HIPAA (Health Insurance Portability and Accountability Act of 1996) compliance has long been an issue that plagues companies. In many cases, companies are failing to comply with HIPAA, but no action is taken because the failure is either unknown or has not yet become an issue. In a recent patient record scorecard released by Ciitizen, they found that while patient record access on the patient side is becoming more and more available, HIPAA compliance currently stands at approximately 49%. This means that 51% of the roughly 200 companies included in the scorecard attained a score of 2/5 stars or lower. The scorecard found that a majority of these companies failed to honor patients’ right to inspect or obtain a copy of their health information upon request.
The bigger issue with this non-compliance arises when a breach occurs at a company that is still not complying with HIPAA. On November 27, 2019, Sentara Hospitals, based out of Virginia and North Carolina, reached a settlement with the Office for Civil Rights (OCR) for a sum of $2.175 million for failing to notify the OCR and the affected patients of a breach of patient information. Sentara had sent approximately 577 billing statements to incorrect addresses; the statements included patient names, account numbers, and dates of service. Sentara then notified a total of only eight individuals of the breach. Along with other HIPAA regulatory issues that were found, Sentara settled for the aforementioned amount, agreed to a two-year monitoring plan, and accepted the requirement to notify the OCR within 15 days of any potential breach.
Another case, from September 2019, involved Bayfront Health, based in St. Petersburg. Bayfront Health failed to provide a mother with access to the fetal heart monitor records of her unborn child. The mother made her first request in October 2017, and in August 2018 she filed a complaint with the OCR about the lack of access. Under HIPAA, patients are guaranteed access to their records within 30 days and for a reasonable fee. Bayfront agreed to a corrective action plan similar to Sentara’s, as well as an $85,000 penalty.
Overall, HIPAA compliance remains a major issue within the healthcare industry, but fortunately we are seeing a massive improvement in the provision of patient information in order to comply with the rules set in place by HIPAA. As we move into 2020 and people become more aware of the importance of cyber security and its surrounding regulations, we may see more healthcare providers complying with HIPAA.
Written by: Michael Smith