3 tips to stay in compliance with HIPAA patient access, data security regulations

Doctor computer medical records
Practices should be aware of and comply with regulations about patients' right to access their health records. (Getty/BrianAJackson)

NEW ORLEANS—The federal Office for Civil Rights (OCR) is ramping up its focus on the Right of Access Initiative, which ensures patients timely access to their medical records.

Potential enforcement actions by OCR could impact physician practices, according to Robert Tennant, speaking at the Medical Group Management Association (MGMA) annual conference.

In a health IT policy update, Tennant, director of health information technology policy for MGMA’s government affairs, offered some tips to practice managers on complying with privacy, patient access and data security regulations under the Health Insurance Portability and Accountability Act (HIPAA).

Product Spotlight

Top-Rated Mobile App for Health Insurance Members

Zipari’s Mobile App is the smarter, easier, and better way for payers to engage members on the go and directly in the palm of their hands. Members can find the right doctors, receive notifications, send messages, view claims, track spending, talk to a nurse, download ID card, and more. It’s ready to install and launch in a few months.

Ensure patients’ right to timely access to their medical records. OCR, which enforces HIPAA privacy and security regulations, is focusing on the issue. “OCR is starting to get a little more aggressive,” Tennant said about privacy and security enforcement.

In September, OCR settled its first case involving the right of access provision of HIPAA—enforcement action that signals a new direction for the agency, he said.

In meetings, OCR Director Roger Severino has indicated this is going to be an area of focus for the agency, Tennant said. The first fine delivered by OCR centered around an expectant mother’s request for information on her unborn child. Bayfront Health St. Petersburg, a Florida hospital, agreed to pay an $85,000 fine for failure to supply the medical record until more than nine months after the patient’s first request.

The fine was the first enforcement action taken under the Right of Access Initiative launched earlier this year to combat information blocking at healthcare facilities. The initiative promises to vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged.

HIPAA rules generally require covered healthcare providers to provide medical records within 30 days of the request, and providers can only charge a reasonable cost-based fee. The right to patient records extends to parents who seek medical information about their minor children, and in this case, a mother who sought prenatal health records about her child, OCR said.

RELATED: 32M patient records breached in 2019. That's double all of 2018, Protenus reports

Be sure to back up patient data offsite. “That’s the most important thing,” Tennant said, in reviewing a checklist of items to protect a practice’s security. For instance, it has become inexpensive to store data in the cloud, he said. Practices need to store data offsite in case there is a fire or flood and those data are destroyed. Or, in the case of a ransomware attack, a practice could be left unable to access data.

Be careful how physicians are accessing and using data. HIPAA requires practices to conduct a complete security risk assessment to focus on vulnerable areas, and practices should look at new security risks, Tennant said. 

For instance, practices should be careful about allowing physicians remote access to electronic health records, he said. If a doctor is accessing a record from his or her home computer, that will likely pose a security risk.

In conducting a complete risk assessment, practice managers should talk to peers and vendors about potential risks and document the assessment. Another issue might be having physicians texting back and forth and sharing patient information. In that case, practices should invest in a secure texting platform to ensure patient privacy, he said.

Suggested Articles

Employment growth in the healthcare industry cooled off in July as the sector added fewer jobs than in June as COVID-19 continues to spread.

A new study found that more than half of doctors don't believe drug-resistant superbugs are a major concern for their practice.

Blue Shield of California is teaming up with Cricket Health to offer coordinated care to members with late-stage and end-stage renal disease.