HIPAA Survival Guide Newsletter, February 2021

HIPAA Enforcement is Alive & Well

Introduction

Of all the things that bring joy to Compliance Officers, this isn't one of them. This article describes one of many incidents in which HHS has resumed imposing Civil Monetary Penalties. Penalties have involved issues such as Access to Records, Authorizations, Confidential Communications, and Impermissible Uses and Disclosures of protected health information. The subject of this article is Banner Health (“BH”) of Phoenix, Arizona, which HHS penalized for delaying access to medical records after valid requests.

This case began in 2018 when HHS received a complaint from an attorney on behalf of a client who had requested access to their medical records. Banner Medical Center took 6 months to provide the records. In another case at BH, a patient requested an e-copy of their medical records, which also took 6 months to reach the patient. There’s no doubt that, by delaying patient records after valid requests, BH failed to provide timely access to the requested records.

Consequently, HHS opened an investigation that lasted from Feb 2019 to Mar 2020 and ultimately imposed a $200,000 penalty with a Corrective Action Plan (“CAP”). The term of the CAP does not end until HHS notifies BH that it has determined that the breach has been cured.

What did the CAP include?

Of course, the CAP begins with the requirement that BH review and revise (as necessary) its policies, procedures, and other communications, including its “Patient Request for Records” policy. BH was also required to provide such policies and procedures to HHS within sixty (60) days of the Effective Date for review and approval. Subsequently, BH needed to implement these policies within thirty (30) days of approval.

In addition, BH needed to provide HHS with its training materials for approval and to update training to reflect changes in Federal law or HHS guidance, including any issues discovered during audits. BH also had to apply appropriate sanctions against BH workforce members who failed to comply with these policies and procedures. If BH determined that a member of its workforce failed to comply, BH was required to notify HHS in writing within thirty (30) days. When workforce sanctions were applied for lack of adherence to policies and procedures, BH had to provide HHS with a complete description of the event, the persons involved, the policies and procedures implicated, and a description of the actions taken to address the matter.

The Law

The interim final rule regarding enforcement, published on Oct. 30, 2009, in the Federal Register, uses the same language as the previous enforcement rule, stating: “Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.”

Sec. 13410. Improved Enforcement. Noncompliance due to Willful Neglect. An investigation is required: there will be a formal examination of any complaint of a violation when the facts of the complaint indicate that the violation was due to willful neglect.

Moreover, “Not later than 3 years after the date of the enactment of this title, the Secretary shall establish by regulation and based on the recommendations submitted under paragraph (2), a methodology under which an individual who is harmed by an act that constitutes an offense referred to in paragraph (1) may receive a percentage of any civil monetary penalty or monetary settlement collected with respect to such offense.”

In summary, BH is required to maintain for inspection and copying, and provide to HHS upon request, all documents and records relating to compliance with this CAP for six (6) years from the Effective Date. Most organizations do not have processes in place to handle these types of requests from patients: Access to PHI, Modification of PHI, Disclosure of PHI. Unfortunately, an organization as large as BH was unable to comply and suffered the consequences.