Twenty-Five Fines and Counting


Since 2019, the Office for Civil Rights (OCR), the HIPAA enforcement arm of the Department of Health and Human Services, has been taking enforcement action over violations of patients’ right to timely access to their medical records. Most recently, it levied five fines against various organizations for violations of patients’ rights. These fines included a $100,000 fine against a solo practitioner. As we have stated before, right of access violations are no joke – and they can occur very easily.

The most important thing to know is that providers have a deadline by which to respond to a patient’s request for records. It gets more complicated when you factor in that states often have shorter deadlines. Also, it’s not just that you have to comply; you also have to be able to convey the information in the format requested.

By now, most healthcare organizations are prepared for this. However, the fines occur when in-place processes fail, and sadly, they fail often.

We encourage you to review your records request process and shore up any weak links. We recommend having redundancy in the process to eliminate a single point of failure. If one employee is absent, those requests need to be visible and actionable for others.

We haven’t heard a lot from OCR regarding HIPAA enforcement since the start of COVID, but these fines are a reminder that the wheels are still turning and you can’t allow yourself to slack on the rules.

On that same note, if you haven’t completed a security risk assessment this year, it’s not too late. Maintain your compliance while you still can by giving us a call.

Have a successful week.