Written by: Michelle Johnston, CIPM, CIPP/US and Susie Kenerson, CIPP/US Compliance Privacy Officer at CSR Privacy Solutions, Inc.
The U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) enforces federal standards governing protected health information (“PHI”) or personally identifiable information under the Health Insurance Portability and Accountability Act’s (“HIPAA”) Privacy Rule, Security Rule and Breach Notification Rule. HHS also has authority to conduct compliance reviews and to investigate complaints of violations of the HIPAA rules by covered entities and business associates.
In early 2019, HHS created an initiative to improve its enforcement of violations of patients’ access rights under HIPAA’s Privacy Rule. On September 6, 2019, HHS settled its first enforcement action under that initiative against the covered entity Bayfront Health St. Petersburg (“Bayfront”) for a potential violation of a patient’s right of access. HHS settled with Bayfront for a monetary payment of $85,000 and entered into a corrective action plan (“CAP”) that specifies Bayfront’s obligations, including one (1) year of monitoring by HHS and retention of compliance documentation for six (6) years.
Under the CAP, Bayfront must:
A. Develop and maintain policies and procedures relating to data access rights (“access policies and procedures”), with the oversight of HHS, including:
B. Maintain and provide documentation to HHS, including:
Risk awareness through assessment of:
The settlement terms and requirements established between HHS and Bayfront highlight the importance of covered entities having policies and procedures in place, as well as strict protocols for training and oversight of their employees and business associates, to ensure the established procedures are actually followed.
Regular internal assessments of policies and procedures will identify any gaps in an organization’s compliance program and will ensure that up-to-date processes are followed throughout the organization and by its business associates.
Risk evaluation through assessments and audits of internal processes and due diligence of business associates.
When responding to a data access request, it is imperative that the processes put in place by an organization are strictly followed, including obtaining any necessary information from relevant business associates contracted with the organization. Under HIPAA’s Privacy Rule, health organizations must respond to a patient’s access request as soon as possible, and no later than 30 calendar days from receiving the request.
Risk avoidance through use of tools to:
What will be the outcome and effects on the business should it fail to properly respond to a data access request? Violations of the requirements for a consumer’s access to their data can bring about steep monetary fines, and may also force a business to implement policies and procedures under pressure if they are not already in place. This can be avoided, and existing processes fine-tuned, with planned preparation.
CSR Privacy Solutions, Inc. can ease the tension small to medium size businesses (SMB) may feel when implementing, and keeping up to date, the necessary policies and procedures. CSR Readiness® Pro is an award-winning bundle of privacy solutions that businesses use to mitigate the risk of data breach and the consequences of non-compliance associated with the handling of legally protected personal information.
CSR Readiness delivers a PROACTIVE solution, enabling small to medium size businesses (SMB) to assess their privacy systems and safeguards, and presents them with suggested improvements for the areas the program identifies as deficient. Many companies may still suffer a data breach; when this happens, Breach Reporting Service is the REACTIVE solution that provides privacy reporting for the SMB community. CSR-V3 is an automated vendor privacy risk reduction tool that documents your vendor management, verification and validation due diligence.