by Rowan Report | Mar 31, 2025 | Admin, Clinical, HIPAA
by Devin Paullin, CGO at Skyscape Buzz
Ensuring HIPAA Compliance
Communications Requiring HIPAA Compliance
Patient communication requires HIPAA adherence, but so does any discussion of PHI between other parties. Essentially, any time PHI is discussed, a degree of confidentiality must be involved. For example, the Health Insurance Portability and Accountability Act (HIPAA) requires that sensitive patient data be protected when shared or discussed among:
- Healthcare Providers and Patients: Any time a caregiver, staff member, doctor, nurse, or any other employee communicates with a patient, resident, or client outside of face-to-face meetings, it must be done securely in a way that meets HIPAA standards.
- Healthcare Professionals Among Themselves: HIPAA compliance must be met when healthcare professionals discuss PHI within their department or collaborate with external departments.
- Healthcare Providers and Insurance Companies: Insurance providers require patient details and sensitive PHI. Still, any channel over which that information could be intercepted must be fully compliant with HIPAA standards.
- Healthcare Organizations and Third-Party Associates: Third parties that need to handle PHI (e.g., IT consultants, collections agencies, or other vendors) must do so in a way that protects patient data. To safeguard communication, healthcare organizations should ask outside associates, vendors, or agencies to sign a business associate agreement (BAA) and/or Data Processing Agreement (DPA). This is a formal agreement to comply with HIPAA standards and ensure accountability.
- Healthcare Organizations and Public Health Authorities: Some diseases or conditions require healthcare professionals to report to public health authorities (e.g., COVID-19 information during the pandemic). This communication requires stringent security measures and protection of PHI.
Why HIPAA Compliance Matters
In healthcare, effective communication is essential for providing high-quality care. However, without HIPAA compliance, the risk of data breaches increases. Implementing secure, HIPAA-compliant communication systems ensures the protection of Protected Health Information (PHI) while improving overall operational efficiency.
Key Benefits of HIPAA-Compliant Communication
- Protects Patient Privacy and Data Security: HIPAA-compliant platforms use advanced encryption and access controls to prevent unauthorized access. This protects patient information, including medical histories, diagnoses, and test results.
- Enhances Communication Efficiency: Secure messaging platforms streamline communication between patients, caregivers, and healthcare providers. These tools replace inefficient methods like phone calls and ensure real-time communication.
- Strengthens Collaborative Care: Providing high-quality healthcare often involves a team of professionals working together. Whether it is a hospital placing a patient in rehabilitation or home care, or coordinating with the intake team, care team, and providers, collaboration is key. HIPAA-compliant communication tools allow these professionals to securely share critical patient information, ensuring everyone has the details they need to deliver cohesive, well-informed care.
- Reduces Legal and Financial Risks: Compliance with HIPAA regulations minimizes the risk of violations, protecting organizations from hefty fines and legal repercussions.
- Maintains Patient Trust: Patients are more likely to engage openly with healthcare providers when they feel confident that their sensitive information is protected.
How to Ensure HIPAA Compliance in Communication
To comply with HIPAA regulations, healthcare organizations should adopt the following secure communication methods:
- Encrypted Emails: Ensure emails containing PHI are encrypted and, in some cases, require patient consent.
- Secure Messaging Platforms: Use platforms specifically designed for HIPAA compliance for text-based communication.
- HIPAA-Compliant Voice Calls and Telehealth: Ensure voice and video communication channels are encrypted and secure.
- Patient Portals: Provide secure portals with two-factor authentication for patients to access their medical information.
- Secure File Sharing: Use encrypted systems for sharing patient documents and medical records.
Implementing HIPAA-Compliant Communication Platforms
Adopting a HIPAA-compliant communication platform requires a thorough evaluation of existing systems and policies. Organizations should consider the following steps:
- Conduct a Communication Audit: Identify all channels currently used for healthcare communication and assess their compliance.
- Choose a Secure Platform: Select an all-in-one communication solution designed to meet HIPAA standards.
- Establish Access Controls: Implement role-based access to ensure only authorized personnel can view PHI.
- Provide Staff Training: Educate employees on the importance of HIPAA compliance and how to use secure communication tools.
- Monitor and Evaluate: Regularly assess communication practices to identify and address vulnerabilities.
HIPAA-compliant communication is not just a legal obligation—it’s a commitment to patient privacy, security, and high-quality care. By implementing secure communication platforms, healthcare organizations can enhance efficiency, foster trust, and reduce the risk of data breaches. Investing in compliance is an investment in the long-term success and reputation of your organization.
Devin Paullin is an award-winning innovator and executive in Healthcare Technology, having developed successful products, solutions, and partnerships in Life Sciences, Post-Acute Care, SDOH, and Long-Term industries.
He is currently Chief Growth Officer for Skyscape which provides Buzz, an all-in-one, real-time HIPAA-compliant clinical collaboration and communication platform that enables the entire staff (admins, operations, clinicians, caregivers, partners, patients, and families) with the tools to communicate securely, easily, in groups or one to one, and affordable, by any mode they choose. Visit Buzz or contact them to learn more about Buzz by Skyscape today.
©2024 by The Rowan Report, Peoria, AZ. All rights reserved. This article originally appeared in Healthcare at Home: The Rowan Report. One copy may be printed for personal use: further reproduction by permission only. editor@therowanreport.com
by Rowan Report | Mar 21, 2025 | Clinical, HIPAA, Regulatory
by Devin Paullin, Skyscape
The Critical Importance of HIPAA Compliance in Home Healthcare Communication
The Rise of Messaging Apps and Healthcare Communication
Nearly 44% of the global population (3.5 billion people) relies on messaging apps to communicate. Unfortunately, available consumer SMS, text, and even “secure” messaging apps like WhatsApp, Apple Messages, or Google Messages do not come with the safety and security features specifically required to be compliant in the healthcare industry.
Still, consumer SMS apps are quite often used for healthcare communication in which Protected Health Information (PHI) is shared, and many individuals don’t understand the level of risk or that this is a violation of the law.
HIPAA Compliance in Communication Advantages
Group and individual texting is a proven, timesaving, real-time communication tool in healthcare, and it must be done through a HIPAA-compliant messaging platform. Secure platforms can improve privacy and security while maintaining compliance in such a sensitive industry.
There are many reasons why HIPAA compliance is vital for secure communication in home healthcare.
HIPAA Compliance in Communication - Not Just for Doctors and Nurses
HIPAA compliance is not just for medical clinics and hospitals. HIPAA compliance extends to all types of services that hold healthcare information. Physical Therapy, Personal Care, Home Health, Wellness, Behavioral Health, Assisted Living, and many more all fall under HIPAA. Most importantly, ALL providers, staff members (full or part-time), contractors, and third-party partners who come in contact with PHI are subject to HIPAA law, violations, and fines.
We're too Small for Violations to be Noticed, Though
Wrong. We regularly speak to many owners and staff members of large and small Home Health Care, Assisted Living, Hospice and Palliative, Mobile Imaging, PT and Rehabilitation, and Behavioral Health across the country. Many openly operate under the false assumption that their business is too small to be noticed by the U.S. Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR), which is responsible for enforcing the HIPAA Privacy and Security Rules. That is not how it works.
Complaints logged by those within or close to your business alert the OCR to possible HIPAA violations. These can be from current and former staff, patients, clients, business partners, or anyone who claims to have witnessed a HIPAA breach. This can include disgruntled employees and whistleblowers. Even for companies that are HIPAA compliant, any breach is to be reported by an employee assigned as the security officer.
HIPAA Compliance in Home Healthcare by Type
HIPAA mandates compliance for all communications involving PHI. Some key examples include:
- Provider-to-Patient Communication: Secure platforms are necessary when caregivers contact patients outside of in-person visits.
- Provider-to-Provider Communication: Sharing PHI within or between departments must meet HIPAA standards.
- Provider-to-Insurance Communication: Insurance companies require sensitive patient data, which must be securely transmitted.
- Provider-to-Third-Party Communication: Any third-party associates handling PHI must have a signed Business Associate Agreement (BAA) and adhere to HIPAA regulations.
- Provider-to-Public Health Authorities: Reporting communicable diseases or pandemics requires secure communication.
Consequence of HIPAA Violations
HIPAA violations can have severe consequences, including:
- Financial Penalties: Fines range from $100 to $50,000 per violation, depending on the level of negligence.
- Reputational Damage: Data breaches erode patient trust, leading to a damaged reputation.
- Legal Consequences: In cases of willful neglect, organizations may face lawsuits or criminal charges.
Understanding and adhering to HIPAA regulations is crucial in home healthcare. Compliance not only safeguards sensitive information but also strengthens patient trust and ensures ethical operations.
by Rowan Report | Jan 9, 2025 | CMS, Partner News, Regulatory
HHS OCR Proposes Updates to the HIPAA Security Rule to Respond to Emerging Threats
by Paul F. Schmeltzer and John F. Howard, Clark Hill PLC
On Dec. 27, the Department of Health and Human Services (HHS) issued proposed updates to the HIPAA Security Rule to address evolving cybersecurity threats in healthcare. Introduced through a Notice of Proposed Rulemaking (NPRM) by the Office for Civil Rights (OCR), the substantial updates aim to enhance the protection of electronic protected health information (ePHI) while aligning the two-decade-old regulations with current technological advancements. These changes are especially crucial in a healthcare environment increasingly reliant on electronic health records (EHRs), online patient portals, telehealth platforms, and interconnected medical devices.
Since its adoption in 2003, the HIPAA Security Rule has served as the foundation for safeguarding ePHI. However, the healthcare landscape has changed dramatically with the rise of cyber threats like ransomware, phishing attacks, and hacking incidents that result in data breaches. OCR’s investigations into HIPAA compliance across the healthcare industry have also revealed significant inconsistencies, underscoring the need for updated regulations that provide clarity and enforceability.
Revisiting “Addressable” vs. “Required” Specifications
Among the most significant aspects of the proposed changes in the NPRM is the reconsideration of the distinction between “required” and “addressable” implementation specifications, a hallmark of the original Security Rule that has often caused confusion. Required specifications must be implemented as outlined, with no exceptions. Addressable specifications, on the other hand, give entities the flexibility to evaluate their feasibility and adopt alternative measures if implementing the original specification is deemed unreasonable or inappropriate. Small and mid-sized HIPAA-covered entities have often relied on this flexibility in their compliance efforts.
The NPRM proposes eliminating the concept of “addressable” implementation specifications and making all implementation specifications required, with limited exceptions. This includes reclassifying encryption of ePHI at rest and in transit as a required specification, reflecting its essential role in mitigating cyber risks and its widespread availability. Previously, entities could justify not using encryption if they documented their rationale and implemented alternative measures. The proposed change eliminates this flexibility, simplifying compliance expectations and reinforcing encryption as a baseline safeguard for ePHI. This same change would follow for other specifications under the rule, highlighting OCR’s desire to strengthen and simplify the Security Rule.
Strengthened Administrative Safeguards
The NPRM introduces several enhancements to administrative safeguards to address modern security risks. Comprehensive risk analysis remains a cornerstone of HIPAA compliance, but the proposed updates add specificity to these requirements. Entities will be required to maintain a detailed inventory of all technology assets that interact with ePHI and map how ePHI flows within their systems. This mapping ensures visibility into where sensitive data resides and how it is accessed, helping organizations proactively identify and address vulnerabilities. The inventory and map would then be required to be reviewed every 12 months as part of an entity’s risk assessment and risk management processes.
Incident response planning is also emphasized. Entities must develop robust written plans that include protocols for detecting, containing, and recovering from cyberattacks or breaches. These plans should be regularly updated to align with emerging threats and best practices. Workforce training requirements are also expanded under the NPRM, with a focus on providing comprehensive and role-specific education. These programs must address unique vulnerabilities tied to specific job functions and be updated regularly to combat threats like phishing and social engineering.
Strengthened Physical and Technical Safeguards
Physical and technical safeguards also receive significant attention in the NPRM. To secure ePHI, physical access to facilities and devices must be tightly controlled through advanced measures such as biometric authentication, badge systems, and video surveillance. These controls aim to protect ePHI from unauthorized access, theft, or tampering.
The NPRM proposes a definition of the term “multi-factor authentication” (MFA) that entities would be required to apply wherever the proposed rule requires authenticating users’ identities: verification of at least two of three categories of factors of information about the user (for example, a password combined with a biometric) to secure access to systems containing ePHI. Additionally, the NPRM encourages using advanced threat detection tools like intrusion detection systems, AI-powered anomaly detection, and real-time breach alerts to proactively address security risks.
Addressing Challenges for Small and Rural Providers
HHS recognizes the unique challenges faced by smaller healthcare providers, particularly those in rural and tribal areas, where resources for implementing complex security measures are often limited. The NPRM seeks to provide scalability, allowing entities to implement solutions proportional to their size and complexity. Tailored guidance and tools are expected to support these providers, and regional collaborations are encouraged to pool resources and expertise for improved cybersecurity.
Implications for Stakeholders
For healthcare providers and business associates, the proposed updates necessitate significant investment in technology, training, and compliance infrastructure. Allocating budgets for tools like encryption and MFA, revising and drafting policies and procedures, and updating vendor contracts to ensure alignment with new standards are critical steps. Failure to comply with these updated requirements could lead to stricter enforcement actions and penalties. Fortunately, the proposed changes also remove some of the guesswork needed to comply with the Security Rule, making the areas where investment is needed easier to identify.
Patients stand to benefit significantly from the proposed changes, as stronger protections for sensitive health information can help rebuild trust in healthcare systems. By reducing the frequency and severity of breaches, the NPRM supports greater patient engagement and the adoption of digital health technologies. Regulators, equipped with clearer enforcement guidelines, will be better positioned to ensure compliance and address violations effectively.
Alignment with Broader Cybersecurity Efforts
The proposed updates align with national and international cybersecurity frameworks, including the NIST Cybersecurity Framework and the General Data Protection Regulation (GDPR). These alignments position the U.S. healthcare sector as a global leader in data security while promoting best practices like continuous monitoring, risk management, and strong encryption.
Implementation Timeline and Next Steps
The NPRM is to be published in the Federal Register on Jan. 6, 2025, after which a 60-day public comment period will follow. The final rule will take effect 60 days post-publication. Entities will have 180 days to achieve compliance, with additional time provided to update business associate agreements. The NPRM encourages stakeholders to provide feedback on the practicality and cost-effectiveness of the proposed changes during the comment period.
Conclusion: A Necessary Evolution in Cybersecurity
The proposed updates to the HIPAA Security Rule represent a critical step forward in securing ePHI against today’s sophisticated cyber threats. By reclassifying key specifications, enhancing safeguards, and providing greater clarity for compliance, the NPRM builds a robust framework for protecting both patients and providers. While these changes may pose challenges for some organizations, they are an essential evolution in safeguarding sensitive data in an increasingly digital world. As healthcare continues its digital transformation, these updates underscore the importance of cybersecurity as a cornerstone of quality care and public trust. Investment in a strong cybersecurity posture up front will prove valuable and ultimately save the entire healthcare industry in the long run.
This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.
©2025 This article originally appeared on the Clark Hill website and is reprinted with permission.
by Elizabeth E. Hogue, Esq. | Aug 9, 2024 | Admin, Clinical, Regulatory
by Elizabeth E. Hogue, Esq.
HIPAA violation: Trent James Russell was convicted in federal court on charges of obtaining another person’s health care information in violation of the Health Insurance Portability and Accountability Act (HIPAA). Russell was employed by an organ transplant organization. As a transplant coordinator, he had access to electronic medical records at George Washington University Hospital in Washington, DC.
In January of 2019, Russell accessed the medical records of U.S. Supreme Court Justice Ruth Bader Ginsburg even though Justice Ginsburg had not been referred as a possible organ donor. He took a screenshot of the records and then posted them on a message board called “4chan.” Ginsburg’s records quickly appeared on Twitter and YouTube, including her name and the exact dates and times when she received radiology, oncology, and surgical treatments at the Hospital between 2014 and 2018.
Hospital officials traced the search of Ginsburg’s records to one of Russell’s home computers. As soon as Russell was identified as a suspect, his access was denied by the Hospital. His request to have access restored was also denied.
The Cat Made me Violate HIPAA Laws
Russell initially told federal agents that his “cats had run across his keyboard.” He later characterized this statement as a “nervous joke.” Russell said that he had no idea how his computer searched terms that produced the Justice’s records and that “everyone makes typos.”
Online users who viewed Ginsburg’s records promoted various antisemitic conspiracy theories. One theory was that Ginsburg had died in late 2018 and that Democrats were hiding her death in order to deny President Trump an opportunity to appoint her replacement. A search of Russell’s computer also revealed a search for the term “dirty jew.”
An FBI agent said that she found an image on Russell’s hard drive that mimicked a poster for the film “Weekend at Bernie’s.” The caption said “Weekend at Ginsburg’s” and showed leaders of the U.S. House of Representatives propping Ginsburg up from both sides in a morbid play on how the movie characters covered up Bernie’s death so that they could use his beach house.
Ignorance of HIPAA Law is not a Defense
But he didn’t even have that defense. The Chief Executive Officer of the transplant organization at the time the access occurred testified that coordinators like Russell had “no business being inside the chart” of patients who had not been referred to the organization. The CEO said that Russell was certainly aware of this prohibition because of numerous agreements he signed with his employer and the extensive training he received.
There are several important takeaways from this case. First, it is important to note that Russell had extensive training about the requirements of the HIPAA Privacy Rule. He also agreed to comply with these requirements. The temptation is great, but employees must be reminded not to succumb. In addition, practitioners should take note of the fact that Russell was criminally prosecuted. Since he was convicted, he faces up to twenty-two years in prison and fines in the tens of thousands of dollars. Serious business!
Elizabeth Hogue is an attorney in private practice with extensive experience in health care. She represents clients across the U.S., including professional associations, managed care providers, hospitals, long-term care facilities, home health agencies, durable medical equipment companies, and hospices.
©2024 Elizabeth E. Hogue, Esq. All rights reserved.
No portion of this material may be reproduced in any form without the advance written permission of the author.
by Kristin Rowan | Jun 13, 2024 | Admin, Editorial, Marketing, Privacy and Security
Access to Information: Pro & Con
The advent of social media has allowed millions upon millions of users worldwide to connect with distant friends and family, meet new people, and share information among followers. From Six Degrees in 1997 to BlueSky in 2023, social media has evolved over time. Some say social media has brought us closer together and created more opportunities for small business marketing and branding. Others argue it has replaced human interaction and created overuse of mobile devices, addictions to “likes”, and a host of fake news and propaganda. Whatever your particular outlook on social media, it’s probably here to stay.
Having a profile on a social media platform (or several, as most people have) allows friends, family, and colleagues to connect quickly and easily. This easy access to user information can be great for social networking and branding. Recently, however, the social media platforms have started gathering the information from your profile to enhance the paid marketing campaigns you see in “Sponsored” posts. If you’ve never noticed it before, pay attention to how often a sponsored post appears on your social media feed that happens to match a recent browser search, email, or, scarily enough, a conversation you are part of.
Social Media Access to Outside Information
We’ve all seen the warning pop-ups on websites that read “This site uses cookies.” Cookies store your browser information and history, page visits, keyword searches, and other information. This information is accessible to other websites. This is why Amazon sends you an email for sale items you recently searched for, even if you didn’t search on Amazon. Most of us know we have the option to allow only necessary cookies and to opt out of everything else. However, most people rarely take this extra step. Rather than selecting from a list of allowable cookies, the default action is to “allow all.” We are just one click away from continuing our browsing, reading, or shopping.
PHI Information Accessed by Social Media
We accept that when we allow cookies, our information will be shared. However, when you share personal information with your doctor, you assume that information is not subject to the cookie preferences, even if the information is uploaded digitally. The federal Health Insurance Portability and Accountability Act (HIPAA), in fact, requires that this information not be shared. Ron Prosky alleges that the Palm Beach Health Network, the largest health care network in Palm Beach County, Florida, did just that. Palm Beach Health Network allegedly used Meta’s pixel code in its website, allowing Facebook to target patients with personalized ads based on their medical condition and other sensitive information.
Similar lawsuits alleged the same action against Atrium Health in North Carolina and against Kaiser Permanente, both in April of 2024. Kaiser Permanente claimed an “accidental breach” after knowingly using website trackers from Microsoft, Meta, and Google. Kaiser claimed it was unaware that the website trackers would send private information. Website trackers gather information that includes the user’s name and IP address. This information does not necessarily violate HIPAA laws. However, because the “cookies” attach to the IP address, they follow the user around the web. This makes it fairly easy to use the data to infer a diagnosis or illness and market to patients on that basis.
A Word of Caution for Agencies Using Tracking Data
If your website is set up to track users through partner codes from Google Analytics, Facebook Pixel, or any other tech provider, you may be inadvertently sharing protected patient data with any of these companies.
If you are tracking landing page and link clicks through Google Analytics, you may be sharing sensitive data. Here is an easy-to-follow article to prevent sharing Personally Identifiable Information (PII).
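One way to act on this caution is to audit the pages that collect patient information for third-party tags before a lawyer or a complaint does it for you. The script below is an added example, not code from the article or from any of the vendors named in it: it parses a page's HTML with the Python standard library, flags `script`, `img`, and `iframe` sources that point at the tracker hosts the article names (Meta's pixel, Google Analytics/Tag Manager), flags inline `fbq(` and `gtag(` bootstrap snippets, and raises the severity when the same page also carries form fields whose names suggest PHI. The tracker host list, the PHI field-name heuristics, and both sample pages are assumptions constructed for the example; extend the list with whatever vendors your own tag audit turns up.

```python
"""Audit an HTML page for third-party tracking tags next to PHI form fields.

Added example (not from the article). Uses only the standard library so it
runs offline against saved page source.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the article names (Meta pixel, Google Analytics) plus one assumed
# Microsoft host; this list is an assumption and should be extended per site.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel (image beacon)",
    "www.googletagmanager.com": "Google Tag Manager / GA4",
    "www.google-analytics.com": "Google Analytics",
    "www.clarity.ms": "Microsoft Clarity",
}

# Inline bootstrap calls that indicate a tracker even without an external src.
INLINE_MARKERS = (("fbq(", "Meta Pixel (inline)"), ("gtag(", "Google tag (inline)"))

# Substrings of form field names that suggest PHI is being collected (assumed heuristic).
PHI_FIELD_HINTS = ("diagnos", "condition", "symptom", "medication", "dob", "birth", "ssn", "insurance")


class TrackerAuditor(HTMLParser):
    """Collects tracker findings and form field names while parsing."""

    def __init__(self):
        super().__init__()
        self.findings = []      # (tag, tracker name, src or "inline")
        self.form_fields = []   # name attributes of input/select/textarea
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            host = urlparse(a["src"]).hostname
            if host in TRACKER_HOSTS:
                self.findings.append((tag, TRACKER_HOSTS[host], a["src"]))
        if tag == "script":
            self._in_script = True
        if tag in ("input", "select", "textarea") and a.get("name"):
            self.form_fields.append(a["name"])

    def handle_data(self, data):
        # Script bodies arrive as raw data; buffer them for inline-marker checks.
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            body = "".join(self._script_buf)
            self._script_buf = []
            for marker, name in INLINE_MARKERS:
                if marker in body:
                    self.findings.append(("script", name, "inline"))


def audit_page(html: str) -> dict:
    """Return trackers found, PHI-looking fields, and an overall severity."""
    parser = TrackerAuditor()
    parser.feed(html)
    parser.close()
    phi_fields = [f for f in parser.form_fields
                  if any(h in f.lower() for h in PHI_FIELD_HINTS)]
    if parser.findings and phi_fields:
        severity = "high"       # tracker present on a page that collects PHI
    elif parser.findings:
        severity = "medium"     # tracker present, no obvious PHI fields
    else:
        severity = "none"
    return {"trackers": parser.findings, "phi_fields": phi_fields, "severity": severity}


# Constructed sample: an intake form carrying GTM, an inline pixel, and a noscript beacon.
SAMPLE_INTAKE_PAGE = """<!doctype html>
<html><head><title>Patient Intake (constructed sample)</title>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
  /* pixel bootstrap omitted; constructed sample */
  fbq('init', '000000000000000');
  fbq('track', 'PageView');
</script>
</head><body>
<form action="/intake" method="post">
  <input name="full_name">
  <input name="date_of_birth">
  <select name="primary_diagnosis"></select>
  <textarea name="current_medications"></textarea>
</form>
<noscript><img height="1" width="1"
  src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1"/></noscript>
</body></html>
"""

# Constructed sample: same form, only first-party assets.
SAMPLE_CLEAN_PAGE = """<!doctype html>
<html><head><script src="/static/app.js"></script></head>
<body><form action="/intake" method="post"><input name="date_of_birth"></form></body></html>
"""

if __name__ == "__main__":
    for label, page in (("intake", SAMPLE_INTAKE_PAGE), ("clean", SAMPLE_CLEAN_PAGE)):
        report = audit_page(page)
        print(f"[{report['severity']:6}] {label}: {len(report['trackers'])} tracker(s), "
              f"PHI fields: {report['phi_fields']}")
        for tag, name, src in report["trackers"]:
            print(f"    <{tag}> {name}: {src}")
```

Run it against saved page source for every URL behind a login or intake flow, not just the home page; the tags that matter are usually in a shared template, so one hit typically means the whole portal is affected. Removing the tag is the fix; the audit just tells you where to look.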
A Word of Caution for all Social Media and Internet Users
The digital world is one in which we all live. Whether you are engaging with social media content, shopping in an app, or browsing online, protect your personal information.
Opt out of cookies whenever possible. If it’s not possible, limit access to only necessary cookies and don’t allow your information to be sold. Only use websites that are secure. Delete your browser history or use incognito mode as often as possible.
Kristin Rowan has been working at Healthcare at Home: The Rowan Report since 2008. She has a master’s degree in business administration and marketing and runs Girard Marketing Group, a multi-faceted boutique marketing firm specializing in event planning, sales, and marketing strategy. She has recently taken on the role of Editor of The Rowan Report and will add her voice to current Home Care topics as well as marketing tips for home care agencies. Connect with Kristin directly at kristin@girardmarketinggroup.com or www.girardmarketinggroup.com
by Elizabeth E. Hogue, Esq. | Apr 11, 2024 | Clinical, Regulatory
By Elizabeth E. Hogue, Esq.
A key purpose of the Health Insurance Portability and Accountability Act (HIPAA) is certainly to protect patient information. Another is to help ensure that patients have access to their health information. In fact, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services, the primary enforcer of HIPAA, has focused on enforcement actions against providers that do not make information available to patients on a timely basis. OCR launched a right to access enforcement initiative in 2019 that is continuing.
Providers must give medical information to patients and their representatives within thirty days of requests. When they fail to do so, they may be subject to enforcement action by OCR. Following are two examples of recent enforcement actions.
OCR announced on April 1, 2024, that Essex Residential Care in New Jersey will pay a civil money penalty of $100,000 to resolve violation of HIPAA’s right of access standard. This is the 48th settlement reached under the right of access initiative. OCR received a complaint in May of 2020 from the personal representative of the estate of a patient who passed away. Following an investigation by OCR, the personal representative, who was the son of the patient, received the records in November of 2020. The provider did not contest the fine.
In another recent case, the daughter of a patient who passed away was appointed as the personal representative of her mother’s estate. She made multiple requests to Phoenix Healthcare for a copy of her mother’s medical records. She finally received the records one year after her initial request. Phoenix Healthcare initially received a civil money penalty of $250,000 for failure to provide timely access.
The provider appealed. An administrative law judge (ALJ) upheld the violation and ordered Phoenix to pay a civil money penalty of $75,000. The Departmental Appeals Board affirmed the ALJ’s decision. Then Phoenix agreed to settle for $35,000 and waived the right to further appeals. While it may seem in this case that the provider’s appeals significantly lowered its costs, it is important to note that the provider also undoubtedly expended significant resources on two appeals of OCR’s enforcement action.
Providers have placed a great deal of time and effort into the protection of healthcare information in compliance with HIPAA. Rightfully so, but providers seem to have lost sight of the fact that HIPAA is also about ensuring that patients and their representatives have timely access to their records. Now is the time for providers to conduct intensive education of staff members about HIPAA’s requirements regarding access in order to avoid enforcement actions like those described above.
©2024 Elizabeth E. Hogue, Esq. All rights reserved. No portion of this material may be reproduced in any form without the advance written permission of the author. For more information on how to get access to this or any other article, please contact The Rowan Report.