In 2019, the OCR launched the Right of Access Initiative “to support individuals’ right to timely access their health records at a reasonable cost under the HIPAA Privacy rule.” Since the initiative launched, there have been 27 investigations and settlements. OCR remains committed to enforcing HIPAA and will continue to fine entities that are found to be in violation.
If you are not familiar with the Right of Access Rule, it’s time to get familiar with it. Learn more here: https://www.tldsystems.com/understanding-hipaa-right-access-rule.
One of these recent investigations, against Jacob & Associates, originated from a patient’s complaints. Patients now have the resources to hold their providers accountable for ensuring that their rights under HIPAA are being met. This patient requested access to her patient records annually from 2013 to 2018. She was initially given an incomplete copy of her records and then, in 2019, was finally given a full copy of her records at a flat fee that was not cost-based. Furthermore, Jacob & Associates was penalized for not having a designated privacy officer and for an insufficient Notice of Privacy Practices. (https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/jacob-associates/index.html)
It is time to recognize that mistakes made years ago can still be audited and cost your office tens of thousands of dollars (in this case $28,000).
To emphasize it again, this investigation was triggered by a patient’s complaint. Under HIPAA your office should have a privacy officer. Whether you are a large healthcare organization or a solo practitioner, there must be a designated Privacy Officer. All staff must know who the Privacy Officer is. It is ideal for the Privacy Officer to be well-spoken so that they can respond to patients’ inquiries or concerns. Your office needs a HIPAA Privacy Manual that details how the office is maintaining patient records according to their rights under the Privacy Rule. The Privacy Manual should also include the Notice of Privacy Practices. Your Notice of Privacy Practices needs to be provided to each patient upon request and on your office’s website (if your office has a website).
It is time to act. Designate a Privacy Officer and make sure all members of your staff know who that person is. Review your office’s documentation to ensure you have a sufficient Privacy Manual and Notice of Privacy Practices.
Not familiar with these items in your office? Contact TLD Systems at (631) 403 6687 or info@tldsystems.com. Within the program, we identify the Privacy Officer and provide trainings and support to help you avoid patients triggering an audit. You also have access to documents and resources that include an up-to-date Privacy Manual and NOPP.