HIPAA Compliance News

MDLive Faces Class Action Lawsuit Over Alleged Patient Privacy Violations

Posted by HIPAA Journal

A class action lawsuit has been filed against the telemedicine company MDLive claiming the company violated the privacy of patients by disclosing sensitive medical information to a third party without informing or obtaining consent from patients.

Patients are required to enter in a range of sensitive information into the MDLive app; however, during the first 15 minutes of use, the app takes screenshots of the data entered by users. According to the lawsuit, an average of 60 screenshots are taken during the first 15 minutes – the time it typically takes a user to register for an account. Those screenshots are then sent to an Israeli company called Test Fairy, which conducts quality control tests.

The lawsuit alleges patients are not informed that their information is disclosed to a third-party company. All data entered into the app can also be viewed by MDLive employees, even though there is no reason for those employees to be able to view the data.

Users of the app enter their medical information during setup in order to find local healthcare providers. The types of information entered by users includes sensitive data such as health conditions, recent medical procedures, behavioral health histories, family medical histories and details of allergies. According to the lawsuit, the screenshots are “covertly” sent to Test Fairy “in near real time.”

The lawsuit suggests patients using the app are likely to assume their data will be kept confidential and that reasonable security measures will be employed to prevent disclosures. However, the lawsuit states that “Contrary to those expectations, MDLive fails to adequately restrict access to patients’ medical information and instead grants unnecessary and broad permissions to its employees, agents, and third parties.”

The lawsuit was filed by the Illinois law firm Edelson PC with app user Joan Richards named as the plaintiff. Typically, for a lawsuit to succeed, an unauthorized disclosure of medical information must result in harm being caused.

Edelson PC attorney Chris Dore said, “Our complaint alleges that the harm is complete at the point that this information is collected without permission.”

MDLive says the lawsuit is “baseless,” that no data breach has occurred, HIPAA Rules have not been violated, and any data entered into the app is safe. While data are disclosed to authorized third parties, those third parties are “bound by contractual obligations and applicable laws.” MDLive also claims any information disclosed is only used for the purpose for which that disclosure is made.

MDLive is seeking to have the lawsuit dismissed.

The post MDLive Faces Class Action Lawsuit Over Alleged Patient Privacy Violations appeared first on HIPAA Journal.

Wireless Health Services Provider Settles HIPAA Violations with OCR for $2.5 Million

Posted by HIPAA Journal

2016 was a record year for HIPAA settlements, but 2017 is looking like it will see last year’s record smashed. There have already been six HIPAA settlements announced so far this year, and hot on the heels of the $31,000 settlement announced last week comes another major HIPAA fine.

A $2.5 million settlement has been agreed with CardioNet to resolve HIPAA violations. CardioNet is a Pennsylvania-based provider of remote mobile monitoring and rapid response services to patients at risk for cardiac arrhythmias.

Settlement have previously been agreed with healthcare providers, health plans, and business associates of covered entities, but this is the first-time OCR has settled potential HIPAA violations with a wireless health services provider.

While OCR has not previously fined a wireless health services provider for violating HIPAA Rules, the same cannot be said of the violations discovered. Numerous settlements have previously been agreed with covered entities after OCR discovered risk analysis and risk management failures.

In this case, the settlement relates to a data breach reported to OCR in January 2012. In 2011, an employee of CardioNet left a laptop computer in a vehicle that was left outside that individual’s home. The laptop computer was stolen, resulting in the impermissible disclosure of 1,391 patients’ electronic protected health information (ePHI).

As is customary following all breaches involving the theft or exposure of more than 500 individuals’ PHI, OCR conducted an investigation to determine whether the breach was a direct result of violations of HIPAA Rules.

In this case, a risk analysis has been performed, but OCR investigators determined that the risk analysis was not comprehensive – a violation of 45 C.F.R. § 164.308(a)(1). Also, at the time of the breach, there were inadequacies in CardioNet’s risk management process.

By 2011, all HIPAA-covered entities were required to comply with the HIPAA Security Rule, yet CardioNet’s HIPAA policies and procedures were still only in draft form and had not yet been implemented. OCR requested final copies of policies and procedures covering the safeguarding of ePHI stored on mobile devices, yet CardioNet was unable to produce any HIPAA-compliant documentation regarding the implementation of ePHI safeguards for mobile devices.

CardioNet was also determined to have violated 45 C.F.R. § 164.310(d)(1) by failing to implement policies and procedures covering the receipt and removal of hardware containing ePHI and for the failure to implement encryption – or another equivalent safeguard – to prevent the exposure of ePHI stored on mobile devices.

Any laptop computer or other mobile device that is used to store the ePHI of patients is vulnerable to theft or loss. When those devices are removed from the premises of a HIPAA-covered entity, the risk of theft or loss increases considerably. Covered entities must therefore implement appropriate safeguards to ensure that in the event of loss or theft of those devices, ePHI remains protected.

OCR Director, Roger Severino, said the “failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”

The latest HIPAA settlement should send a strong message to covered entities that the failure to comply with HIPAA Rules can prove very costly. Also, that it is not only hospitals and health plans that run the risk of a significant financial penalty for failing to comply with HIPAA Rules.

2017 HIPAA Settlements

The other HIPAA settlements agreed between OCR and covered entities in 2017 are:

  • The Center for Children’s Digestive Health- $31,000
  • Metro Community Provider Network – $400,000
  • Memorial Healthcare System – $5.5 million
  • Children’s Medical Center of Dallas- $3.2 million
  • MAPFRE Life Insurance Company of Puerto Rico – $2.2 million
  • Presense Health – $475,000

The post Wireless Health Services Provider Settles HIPAA Violations with OCR for $2.5 Million appeared first on HIPAA Journal.

Patient Records Must be Disclosed by Organ Procurement Organization, Rules Supreme Court Judge

Posted by HIPAA Journal

A New York Supreme Court Judge has recently ruled that patient records held by the New York Organ Donor Network must be turned over to a plaintiff and that the request cannot be denied based on HIPAA.

Patrick McMahon claims he was fired from his position of Transplant Coordinator by the New York Organ Donor Network following complaints he made about organ harvesting from four patients who were still showing clear signs of life and had not been declared legally dead.

The New York Organ Donor Network maintains the plaintiff was fired for poor performance while he was still a probationary employee. The allegations about the procurement of organs have been denied.

McMahon requested the New York Organ Donor Network turn over the medical records of the four patients as they are ‘material and necessary’ to show the patients showed signs of brain activity at the time the organs were harvested.  The New York Organ Donor Network had previously denied McMahon’s request, instead providing contact details of the patients’ next of kin, informing McMahon that he needed to obtain consent forms allowing the release of the information.

McMahon claims he attempted to obtain consent forms, but despite diligent attempts, was unable to obtain the authorizations. Without access to the medical records of patients, McMahon is unable to provide the proof related to his asserted cause of action.

McMahon argued that the New York Organ Donor Network is not a HIPAA-covered entity and therefore would not be in breach of HIPAA-Rules by turning over the patients’ records.

The New York Organ Donor Network confirmed that it is not an entity covered by HIPAA Rules, but that it has a duty to maintain patient confidentiality. The defendant also pointed out it has entered into memorandums of understanding (MOUs) with hospitals in which access to PHI was gained in order to facilitate the organ donation process. The New York Organ Donor Network says “it would defeat the purpose of HIPAA if it were required to comply with plaintiffs’ requests.”

While HIPAA Rules protect the privacy of patients, Manhattan Supreme Court Justice Arlene Bluth ruled that the New York Organ Donor Network is not a HIPAA-covered entity, and even if it were, HIPAA Rules do not prevent document disclosure. Bluth explained that organ procurement organizations (OPOs) are allowed to be provided with PHI and that MOUs “seek to assure the covered entities who provide information to defendant that protected health information will be kept confidential.” However, Bluth said, “MOUs between [the] defendant and certain hospitals do not compel this Court to deny plaintiffs motion.”

Bluth said, the “defendant failed to identify a federal regulation or case law that would prevent this Court from requiring disclosure,” and ruled the documents must be turned over as requested by the plaintiff.

Explaining the ruling, Bluth said “HHS could have promulgated a rule stating that any protected health information received by an OPO from a covered entity must remain subject to HIPAA’s privacy protections as if the OPO were a covered entity; HHS did not.” Bluth also pointed out that HHS could have included OPOs in its definition of covered entities but it did not.

Bluth explained that “Providing this information might negatively impact these MOUs. But that possibility merely underscores the need for additional federal regulations addressing OPOs and their relationship with HIPAA.”

The New York Organ Donor Network must turn over the patients’ records no later than April 26, 2017. McMahon has been prohibited from using the information in the medical records for anything other than litigation.

The post Patient Records Must be Disclosed by Organ Procurement Organization, Rules Supreme Court Judge appeared first on HIPAA Journal.

OCR Settlement Highlights Importance of Obtaining Signed Business Associate Agreements

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has sent another warning to HIPAA-covered entities about the need to obtain signed, HIPAA-compliant business associate agreements with all vendors prior to disclosing any protected health information.

Yesterday, OCR announced it has agreed to settle potential violations of the Health Insurance Portability and Accountability Act with The Center for Children’s Digestive Health (CCDH); a small 7-center pediatric subspecialty practice based in Park Ridge, Illinois.

On August 13, 2015, OCR conducted a HIPAA compliance review of CCDH following an investigation of FileFax Inc., which was contracted by CCDH to store inactive patient records. The FileFax investigation revealed the company had not signed a business associate agreement prior to being provided with patients’ PHI.

The subsequent compliance review of CCDH similarly revealed that no signed business associate agreement existed. CCDH had therefore impermissibly disclosed patients’ PHI to FileFax in violation of HIPAA Rules.

CCDH had provided paper records relating to 10,728 patients without officially advising FileFax, by means of a BAA, of the firm’s responsibilities to safeguard patients’ data. CCDH also received no HIPAA-compliant assurances that appropriate safeguards had been implemented to ensure the confidentiality, integrity, and availability of PHI prior to the disclosure.

FileFax had been storing documents containing the PHI of patients of CCDH since 2003, yet the earliest business associate agreement produced by CCDH and FileFax was dated October 12, 2015.

CCDH has agreed to pay OCR $31,000 to resolve the potential HIPAA violations and will adopt a corrective action plan that involves updating policies and procedures, conducting staff training on those policies and procedures and ensuring one or more employees are made responsible for ensuring HIPAA-compliant business associate agreements are obtained from all business associates.

HIPAA-covered entities are permitted to disclose the PHI of patients to their business associates; however, before any PHI is disclosed, the covered entity must enter into a contract with the business associate. The contract must explain the responsibilities the business associate has to ensure PHI is secured and safeguards are implemented to prevent unauthorized disclosures. The business associate must also be advised of the allowable uses and disclosures of PHI and must agree not to use or disclose any PHI unless required to do so under the terms of the contract or if required to do so by law.

The business associate must also be advised of the requirement to notify the covered entity in the event that any PHI is accidentally or deliberately accessed or disclosed along with the timescale for doing so. The business associate must also be advised that the failure to comply with HIPAA Rules can result in financial penalties being issued.

Further information on HIPAA Rules concerning business associate agreements can be viewed on this link.

2017 HIPAA Settlements

Last year, OCR issued one civil monetary penalty and agreed to settle potential HIPAA violations with 12 covered entities to resolve HIPAA violations – More than any other year since the HIPAA Enforcement Rule was introduced.

This year looks set to see even more HIPAA enforcement actions. The Center for Children’s Digestive Health HIPAA settlement is the sixth financial penalty in less than four months, bringing the total amount of HIPAA fines in 2017 to $11,806,000.  The other HIPAA settlements agreed between OCR and covered entities in 2017 are:

  • Metro Community Provider Network – $400,000
  • Memorial Healthcare System – $5.5 million
  • Children’s Medical Center of Dallas- $3.2 million
  • MAPFRE Life Insurance Company of Puerto Rico – $2.2 million
  • Presense Health – $475,000

The post OCR Settlement Highlights Importance of Obtaining Signed Business Associate Agreements appeared first on HIPAA Journal.

$400,000 HIPAA Penalty Agreed with Denver FQHC for Security Management Process Failures

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has taken action against a Denver, CO-based federally-qualified health center (FQHC) for security management process failures that contributed to the organization experiencing a data breach in 2011.

Metro Community Provider Network (MCPN) has agreed to pay OCR $400,000 and adopt a robust corrective action plan to resolve all HIPAA compliance issues identified during the OCR investigation.

The incident that triggered the OCR investigation was a phishing attack that occurred on December 5, 2011. A hacker sent phishing emails to (MCPN) personnel, the responses to which enabled that individual to gain access to employees’ email accounts. Those accounts contained the electronic protected health information of 3,200 patients.

OCR investigates all breaches of more than 500 patient records to determine whether healthcare organizations have experienced a breach as a direct result of violations of HIPAA Rules. OCR notes that MCPN took the necessary action following the breach to prevent further phishing attacks from being successful; however, OCR investigators uncovered multiple violations of HIPAA Rules.

Phishing attacks on healthcare organizations are to be expected and it would be unreasonable to expect healthcare organizations to be able to reduce the risk of a successful phishing attack to zero. However, HIPAA-covered entities must take steps to identify potential risks and to take action to reduce risks to an appropriate level.

One of the fundamental elements of the HIPAA Security Rule is the risk analysis. The purpose of the risk analysis is to identify risks to the confidentiality, integrity, and availability of electronic protected health information. If a risk analysis is not conducted, HIPAA-covered entities will not be able to determine with any degree of certainty whether all risks have been identified. Appropriate measures to reduce those risks to acceptable levels would therefore be unlikely to be implemented.

While OCR confirmed that MCPN had conducted a risk analysis, it had not been performed until mid-February 2012, more than two months after the phishing attack had occurred. Further, that risk analysis and all subsequent risk analyses performed by MCPN did not meet the minimum requirements of the HIPAA Security Rule.

The lack of a risk analysis meant MCPN failed to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI that the organization held. MCPN also failed to implement a risk management plan to address risks identified in the risk analysis.

OCR also determined that MCPN had failed to implement appropriate security measures to reduce risks to a reasonable and acceptable level and policies and procedures to prevent, detect, contain, and correct security violations had also not been implemented.

When deciding an appropriate settlement, OCR took into consideration MCPN’s status as a FQHC and its financial position to ensure MCPN could maintain sufficient financial standing to continue to provide ongoing patient care. The HIPAA settlement could have been considerably higher.

This is the first HIPAA settlement announced since the appointment of Roger Severino as Director of OCR. Severino issued a statement about the settlement explaining “Patients seeking health care trust that their providers will safeguard and protect their health information…Compliance with the HIPAA Security Rule helps covered entities meet this important obligation to their patient communities.”

This is the fifth HIPAA settlement of 2017. OCR has previously agreed to settle potential violations of the Health Insurance Portability and Accountability with the following HIPAA-covered entities in 2017:

  • Memorial Healthcare System – $5.5 million
  • Children’s Medical Center of Dallas- $3.2 million
  • MAPFRE Life Insurance Company of Puerto Rico – $2.2 million
  • Presense Health – $475,000

The post $400,000 HIPAA Penalty Agreed with Denver FQHC for Security Management Process Failures appeared first on HIPAA Journal.

Roger Severino Named New Director of HHS’ Office for Civil Rights

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has a new leader. The Trump Administration has chosen former civil rights trial attorney Roger Severino to lead the HIPAA enforcement efforts of the Office for Civil Rights.

Severino joins OCR from the Heritage Foundation’s DeVos Center for Religion and Civil Society, Institute for Family, Community, and Opportunity, where he served as Director since May 2015.

A formal announcement about the appointment of the new OCR Director has yet to be issued; however, the Heritage Foundation has confirmed that Severino is no longer on the staff and his name has been added to the HHS website. A spokesperson for OCR has also confirmed that Severino will be the new director and Severino’s LinkedIn profile has also been updated to include his new position as OCR chief.

Severino has a background in civil rights litigation, having worked as a trial attorney for the Department of Justice for seven years in the Housing and Civil Enforcement division. During his time at the DOJ, Severino enforced the Fair Housing Act, Title II and Title VI of the Civil Rights Act of 1964 and the Religious Land Use and Institutionalized Persons Act. Severino has also worked as Legal Counsel for the Becket Fund for Religious Liberty between July 2003 and May 2008.

While Severino has civil rights experience and has spent time working in the section of the DOJ that enforces criminal HIPAA statutes, he does not appear to have much experience of privacy and security issues.

LGBT Groups Express Concern About New OCR Appointment

Many human rights organizations have expressed concern over the appointment of Severino as head of OCR due to the views he has previously expressed about transgender people and same-sex marriages. Severino has authored a number of reports in which he has spoken out in opposition of LGBT rights and pro-LGBT legislation. Severino has also spoken out against Planned Parenthood.

JoDee Winterhof, senior vice president of policy and political affairs at the Human Rights Campaign went as far as saying ‘There isn’t a more dangerous person to lead HHSGov’s Office for Civil Rights than LGBTQ opponent Roger Severino.”

Wade Henderson, president and CEO of The Leadership Conference on Civil and Human Right, said “The Office for Civil Rights at HHS is essential to ensuring that all people can lead healthy lives, free of discriminatory barriers. Section 1557 of the Affordable Care Act, which bans discrimination based on race, sex, disability and age in health programs and activities, is key to achieving this goal. Henderson went on to say, “Strong and experienced leadership at OCR committed to fully enforcing Section 1557 is therefore critical. Mr. Severino is not that leader.”

OCR is likely to be taken in a different direction under Severino’s leadership than it was under the directorship of Jocelyn Samuels. What impact Severino will have on OCR’s HIPAA enforcement activity and HIPAA guidance remains to be seen.

The post Roger Severino Named New Director of HHS’ Office for Civil Rights appeared first on HIPAA Journal.

Alleged Social Media Retaliation by Doctor Breached HIPAA Privacy Rule

Posted by HIPAA Journal

A physician at the Dr. O Medical and Wellness Center in San Antonio, Texas allegedly retaliated against a patient by posting a video of the individual clad only in underwear on Facebook and YouTube. The doctor’s actions, which appear to be a clear violation of the HIPAA Privacy Rule, have resulted in her being sanctioned by the Texas Medical Board following a complaint by the patient.

The patient, Clara Aragon-Delk, underwent a series of cosmetic surgery procedures starting in 2015. Non-invasive laser treatments were performed by Dr. Tinuade Olusegun-Gbadehan, and while consent was provided by the patient to have photographs and videos taken, authorization was only given for ‘anonymous use for the purposes of medical audit, education, and promotion.’

The images and video contained full face shots of the patient. Rather than protecting the patient’s privacy by pixelating the patient’s face, a video was posted to Olusegun-Gbadehan’s Facebook page without any attempt to protect the patient’s privacy.

From the video, it would appear that the patient was happy with the treatment, although around a month later the patient had changed her mind. The patient replied to the Facebook post saying “OK, I’ll make my Comment! Beware! Send me a personal message, and I’ll share my experience with this crap!”

There were subsequent email exchanges between the Dr. Olusegun-Gbadehan and the patient in which Aragon-Delk claims Dr. Olusegun-Gbadehan acted in an abusive and threatening manner.

Aragon-Delk claims Dr. Olusegun-Gbadehan said in one email, “I will damage your professional and you will be humiliated!” Olusegun-Gbadehan also said, others “will see your glowing testimonial and your body, enjoy your Hi-Def video. Enjoy as others will do the same.”

In the complaint filed with the Texas Medical Board, the patient claimed she suffered burns during the first procedure. She also claimed to have been overbilled. In response to the overbilling, the patient contacted a merchant processing company called Stripe regarding the disputed charges.

Two weeks ago, the Texas Medical Board ruled that Dr. Olusegun-Gbadehan had violated the patient’s privacy and acted in an unprofessional manner.

The Texas Medical Board said the posting of the video was a HIPAA violation and was unprofessional. The Board also ruled that an email containing the link to a posting of the video that was sent to the patient in an unsecured format was also a confidentiality breach and was unprofessional. Dr. Olusegun-Gbadehan also sent the video to the merchant processing company in response to the billing dispute as evidence that the patient initially appeared to be happy with the treatment, but this too was a violation of the patient’s privacy.

Dr. Olusegun-Gbadehan neither admits or denies the allegations, but the Texas Medical Board’s order was agreed to by Dr. Olusegun-Gbadehan to avoid a contested hearing, according to the San Antonio Express News.

The order requires Dr. Olusegun-Gbadehan to retake the Texas Medical Jurisprudence Examination within the next 12 months.

While the matter would appear to have been settled, the patient has now sued Dr. Olusegun-Gbadehan for mental anguish, physical pain, and suffering. Patients are not permitted to sue physicians for HIPAA violations as there is no private cause of action. Consequently, a health care liability claim has been filed under state law, claiming the publication of the video and subsequent correspondence via email were intended to damage the patient’s personal and professional reputation.

The post Alleged Social Media Retaliation by Doctor Breached HIPAA Privacy Rule appeared first on HIPAA Journal.

Updated HIPAA Compliance Audit Toolkit Issued by AHIMA

Posted by HIPAA Journal

Phase 2 of the Department of Health and Human Services’ Office for Civil Rights HIPAA compliance audits are now well underway. Late last year, covered entities were selected for desk audits and the first round of audits have now been completed. Now OCR has moved on to auditing business associates of covered entities.

At HIMSS17, OCR’s Deven McGraw explained that the full compliance audits, which were initially penciled in for Q1, 2017, are to be delayed. This gives covered entities more time to prepare.

The phase 2 HIPAA compliance desk audits were more detailed than the first phase of audits conducted in 2011/2012. The desk audits covered a broad range of requirements of the HIPAA Privacy, Security, and Breach Notification Rules, although they only consisted of a documentation check to demonstrate compliance.

The onsite audits will be much more thorough and will look much deeper into organizations’ compliance programs. Not only will covered entities be required to show auditors documentation demonstrating compliance with HIPAA Rules, OCR will be looking for evidence of HIPAA in action.

To help with the audit preparation process, the American Health Information Management Association (AHIMA) has updated its HIPAA audit readiness toolkit. The toolkit can be used by covered entities to assess their compliance efforts and determine whether they have all the necessary documentation, policies, and procedures in place to meet all Health Insurance Portability and Accountability Act requirements.

The new toolkit details the legal process of the HIPAA compliance audit program, OCR processes, and now incorporates the updated HIPAA audit protocol used by OCR in the second phase of the compliance audits.

The new toolkit contains HIPAA compliance checklists covering policies, procedures, and documentation that is likely to be requested by Office for Civil Rights auditors, together with a master policy template for the privacy and security rule compliance program.

AHIMA has also included tips and best practices that can be adopted by HIPAA-covered entities and their business associates to help them meet all of their responsibilities along with an HIPAA audit preparation guide.

AHIMA members can access the HIPAA audit readiness toolkit free of charge in the HIM Body of Knowledge section of the AHIMA website or through its web store.

The onsite audits may have been delayed, but covered entities should ensure they are ready for an audit. Even if the audits slip into 2018 as hinted by McGraw, OCR still investigates all breaches of more than 500 records. In the event of a data breach, OCR will require evidence of compliance with HIPAA Rules and heavy fines await organizations found not to have complied with the HIPAA Privacy, Security and Breach Notification Rules.

The post Updated HIPAA Compliance Audit Toolkit Issued by AHIMA appeared first on HIPAA Journal.

AHIMA Published New Resource Confirming Patients PHI Access Rights under HIPAA

Posted by HIPAA Journal

The Health Insurance Portability and Accountability Act (HIPAA) permits patients to obtain a copy of their medical records in electronic or paper form. Last year, the Department of Health and Human Services released a series of videos and documentation to explain patients’ right to access their health data.

Yesterday, the American Health Information Management Association (AHIMA) also published guidance – in the form of a slideshow – further explaining patients’ access rights, what to expect when requests are made to healthcare providers, possible fees, and the timescale for obtaining copies of PHI.

AHIMA explains that copies will not be provided immediately. Under HIPAA Rules, healthcare providers have up to 30 days to provide copies of medical records, although many will issue designated record sets well within that timeframe. However, in some cases, provided there is a justifiable reason for doing so, a healthcare provider may request a 30-day extension. In such cases, it may take up to 60 days for patients to obtain copies of their health data.

AHIMA has explained to whom healthcare providers are allowed to disclose the information: Patients or a nominated personal representative. In the case of the latter, guidance has been issued on who that person may be.

There are various models that can be adopted by healthcare providers for charging patients for copies of PHI. While the actual cost for providing copies of medical records may not be provided at the time the request is made, healthcare providers must advise patients of the approximate cost at the time the request is made. AHIMA points out that if electronic health data is being provided via a patient portal, a charge will not apply.

Since HIPAA serves to protect patient privacy, healthcare providers are required to verify the identity of the person making the request or a personal representative if one is used. A healthcare provider will therefore require a photographic ID to be produced prior to any records being released. A waiver will also need to be signed verifying identity.

AHIMA explains that obtaining copies of medical records is important. Access to health data improves patient engagement and empowers them to make more informed choices about their healthcare.

While providers should be able to obtain health data from other providers, that process is not always straightforward due to data incompatibility issues. It is therefore important that patients have complete copies of their medical records so they can provide complete sets to new providers. Doing so improves the coordination of care.

Patients should also check their health records for any errors and omissions – known allergies for instance. If an error or omission is discovered, a request to change the records should be submitted to the appropriate healthcare provider.

The AHIMA slideshow can be viewed here. Further information for patients on medical record access can be found in an accompanying blog post.

Penalties for Failing to Provide Patients with Copies of their Medical Records

Healthcare providers should be aware that failure to provide patients with copies of their medical records can result in a financial penalty for non-compliance with HIPAA Rules.

41 patients of Cignet Health of Prince George’s County in Maryland were denied access to their medical records and complained to OCR. The investigation revealed that the HIPAA Privacy Rule had been violated. Cignet eventually settled with OCR for more than $4.3 million.

AHIMA recommends that healthcare providers regularly review their policies and procedures for providing patients with copies of their medical records. Many healthcare providers have unintended barriers in place that make it difficult for patients to exercise their right to access their health data. Only by understanding HIPAA Rules on patient PHI access rights – and ensuring HIPAA Rules are followed – will healthcare providers be able to ensure that their patients enjoy the benefits that come from them taking a more active role in their healthcare.

The post AHIMA Published New Resource Confirming Patients PHI Access Rights under HIPAA appeared first on HIPAA Journal.