Shift in OCR HIPAA enforcement focus?
Oct 31, 2019
At a recent conference hosted by the Office of Civil Rights for HHS, Director Roger Severino expressed OCR’s intent to vigorously enforce patient rights. Director Severino also commented on OCR’s active role in promoting healthcare initiatives such as the regulatory sprint to coordinated care.
This divergence from traditional HIPAA privacy and security enforcement and the use of its enforcement authority to advance federal healthcare initiatives are confirmed by 2 of OCR’s recent actions.
In early September, OCR announced its settlement with Bayfront Health St. Petersburg for $85,000 and corrective action with one year of monitoring by OCR. A HIPAA complaint alleging failure to provide timely and complete access to records triggered the investigation. “Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law,” Severino said in the release. “We aim to hold the health care industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.”
HIPAA prohibits retaliation against patients who file complaints with OCR, and the Affordable Care Act prohibits discrimination in access to healthcare. On October 30, OCR announced a resolution reached with Florida Orthopaedic Institute arising from an HHS complaint filed against the surgery provider. The complaint was based on the provider’s cancellation of surgery because of the patient’s HIV-positive status and its subsequent dismissal of the patient from the practice after it received notification of the patient’s complaint filed with HHS. Enforcement included multiple corrective actions encompassing HIPAA and the ACA non-discrimination requirements. This is an example of OCR’s commitment to promoting the full implementation of the National HIV/AIDS Strategy and the President's HIV Initiative. "Patients with HIV have the right to nondiscriminatory health care which includes the right to file complaints with OCR without fear of retaliation," Severino said.
However, this additional focus should not be considered a retreat from OCR’s privacy and security enforcement activity. In late October, OCR imposed a civil money penalty of $2.15 million against Jackson Health System based on “a HIPAA compliance program that had been in disarray for a number of years.” This is one of only a handful of civil money penalties imposed by OCR since 2003.
These enforcement actions highlight the need to assess additional areas of compliance that may have been pushed aside in our reach for better cybersecurity protections: