
5 More Patient’s Rights Cases – Ep 335 

 December 17, 2021

By  Donna Grindle

Patient Right of Access

OCR has released resolutions to five cases in its HIPAA Patient Right of Access Initiative. This brings the total cases to 25 since the initiative began. These cases continue to underscore the importance of this initiative.



Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT



HIPAA Say What!?!

[07:20] Here is a case that I found that involves insider threats of a supply chain vendor, Ubiquiti. Let’s just say, you cannot assume everything will be ok.

Ubiquiti is a company that creates routers, switches, WiFi access points, video cameras and other equipment that you can connect to your network. Well, a former employee of Ubiquiti, Nicholas Sharp, was arrested and charged with data theft and attempting to extort his employer while posing as a whistleblower and an anonymous hacker.

Former Ubiquiti dev charged for trying to extort his employer

Posing as an “anonymous hacker,” Sharp stole gigabytes of confidential data from Ubiquiti and then set a $2 million ransom demand to not release the data. The FBI searched his home, and it was discovered that the VPN connection he was using to hide from detection had dropped, exposing his home IP address. The company had found a way to recover their data from this “anonymous hacking” attempt anyway, so they didn’t have to pay the money. Sharp then called the media as a whistleblower, saying that the company downplayed the incident that was clearly a malicious attack.

As a result of this incident and all the misleading articles, Ubiquiti stock dropped 20%, a $4 billion drop in market capitalization. Sharp is being charged with 4 counts and faces a 37 year prison sentence.

There are a few points to be taken from this incident. Insiders are a threat. They could be after money or want revenge because they are disgruntled in some way. Also, you should not assume this would never happen to one of your supply chain vendors. And, finally, you can be smart and stupid at the same time.

5 More Patient’s Rights Cases

[18:09] HHS and OCR have released 5 more patient right of access cases, which makes it a total of 25 cases so far. The core reason HIPAA exists is to protect patients’ rights. The Privacy Rule is about patient care and providing patients with access to their medical records. OCR created this initiative under the HIPAA Privacy Rule to support individuals’ right to timely access to their health records at a reasonable cost.

And here we have the first release from the new OCR Director, Lisa J Pino.

Five enforcement actions hold healthcare providers accountable for HIPAA Right of Access

“Timely access to your health records is a powerful tool in staying healthy, patient privacy and it is your right under law. OCR will continue its enforcement actions by holding covered entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed.”

OCR Director Lisa J. Pino

The net of the Patient Right of Access Initiative is that after a practice receives a request for medical records from a patient, the practice, absent an extension, has 30 days to provide the patient with their records in a timely manner.

Let’s look at the 5 new cases released.

ASPM – Advanced Spine & Pain Management – $32,150 – 2 year CAP

[21:48] A patient alleged that ASPM failed to provide him with timely access to his protected health information (PHI). HHS’s investigation found that on November 25, 2019, the patient submitted to ASPM, in person, a written request seeking access to his PHI. ASPM acknowledged it received the patient’s request on the same date. ASPM did not send the patient a copy of his PHI until March 19, 2020.

HHS expects practices to provide records in a timely manner once a request has been received. The settlement amount of $32,150 is not a drop in the bucket compared to the effort that they’ll have to put into their two year CAP.

Denver Retina Center – $30,000 – 2 year CAP

[23:40] A patient alleged that she requested her medical records from DRC in December 2018. The patient also stated that she had filed a previous complaint with HHS on March 11, 2018, (HHS Transaction Number 19-335955) which was closed by providing technical assistance to DRC. HHS received evidence of the patient’s request for access from DRC, dated January 2, 2019.

HHS notified DRC of its investigation in a letter, dated July 18, 2019. In its response, DRC admitted it was aware of the patient’s request and it was late in responding to her, but DRC never confirmed the date of the patient’s request. DRC provided evidence that it sent via FedEx the medical records on July 26, 2019, to the patient. In addition, after reviewing DRC’s policies and procedures, HHS concluded that it did not have compliant access policies and procedures under the Privacy Rule.

So, you think that creating policies and procedures that they are supposed to have is a part of their 2 year CAP? I think so.

Dr. Robert Glaser – Notice of Proposed Determination and Notice of Final Determination – $100,000

[26:57] A cardiovascular disease and internal medicine doctor in New Hyde Park, NY, did not cooperate with OCR’s investigation or respond to OCR’s data requests after failing to provide a patient with a copy of their medical record. They flat out denied the patient access to their own records and refused to cooperate with OCR. Dr. Glaser waived his right to a hearing and did not contest the findings of OCR’s Notice of Proposed Determination. Accordingly, OCR closed this case by issuing a civil money penalty of $100,000.

I don’t think we will have heard the last of this case. It seems likely that this practice, or the physician, will simply ignore the civil money penalty too. This is not only a case involving a HIPAA violation, but it is also ignoring federal oversight and violates the information blocking rules. Stay tuned.

Monte Nido – Rainrock Treatment Center, LLC dba Monte Nido Rainrock – $160,000 – 1 year CAP

[39:08] A licensed provider of residential eating disorder treatment services in Eugene, OR, has taken corrective actions including one year of monitoring and has paid OCR $160,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.

On December 4, 2019, January 28, 2020, and February 20, 2020, OCR received complaints against Monte Nido from a patient. The patient alleged that Monte Nido failed to provide her with a copy of her medical records in response to her October 1, 2019 and November 21, 2019 access requests. The Covered Entity did not send the requested records until May 22, 2020.

We haven’t seen a 1 year CAP in a long time. Seems like maybe the practice realized their mistake and were taking corrective actions on their own. So, maybe OCR is giving them a break, but they will want to see the fruits of their labor in 1 year.

Wake Health Medical Group – $10,000 – 2 year CAP

[42:22] On December 19, 2020, OCR received a complaint alleging that Wake Health Medical Group had not provided a patient with a copy of her medical records despite making a request in person on June 27, 2019, and paying a fee of $25 for the records. During the course of the investigation, OCR learned via a phone call on April 15, 2021 with the Receptionist at Wake Health Medical Group that Wake Health Medical Group charges its patients a flat fee of $25 for a copy of their medical records. To date, Wake Health Medical Group has failed to provide the patient with a copy of her medical records.

First, you cannot charge a flat fee of $25 for a copy of medical records without proving how you came up with that amount. At the top of Wake’s CAP it says that they need to revise and identify the method for calculating a reasonable, cost-based fee for access to PHI. It gives them the details of what they’re supposed to do and how they do it right in the CAP.

Keep in mind that the patient is at the center of these Patient Right of Access problems. Do the right thing for your patient. Don’t completely ignore the enforcers that are technically representing the patient. They are trying to do their job in representing the patient and making sure the patient gets the records they request.


HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.

 
