OCR levies another access penalty


Last year the Office for Civil Rights (OCR) announced that it would place particular emphasis on enforcing the HIPAA right of access provisions against providers. Twelve violations later, they continue to make their point: if your patient requests their records, you had better respond promptly. OCR is serious about enforcing patient rights.

Under 45 CFR § 164.524 of the HIPAA Privacy Rule, patients have a right to their medical records. There are several provisions within this section that detail patient rights and your obligations as a provider. One such provision concerns whether the patient must make the request in writing. If this is your policy, and you don’t notify your patient in advance that this is your policy, that could be a violation. Your Notice of Privacy Practices is a good place to state your policy on this.

Another provision is how much time you have to respond. The federal law allows a provider 30 days to respond to the patient’s request. However, many states have shorter timeframes. In California, for example, the required response time is 5 days. Note that this is not how much time you have to provide the records, but rather to respond to the request. Keep in mind, if you don’t provide the records within that window, you could be held accountable for a timeliness violation and find yourself in the headlines. 

This recent penalty is a reminder that despite the chaos and uncertainty we are all experiencing, there are still laws we need to abide by, or our situation could be made worse.

Finally, be on the lookout for Black Friday and other holiday-related phishing email attempts. For example, emails that appear to come from a retailer but have a spoofed sender name are common right now.

Happy Thanksgiving to everyone. I hope you’re all able to enjoy time with loved ones over the next few days. 

If you have any questions or if you are concerned about your organization’s cybersecurity, give us a call at (800) 970-0402. We’ll be happy to help.

For more HIPAA information, download our ebook – The Ultimate HIPAA Compliance Handbook.

The HIPAA Security Rule requires the implementation of a security awareness and training program for all members of the workforce (including management). Have your team sign up for the weekly HIPAA Security Reminder to help stay compliant.