3 tips to stay in compliance with HIPAA patient access, data security regulations

NEW ORLEANS—The federal Office for Civil Rights (OCR) is ramping up its focus on the Right of Access Initiative, which is meant to ensure patients get timely access to their medical records.

Potential enforcement actions by OCR could impact physician practices, according to Robert Tennant, speaking at the Medical Group Management Association (MGMA) annual conference.

In a health IT policy update, Tennant, director of health information technology policy for MGMA’s government affairs, offered some tips to practice managers on complying with privacy, patient access and data security regulations under the Health Insurance Portability and Accountability Act (HIPAA).

Ensure patients’ right to timely access to their medical records. OCR, which enforces HIPAA privacy and security regulations, is focusing on the issue. “OCR is starting to get a little more aggressive,” Tennant said about privacy and security enforcement.

In September, OCR settled its first case involving the right of access provision of HIPAA, an enforcement action that signals a new direction for the agency, he said.

In meetings, OCR Director Roger Severino has indicated this is going to be an area of focus for the agency, Tennant said. The first fine delivered by OCR centered on an expectant mother’s request for records about her unborn child. Bayfront Health St. Petersburg, a Florida hospital, agreed to pay an $85,000 fine for failing to supply the medical record until more than nine months after the patient’s first request.

The fine was the first enforcement action taken under the Right of Access Initiative launched earlier this year to combat information blocking at healthcare facilities. The initiative promises to vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged.

HIPAA rules generally require covered healthcare providers to provide medical records within 30 days of the request (the Privacy Rule allows a single 30-day extension if the provider gives the patient written notice of the reason for the delay), and providers can charge only a reasonable, cost-based fee. The right to patient records extends to parents who seek medical information about their minor children, and in this case, to a mother who sought prenatal health records about her child, OCR said.

Be sure to back up patient data offsite. “That’s the most important thing,” Tennant said, in reviewing a checklist of items to protect a practice’s security. For instance, it has become inexpensive to store data in the cloud, he said. Practices need to store data offsite in case a fire or flood destroys the copies on premises. Or, in the case of a ransomware attack, a practice could be left unable to access its data. An offsite copy only helps against ransomware if it cannot be reached and encrypted with the same credentials the attacker uses on the practice network, and if the practice has actually tested restoring from it.

Be careful about how physicians access and use data. HIPAA requires practices to conduct a complete security risk assessment that identifies vulnerable areas, and practices should look at new security risks as they arise, Tennant said.

For instance, practices should be careful about allowing physicians remote access to electronic health records, he said. If a doctor is accessing a record from his or her home computer, that will likely pose a security risk.

In conducting a complete risk assessment, practice managers should talk to peers and vendors about potential risks and document the assessment. Another issue might be physicians texting back and forth and sharing patient information over ordinary SMS. In that case, practices should invest in a secure texting platform to ensure patient privacy, he said.