Shift in OCR HIPAA enforcement focus?

10.31.19
In a recent conference hosted by the Office of Civil Rights for HHS, Director Roger Severino expressed OCR’s intent to vigorously enforce patient rights. Director Severino also commented on OCR’s active role in promoting healthcare initiatives such as the regulatory sprint to coordinated care.
This divergence from traditional HIPAA privacy and security enforcement, and the use of its enforcement authority to advance federal healthcare initiatives, are confirmed by two of OCR’s recent actions.
In early September, OCR announced its settlement with Bayfront Health St. Petersburg for $85,000 and corrective action with one year of monitoring by OCR. A HIPAA complaint alleging failure to provide timely and complete access to records triggered the investigation. “Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law,” Severino said in the release. “We aim to hold the health care industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.”
HIPAA prohibits retaliation against patients who file complaints with OCR and the Affordable Care Act prohibits discrimination in access to healthcare. On October 30, OCR announced a resolution reached with Florida Orthopaedic Institute arising from an HHS complaint filed against the surgery provider based on the provider’s cancellation of surgery because of the patient’s HIV positive status and subsequent dismissal of the patient from the practice after it received notification of the patient’s complaint filed with HHS. Enforcement included multiple corrective actions encompassing HIPAA and the ACA non-discrimination requirements. This is an example of OCR’s commitment to promoting the full implementation of the National HIV/AIDS Strategy and the President's HIV Initiative. "Patients with HIV have the right to nondiscriminatory health care which includes the right to file complaints with OCR without fear of retaliation," Severino said.
However, this additional focus should not be considered a retreat from OCR’s privacy and security enforcement activity. In late October, OCR imposed a civil money penalty of $2.15 million against Jackson Health System based on “a HIPAA compliance program that had been in disarray for a number of years.” This is one of only a handful of civil money penalties imposed by OCR since 2003.
These enforcement actions highlight the need to assess additional areas of compliance that may have been pushed aside in our reach for better cybersecurity protections:
- Does your organization have policies and procedures addressing patients’ rights to access their records in accordance with HIPAA?
- Does your organization have a non-discrimination policy that prohibits retaliation against patients and addresses requirements under Section 1557 of the ACA?
- Does your organization have patient dismissal policies that protect against discrimination?
- Does your organization provide training to its employees addressing these specific policies?
- Have you conducted a HIPAA gap analysis to identify potential areas for compliance improvement?
- And as always at the top of the OCR’s list, is your Security Risk Analysis comprehensive, enterprise-wide and updated with changes in the organization and information technology environment?