HIPAA Blog

[ Monday, October 12, 2020 ]

 

More OCR fines for failure to provide access: As I noted earlier, OCR has been on a tear lately, fining covered entities for failing to grant patients access to their PHI.  Last week, they announced their eighth access-related settlement this year, with Phoenix-based Dignity Health's St. Joseph Hospital paying a $160,000 fine.

In addition to laying down rules on when PHI can be used or disclosed, and rules on how PHI must be secured, HIPAA also grants individuals 6 specific rights with respect to covered entities.  While the right to receive a Notice of Privacy Practices is really the most important (it's the disclosure of the rules of the road that the covered entity will abide by), the second most important is probably access.  With a few carefully-carved exceptions, patients have the right to access their PHI if it's held by a covered entity.  The covered entity may have the right to own and control its own business records, but the information contained in those records also belongs to the patient.  Covered entities who jealously guard the information and "block" it from being obtained when needed might also have issues under the recent data-blocking rules.  More to come on that front. . . . 


UPDATE: Number 9: NY Spine Medicine pays $100,000 fine for failure to provide a patient with timely access to her medical records.  These are substantial fines for doing what are pretty stupid things.  

UPDATED again to fix the link


Jeff [9:31 AM]

Comments: Post a Comment
http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template