The Industry’s Only SaaS-Delivered Enterprise DLP

Our unique approach to DLP allows for quick deployment and on-demand scalability, while providing full data visibility and no-compromise protection.

No-Compromise Data Protection is:

  • Cloud-Delivered
  • Cross Platform
  • Flexible Controls
DATAINSIDER

Digital Guardian's Blog

Five Health Providers Held Accountable for Violating HIPAA Right of Access

by Chris Brook on Thursday December 2, 2021

Contact Us
Free Demo
Chat

OCR has shown that its serious about patients being able to access their healthcare records – recently levied penalties serve as a reminder for organizations to know where PHI is at all times.

The Office for Civil Rights (OCR) at the United States Department of Health and Human Services (HHS) continues to levy financial penalties on healthcare organizations that fail to comply with its initiatives.

Healthcare facilities, doctors, and physicians have to comply with Federal healthcare laws and regulations, like the Health Insurance Portability and Accountability Act (HIPAA) or risk being imposed a civil money penalty.

HHS’ latest penalties involve HIPAA’s Right of Access Initiative. The HHS began enforcing its Privacy Rule back in 2003 for most HIPAA covered entities but didn’t begin enforcing its Right of Access Initiative, which supports a patient to timely access their health records at a reasonable cost, until 2019. Entities that violate the provision are usually culpable if it takes them longer than 30 days to send along health records or if they charge an exorbitant fee.

OCR announced on Tuesday that it settled with five offices, bringing the total number of HIPAA Right of Access enforcement actions up to 25.

Collectively, the organizations, which range from an eyecare center to a primary care physician office, were fined $332,100.

The most egregious violation appears to be against a New York-based cardiovascular disease and internal medicine doctor that was fined $100,000 after not sending requested records to a patient despite several requests from 2013 to 2017. The patient that requested their records still hadn't received them by March 2018 and the doctor in charge of the office failed to respond to letter and phone inquiries, forcing the federal government to impose the lofty penalty.

In at least four of the five incidents, the covered entity will be required to take corrective action to further prevent any HIPAA Right of Access violations.

While different from HIPAA Right of Access complaints, OCR typically sees the following five issues in complaints alleging a violation of its Privacy, Security, and Breach Notification Rules:

  • Impermissible uses and disclosures of protected health information;
  • Lack of safeguards of protected health information;
  • Lack of patient access to their protected health information;
  • Lack of administrative safeguards of electronic protected health information; and
  • Use or disclosure of more than the minimum necessary protected health information.

Implementing fixes for many of these - ensuring PHI is safeguarded, that it's not improperly disclosed, etc. - can go a long way in ensuring the HIPAA Right of Access Initiative, not to mention HIPAA itself, isn’t violated later down the line.

The settlements are yet another reminder for healthcare organizations to know where their patients’ data, especially protected health information, is at all times. While every organization's access policies and procedures vary, it’s critical to ensure data – wherever its stored - computers, servers, and storage devices – is classified, encrypted, and protected. I can help ensure an organization is in compliance with HIPAA too.

Tags: Healthcare

Recommended Resources


  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business
  • How to simplify the classification process
  • Why classification is important to your firm's security
  • How automation can expedite data classification

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.