Did Procrastination Play a Part in HIPAA Privacy Breach?

We often see headlines about breaches of the HIPAA Security Rule, commonly for failures to adequately either (1) conduct & implement a Security Risk Assessment; or (2) protect electronic PHI.  The case of Bayfront Medical Center (“Bayfront”) however, reminds us that a covered entity must comply with HIPAA Privacy Rules too; in Bayfront’s case, entities must timely provide patients a copy of their medical records (and at reasonable cost) pursuant to 45 CFR § 164.524. Failure to do so cost Bayfront $85,000 plus the requirement to implement a corrective action plan (“CAP”).

On September 9^th, the Office for Civil Rights (“OCR”), the enforcement arm of the U.S. Department of Health and Human Services, announced its first settlement[1] with Bayfront, who breached “Right of Access” regulations. These regulations have been a 2019 focal point for OCR since they announced their intent to “vigorously” enforce patients’ rights to receive copies of their medical records in a timely manner. Bayfront’s case may be the first in a line of enforcement actions against covered entities (and their business associates!) for failure to abide by HIPAA’s Privacy guidelines respecting records access.

Generally, HIPAA requires a covered entity to provide medical records within thirty days of a request. Bayfront (a HIPAA “covered entity”), however, did not provide documents for nearly ten months. Bayfront’s CAP includes the following:

• Bayfront “must develop, maintain, and revise its policies and procedures (“P&P”) to comply with access provisions of the Privacy Rule.”
• The P&P must address Bayfront’s:
  • “designated record set policy;
  • training protocols;
  • sanctions against workforce personnel who fail to comply with the policies and procedures;
  • a process to review business associate performance regarding access requests and consequences for noncompliance;
  • and designation of an individual responsible for ensuring that business associate contracts are properly executed.”
• Once HHS approves, the P&P must be distributed to the workforce, who must certify that they have read, understand, and will follow policies.
• Bayfront’s training materials are subject to HHS review as well; and
• Bayfront workforce must receive training by specified deadlines.

It’s likely OCR will continue to focus on patients’ access rights in the near future; to learn more about your role as a covered entity or business associate, please join ComplianceDashboard’s free webinar next month to learn essential elements of the HIPAA Privacy Rule. Two additional webinars in November and December will follow reviewing the HIPPA Security Rule and Business Associate Agreements.

[1] The settlement agreement outlines the following: (1) the written request consisted of fetal heart monitor records (“Records”); (2) Bayfront first said Records could not be found; (3) the mother then secured counsel who again requested the Records; (4) Bayfront provided to counsel incomplete Records; (5) as a result of OCR’s investigation, Bayfront directly provided the mother with Records.