to throughout one’s organization.”

For smaller healthcare organizations, an IT asset inventory can be created and maintained manually, but for larger, more complex organizations, dedicated IT Asset Management (ITAM) solutions are more appropriate. These solutions include automated discovery and update processes for asset and inventory management and will help to ensure that no assets are missed.

When creating an IT asset inventory to aid the risk analysis, it is useful to include assets that are not used to create, receive, process, or transmit ePHI, but may be used to gain access to ePHI or to networks or devices that store ePHI.  IoT devices may not store or be used to access ePHI, but they could be used to gain access to a network or device that would allow ePHI to be viewed.

“Unpatched IoT devices with known vulnerabilities, such as weak or unchanged default passwords installed in a network without firewalls, network segmentation, or other techniques to deny or impede an intruder’s lateral movement, can provide an intruder with a foothold into an organization’s IT network,” suggests OCR. “The intruder may then leverage this foothold to conduct reconnaissance and further penetrate an organization’s network and potentially compromise ePHI.” There have been multiple incidents where hackers have exploited a vulnerability in one of these devices to penetrate an organization’s network and access sensitive data.

Organizations that do not have a comprehensive IT asset inventory could have gaps in recognition and mitigation of risks to ePHI. Only with a comprehensive understanding of the entire organization’s environment will it be possible to minimize those gaps and ensure that an accurate and thorough risk analysis is performed to ensure Security Rule compliance.

Maintaining an IT asset inventory may not be a Security Rule requirement but covered entities must create policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility. An IT asset inventory can also be used for this purpose. The IT asset inventory can also be compared with the results of network scanning and mapping processes to help identify unauthorized devices that have been connected to the network and used as part of vulnerability management to ensure that no devices, software, or other assets are missed when performing software updates and applying security patches.

The NIST Cybersecurity Framework can be leveraged to assist with the creation of an IT asset inventory. NIST has also produced guidance on IT asset management in its Cybersecurity Practice Guide, Special Publication 1800-5. The HHS Security Risk Assessment Tool can also help with IT asset management. It includes inventory capabilities that allow for manual entry or bulk loading of asset information with respect to ePHI.

The post OCR Highlights the Importance of Creating and Maintaining a Comprehensive IT Asset Inventory appeared first on HIPAA Journal.

House of Representatives Votes to Remove Ban on HHS Funding a National Patient Identifier System

Posted by HIPAA Journal

The House of Representatives has voted to lift the ban on the Department of Health and Human Services using federal funds to develop a national patient identifier system.

The Health Insurance Portability and Accountability Act (HIPAA) called for the development of a national patient identifier system. As the name suggests, a national patient identifier system would see each person in the united States issued with a permanent, unique identification number, similar to a Social Security number, that would allow each patient to be identified across the entire healthcare system in the United States. If a patient from California visited an emergency room in New York, the patient identifier could be used to instantly identify the patient, allowing the healthcare provider to access their medical history. Currently, the lack of such an identifier makes matching patients with their medical records complicated, which increases the potential for misidentification of a patient.

The extent to which records are mismatched has been shown in multiple studies. For instance, in 2012, a study conducted by the College of Healthcare Information Management Executives (CHIME) found that 20% of its members could trace an adverse medical event to the mismatching of patient records. In 2014, the Office of the National Coordinator for Health Information Technology (ONC) found that 7 out of every 100 patient records were mismatched. Between 50% and 60% of records are mismatched when shared between different healthcare providers. A study conducted by the Ponemon Institute suggested 35% of all denied claims are due to inaccurately matched records or incomplete patient information, which costs the healthcare industry around $1.2 million each year.

It has been 24 years since HIPAA was signed into law, yet there is still no national patient identifier system. A ban was implemented in 1999 preventing the Department of Health and Human Services from funding the development of such as system out of privacy concerns. The ban has remained in place ever since.

Attempts have been made to lift the ban, notably by Reps. Bill Foster (D-IL) and Mike Kelly (R-PA). Last year, their efforts were partially successful, as the House of Representatives voted to remove the ban, only for the Senate to reject the house provision by not including the language removing the ban in the fiscal year 2020 funding bill for the HHS.

On July 30, 2020, the House approved the Foster-Kelly amendment for the House fiscal 2021 appropriations bill covering the departments of labor, health and human services and education. If the Foster-Kelly amendment is included in the Senate fiscal year 2021 funding bill, the HHS will be free to evaluate a range of solutions and find one which is cost-effective, scalable and secure.

Proponents of lifting the ban claim a national patient identifier would increase patient safety and would help with the secure exchange of healthcare information. While support for a national patient identifier is growing, not everyone believes such a system is wise. Opponents to the lifting of the ban believe a national patient identifier would create major privacy risks. The Citizens’ Council for Health Freedom said a national patient identifier “would combine all of your private information, creating a master key that would open the door to every American’s medical, financial and other private data.”

While there are concerns about privacy, the benefits of introducing such a system have been highlighted during the COVID-19 pandemic. Temporary healthcare facilities and testing sites have been set up and laboratories are now processing huge numbers of COVID-19 tests. There have been many reports of healthcare facilities struggling to correctly identify patients and laboratories have found it difficult to match test results with the right patients due to the lack of complete demographic data.

“The coronavirus pandemic continues to demonstrate the importance of accurately identifying patients and matching them to their medical records. Today marks another milestone in keeping patients safe with the passage of the Foster-Kelly Amendment in the House, bringing us closer to a national patient identification solution,” Russ Branzell, CHIME CEO.

“Removing this archaic ban is more important than ever as we face the COVID-19 pandemic,” said Rep. Bill Foster. “Our ability to accurately identify patients across the care continuum is critical to addressing this public health emergency, and removing this ban will alleviate difficult and avoidable operational issues, which will save money and, most importantly, save lives.”

The post House of Representatives Votes to Remove Ban on HHS Funding a National Patient Identifier System appeared first on HIPAA Journal.

OCR Imposes $1 Million HIPAA Penalty on Lifespan for Lack of Encryption and Other HIPAA Failures

Posted by HIPAA Journal

The HHS’ Office for Civil Rights has imposed a $1,040,000 HIPAA penalty on Lifespan Health System Affiliated Covered Entity (Lifespan ACE) following the discovery of systemic noncompliance with the HIPAA Rules.

Lifespan is a not-for-profit health system based in Rhode Island that has many healthcare provider affiliates in the state. On April 21, 2017, a breach report was filed with OCR by Lifespan Corporation, the parent company and business associate of Lifespan ACE, about the theft of an unencrypted laptop computer on February 25, 2017.

The laptop had been left in the vehicle of an employee in a public parking lot and was broken into. A laptop was stolen that contained information such as patient names, medical record numbers, medication information, and demographic data of 20,431 patients of its healthcare provider affiliates.

OCR investigated the breach and discovered systemic noncompliance with the HIPAA Rules. Lifespan ACE uses a variety of mobile devices and had conducted a risk analysis to identify potential risks to the confidentiality, integrity, and availability of ePHI. Through the risk analysis, Lifespan ACE determined that the use of encryption on mobile devices such as laptops was reasonable and appropriate given the level of risk but failed to implement encryption. The lack of encryption was a violation of 45 C.F .R. § I 64.312(a)(2)(iv).

OCR also discovered Lifespan ACE had not implemented policies and procedures that required the tracking of portable devices with access to a network containing ePHI, nor was there a comprehensive inventory of those devices, in violation of 45 C.F.R. § 164.310(d)(1).

Lifespan Corporation was a business associate of Lifespan ACE, but both entities had failed to enter into a business associate agreement with each other. Lifespan ACE had also not obtained a signed business associate agreement from its healthcare provider affiliates, in violation of 45 C.F.R. § 164.502(e).

As a result of the compliance failures, Lifespan ACE was responsible for the impermissible disclosure of the ePHI of 20,431 individuals when the laptop was stolen – See 45 C.F.R. § 164.502(a).

Lifespan ACE agreed to settle the case, pay the financial penalty, and adopt a comprehensive corrective action plan (CAP). The CAP requires Lifespan ACE to enter into business associate agreements with its affiliates and parent company, create an inventory of all electronic devices, implement encryption and configure access controls, and review and revise its policies and procedures with respect to device and media controls. Those policies and procedures must be distributed to the workforce and training must be provided on the new policies. Lifespan ACE’s compliance efforts will be scrutinized by OCR for the duration of the two-year CAP.

“Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality.  Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves,” said Roger Severino, OCR Director.

This is the second HIPAA penalty to be announced by OCR in the past week. On July 23, 2020, OCR announced Metropolitan Community Health Services dba Agape Health Services had been fined $25,000 for longstanding, systemic noncompliance with the HIPAA Security Rule.

The post OCR Imposes $1 Million HIPAA Penalty on Lifespan for Lack of Encryption and Other HIPAA Failures appeared first on HIPAA Journal.

Small North Carolina Healthcare Provider Fined $25,000 for HIPAA Security Rule Noncompliance

Posted by HIPAA Journal

The HHS’ Office for Civil Rights (OCR) has announced a $25,000 settlement has been reached with Metropolitan Community Health Services to resolve violations of the HIPAA Security Rule.

Washington, NC-based Metropolitan Community Health Services is a Federally Qualified Health Center that provides integrated medical, dental, behavioral health & pharmacy services for adults and children. Operating as Agape Health Services, Metro provides discounted medical services to the underserved population in rural North Carolina. Metropolitan Community Health Services has around 43 employees and serves 3,100 patients each year.

On June 9, 2011, Metropolitan Community Health Services filed a report with OCR over a breach of the protected health information of 1,263 patients. OCR conducted a compliance review to establish whether the breach was the direct result of noncompliance with the HIPAA Rules. The OCR investigation uncovered longstanding, systemic noncompliance with the HIPAA Security Rule.

Prior to the breach, Metropolitan Community Health Service had failed to implement HIPAA Security Rule policies and procedures, in violation of 45 C.F.R. §164.316, and an accurate and thorough assessment of the potential risks to the confidentiality, integrity, and availability of ePHI had not been conducted, in violation of 45 C.F.R. § 164.308(a)(l )(ii)(A). Despite being in business since 1999, no HIPAA security awareness and training had been provided to the workforce prior to June 30, 2016, in violation of 45 C.F.R. §164.308(a)(5).

When deciding on an appropriate settlement, OCR took the size of the organization and several other factors into account.  In addition to paying a financial penalty of $25,000 to resolve the HIPAA violations, Metropolitan Community Health Services has agreed to adopt a robust corrective action plan and will ensure policies and procedures are implemented to the standards required by HIPAA.  Metropolitan Community Health Services will be monitored for compliance with the corrective action plan for a period of two years.

This is the second HIPAA violation penalty to be imposed on a HIPAA covered entity in 2020 to resolve violations of HIPAA Rules, the first being a $100,000 financial penalty in March 2020 for Steven A. Porter, M.D for risk analysis and risk management failures.

The fine confirms that healthcare providers, large and small, are required to comply with HIPAA Rules. “Health care providers owe it to their patients to comply with the HIPAA Rules.  When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information,” said Roger Severino, OCR Director.

The post Small North Carolina Healthcare Provider Fined $25,000 for HIPAA Security Rule Noncompliance appeared first on HIPAA Journal.

Guidance on Contacting COVID-19 Patients to Request Blood and Plasma Donations

Posted by HIPAA Journal

When patients contract an infectious respiratory disease such as COVID-19, the immune system develops antibodies that provide protection if the pathogen is encountered again. The antibodies in the blood of patients who recover from such an illness are valuable, as not only will they provide protection for the patient, that protection could potentially be transferred to other patients.

Through the donation of blood and plasma two preparations can be made: Convalescent plasma and hyperimmune immunoglobulin. Convalescent plasma and hyperimmune immunoglobulin have both been used to successfully treat patients who have contracted other viral respiratory diseases. Given the severity of COVID-19 and the high mortality rate, these treatments could be vital for patients who are struggling to fight the infection. Research studies are now underway to test whether antibody treatments are effective against COVID-19.

To participate in these programs, patients who have previously been diagnosed with COVID-19 will need to be contacted and asked if they are willing to donate blood and plasma, but is this contact permitted by the HIPAA Privacy Rule?

On June 12, 2020, the Department of Health and Human Services’ Office for Civil Rights issued guidance to healthcare providers on the HIPAA Privacy Rule and contacting COVID-19 patients to request blood and plasma donations.

OCR explained that the HIPAA Privacy Rule does not prohibit healthcare providers from contacting COVID-19 patients to request blood and plasma donations and prior authorization from the patient is not required.

Healthcare providers can contact patients to advise them about the opportunities for donating blood and plasma to support the response to COVID-19 to improve other patents’ chances of beating the disease.

HIPAA covered entities and business associates acting on their behalf can use or disclose PHI for the purpose of treatment, payment, and healthcare operations, without first receiving authorization to do so from a patient. Requesting a donation of blood or plasma does not fall into the category of treatment, as the blood/plasma will not be used to treat the patient, instead it is being used for population-based health care operations to improve health, case management, and care-coordination, which are included in the definition of healthcare operations.

There is some confusion over whether contacting patients to solicit blood donations would constitute marketing communications, which are generally not permitted by the HIPAA Privacy Rule without prior authorization from a patient.

In this case, an exception to the Privacy Rule’s Marketing provision applies. “A covered health care provider is permitted to make such communication for the covered entity’s population-based case management and related health care operations activities, provided that the covered entity receives no direct or indirect payment from, or on behalf of, the third party whose service is being described in the communication (e.g., a blood and plasma donation center),” explained OCR in the guidance.

An authorization is required from a patient before PHI can be disclosed to a third party, such as a blood and plasma donation center, to allow a COVID-19 patient to be contacted to request blood and plasma donations for the donation center’s own purposes.

The post Guidance on Contacting COVID-19 Patients to Request Blood and Plasma Donations appeared first on HIPAA Journal.

Safe Partner Inc. Confirmed as HIPAA Compliant

Posted by HIPAA Journal

Compliancy Group has announced that Safe Partner Inc. has demonstrated it has implemented an effective HIPAA compliance program and has successfully completed its proprietary 6-stage HIPAA risk analysis and remediation process.

Safe Partner Inc. is a Belmont, CA-based boutique software development and consulting company that provides a full range of software services, from design to development, implementation, and ongoing customer support. The company was formed in 1995 and works with clients in a wide range of industry sectors, including healthcare. Some of the software solutions developed by the company interact with healthcare data, which means the company is classed as a business associate and must comply with HIPAA Rules.

To ensure that no aspect of HIPAA compliance was missed, Safe Partner Inc sought assistance from Compliancy Group. Assisted by the company’s compliance coaches and using the firm’s HIPAA compliance tracking software solution, The Guard, Safe Partner Inc was able to demonstrate its HIPAA compliance program covered all aspects of the HIPAA Privacy, Security, Omnibus, and Breach Notification Rules. The company also conducted a comprehensive risk analysis to identify all potential risks to the confidentiality, integrity, and availability of protected health information, and ensured risks were effectively mitigated in accordance with the requirements of the HIPAA Security Rule.

After demonstrating to Compliancy Group that its policies and procedures met the minimum standards required by HIPAA, the company’s good faith effort toward HIPAA compliance was recognized and the company was awarded the Compliancy Group HIPAA Seal of Compliance.

The HIPAA Seal of Compliance helps the company differentiate its services and demonstrates to current and future clients that Safe Partner Inc. is committed to ensuring the privacy and security of any healthcare data provided to the company or accessible through its software solutions.

The post Safe Partner Inc. Confirmed as HIPAA Compliant appeared first on HIPAA Journal.

Healthcare Workers in Michigan and Illinois Fired for HIPAA Violations

Posted by HIPAA Journal

Ann & Robert H. Lurie Children’s Hospital of Chicago has terminated an employee for improperly accessing the medical records of patients without authorization over a period of 15 months.

The privacy violations were identified by the hospital on March 5, 2020. The employee’s access to hospital systems was immediately terminated while the investigation was conducted. After reviewing access logs, the hospital found that the employee had accessed the medical records of 4,824 patients without authorization between November 2018 and February 2020.

The types of information accessed by the employee included names, addresses, dates of birth, diagnoses, medications, appointments, and medical procedures. No health insurance information, financial information, or Social Security numbers were accessed.

No reason as been given as to why the medical records were accessed, but the hospital says it does not believe the employee obtained, misused, or disclosed the information to anyone else. The hospital said the employee no longer works at the hospital.

This is not the first incident of its type to occur at Lurie Children’s Hospital. A similar incident was discovered in November 2019, when the hospital learned that a former employee accessed the medical records of patients without authorization between September 2018 and September 2019.

Mercy Health Fires Nurse for Multiple Privacy Violations

Mercy Health has also recently taken action against an employee for alleged violations of the HIPAA Privacy Rule. A nurse at Hackley Hospital in Muskegon, MI was terminated on April 3, 2020. The termination came shortly after the nurse raised concerns in media interviews about the level of preparedness of the hospital for the COVID-19 pandemic and how the alleged lack of preparedness put safety at risk. The nurse contacted the Michigan Nurses Association Labor Union, which claimed that Mercy Health fired the nurse for speaking out. The Labor Union also filed a charge with the National Labor Relations Board.

“Howe’s termination came on the evening of April 3, days after he had publicly raised concerns about lack of appropriate PPE and the need for improved screening measures to keep nurses and healthcare workers safe during the COVID-19 pandemic,” said the Labor Union in an April 21, 2020 press release.

10 days after the nurse was fired, and one day after the press release was issued by the Labor Union, Mercy Health released a press release of its own stating the nurse was fired for multiple violations of HIPAA Rules. Mercy Health said it does not usually share details about employment matters related to its workers but was compelled to speak out due to the “misinformation campaign” led by the Labor Union.

Mercy Health claims the fired nurse, Justin Howe, was terminated for accessing the medical records of multiple patients over a period of several days. The records were for not for patients receiving treatment at the campus where the nurse worked and there was no legitimate work reason for accessing those records. Mercy Health claims that Howe was not the only nurse terminated for improper medical record access.

According to Mercy Health’s press release, “We have mechanisms in place to monitor for inappropriate access of privileged information. As part of this review process, Mr. Howe along with others were terminated for the same. This investigative effort is still in process.”

The post Healthcare Workers in Michigan and Illinois Fired for HIPAA Violations appeared first on HIPAA Journal.

OCR Issues Guidance on Media and Film Crew Access to Healthcare Facilities

Posted by HIPAA Journal

The HHS’ Office for Civil Rights (OCR) has issued guidance to healthcare providers to remind them that the HIPAA Privacy Rule does not allow the media and film crews to access healthcare facilities where patients’ protected health information is accessible unless written authorization has been obtained from the patients concerned in advance. A public health emergency does not change the requirements of the HIPAA Privacy Rule, which remains in effect in emergency situations.

OCR has made this clear in the past with enforcement actions against Boston Medical Center, Brigham and Women’s Hospital, and Massachusetts General Hospital in 2018 after it was discovered they had given film crews access to their facilities without first obtaining authorization from patients. They were fined a total of $999,000 for the HIPAA violations.

OCR has issued Notices of Enforcement Discretion during the coronavirus pandemic and will not be imposing sanctions and financial penalties on HIPAA-covered entities for certain violations of HIPAA Rules. Penalties can and will be imposed on covered entities for violations of HIPAA Rules not covered by the Notices of Enforcement Discretion, such as unauthorized disclosures to the media.

In the latest guidance, OCR explains that protected health information includes written, electronic, oral, and other visual and audio forms of health information which must be protected against unauthorized access and disclosure. In all cases, HIPAA authorizations must be obtained from patients in advance, before the film crews are granted access to the facilities. It is not permissible for film crews to simply mask the identities of patients in video footage, such as blurring faces before broadcast.

The HIPAA Privacy Rule does not prohibit film crews from entering healthcare facilities. Provided HIPAA authorizations have been obtained in advance from all patients who are in or will be in the areas accessed by the film crews, filming is permitted. However, in such situations, reasonable safeguards must still be put in place to protect against unauthorized disclosures of PHI, including measures such as privacy screens on computer monitors to prevent electronic PHI from being viewed. Screens must also be used to ensure patients who have not signed HIPAA authorizations are not filmed.

“The last thing hospital patients need to worry about during the COVID-19 crisis is a film crew walking around their bed shooting ‘B-roll,’” said Roger Severino, OCR Director.  “Hospitals and health care providers must get authorization from patients before giving the media access to their medical information; obscuring faces after the fact just doesn’t cut it.”

The post OCR Issues Guidance on Media and Film Crew Access to Healthcare Facilities appeared first on HIPAA Journal.

Ciitizen HIPAA Right of Access Study Shows Significant Improvement in Compliance

Posted by HIPAA Journal

There has been a significant improvement in compliance with the HIPAA Right of Access, according to the latest Patient Record Scorecard Report from Ciitizen.

To compile the report, Ciitizen conducted a study of 820 healthcare providers to assess how well each responded to patient requests for copies of their healthcare data. A wide range of healthcare providers were assessed for the study, from single physician practices to large, integrated healthcare delivery systems.

The HIPAA Privacy Rule gives patients the right to request a copy of their healthcare data from their providers. Request must be submitted in writing and healthcare providers are required to provide the patient with a copy of the health data in a designated record set within 30 days to the request being submitted. The data must be provided in the format requested by the patient if the PHI is readily producible in that format. In cases where data cannot be provided in the requested format, the provider should give the patient a printed copy of their healthcare data or provide the data in an alternative format, as agreed with the patient.

For each study, requests for copies of healthcare data are sent to healthcare providers by Ciitizen users. The provider then receives a rating from 1-5 based on their response. A 1-star rating represents a non-HIPAA-compliant response. 2-stars are awarded when requests are eventually resolved satisfactorily, but only after multiple escalations to supervisors. A 3-star rating is given when the request is satisfied with minimal intervention, and a 4-star rating is given to providers that are fully compliant and have a seamless response. A 5-star rating is reserved for providers with a patient-focused process who go above and beyond the requirements of HIPAA.

Previous studies revealed a majority of providers (51%) were not compliant with the HIPAA Right of Access. The latest study saw that percentage fall to 27%. The percentage of providers awarded 4 stars for their responses increased from 40% to 67%, and the percentage of providers awarded 5 stars increased from 20% to 28%.

There was further good news from this year’s study. Under HIPAA, healthcare providers are permitted to charge patients a reasonable, cost-based fee for producing the records, but only 6% of the 820 healthcare providers charged fees.

In previous studies, many healthcare providers required patients to complete a standard form, yet this year, most providers accepted any form of written request and did not require patients to complete a particular form before the request was processed.

The latest study saw a significant increase in assessments, which may have accounted, in part, for the improvements in compliance. 51 providers were assessed for the first Patient Record Scorecard report, 210 in the second, and 820 in the third. Ciitizen points out that the percentage of non-compliant providers in those studies did correlate with a separate study conducted on 3,000 providers, which suggests that the improvements made are genuine.

Ciitizen attributes the improvements in compliance to three main factors. A greater emphasis has been placed on the right of individuals to obtain copies of their healthcare data following the publication of new rules by the HHS’ Centers for Medicare and Medicaid Services and the HHS’ Office of the National Coordinator for Health IT, which make it easier for patients to obtain copies of their healthcare data.

There has also bee a positive influence of release of information (ROI) vendors. ROI vendors process patient requests on behalf of covered entities and help those entities comply with the HIPAA Right of Access. Finally, the HHS’ Office for Civil Rights launched a HIPAA Right of Access enforcement initiative last year. Under that initiative, two penalties of $85,000 were imposed on covered entities that failed to comply with requests from patients to provide copies of their PHI.

The Ciitizen Patient Record Scorecard Reports and the website sit up by Ciitizen that shows the scores of each provider may also have played a role in encouraging healthcare providers to comply with this important aspect of HIPAA.

The post Ciitizen HIPAA Right of Access Study Shows Significant Improvement in Compliance appeared first on HIPAA Journal.