Patient's Rights to Access. $115,000 penalty. Let's talk HIPAA.
Danielle Kelley, MSW, MSJ candidate
Mental health regulatory compliance. Speciality: 5150.
Case: Ambulance company was given a written request for medical and billing records. Company ignored request for over 200 days. Reason: patient had an outstanding account balance. A complaint was filed with Dept. of HHS’ Office of Civil Rights for a possible HIPAA violation. The requested records were finally provided 370 days after the initial request was submitted.
Office of Civil Rights issued a fine of $115,000.
4 important points you should consider:
1. Any company that directly provides or contracts with a medical provider is a HIPAA covered entity if that company collects, stores, or uses PHI (protected health information). Ambulance companies are HIPAA covered entities.
2. HIPAA applies to personal medical information as well as billing information. Billing and payment information become PHI when it’s possible to link it to an individual by one of 18 identifiers. Identifiers include demographic information, like name, address, date of birth, and Social Security number, as well as health plan information, practice account numbers, and medical records. PHI can also include serial numbers and other identifiers on medical devices, photos, IP addresses, and fingerprints (45 CFR 164.502 (b), 164.514 (d), and 164.522).
3. The HIPAA Right of Access is an important provision of the HIPAA Privacy Rule and requires patients to be provided with a copy of their records, on request, within 30 days of submitting that request. In certain circumstances, a 30-day extension is permitted.
HIPAA Right to Access is defined at 45 CFR 164.501.
Also, a medical provider cannot deny a patient a copy of their medical records because they have not paid for the services received.
4. State Attorneys General can also impose financial penalties on HIPAA-covered entities and business associates for violations of the HIPAA Rules. Alternatively, financial penalties can be imposed if a breach of ePHI violates state laws.
This is an actual case from the Office of Civil Rights (OCR). OCR’s investigation determined that there had been a violation of the HIPAA Right of Access. Result: $115,200 civil monetary penalty to the HHS’ Office for Civil Rights (OCR). OCR’s penalty amount was calculated on a daily basis from December 1, 2018, to February 28, 2019. The daily penalty was based on the date of the original request to the date the medical/billing records were received.