Security Breaches Aren’t the Only Compliance Risks! So Are Privacy Rights Violations: HIPAA & HITECH Act Blog by Jonathan P. Tomes

A recent announcement by the Dental Board of California has reinforced the point that a breach of security, such as a hacker’s gaining access to all of your patient records and using them to commit identity theft, or the loss of an unencrypted laptop, is not the only way that a covered entity or a business associate can suffer a financial penalty. Privacy rights violations can also result in fines, whether imposed by the Department of Health and Human Services (“HHS”) or by state disciplinary authorities.

That report noted that dentists were failing to provide patients with copies of their dental records within the time frames set by both state law and the HIPAA Privacy Rule. Under California Health and Safety Code Sections 123100-123149.5, patients have the right to the following:

  • Inspect records during business hours within five (5) days of presenting a written request.
  • Receive copies of records within 15 days of presenting a written request.
  • Receive X-rays or tracings within 15 days of presenting a written request.

The HIPAA Privacy Rule requires covered entities to give patients access to their records (to inspect and to copy) within 30 days of receiving the request. If more time is needed, the covered entity may take a single extension of up to 30 days, but within the original 30-day period it must give the patient a written statement of the reasons for the delay and the date by which it will act, so the patient must be granted access within 60 days at most. 45 C.F.R. §164.524(b)(2). Both California and HIPAA allow the practice to charge a reasonable, cost-based fee. The practice may not, however, deny access because the patient has not paid for the health services rendered.

Because California gives patients the right of access sooner than HIPAA does, it affords patients a greater privacy right than HIPAA and, thus, California law controls. The right to access one’s own records is every bit as much a privacy right as is confidentiality. The Board noted that failure to provide copies of dental records within the 15-day deadline is one of the five most commonly cited violations of state law. It explained that “Citations may be used when patient harm is not found, but the quality of care provided to the consumer is substandard.” The Board can issue fines of up to $500 per day, to a maximum of $5,000, for failure to provide copies of dental records to patients within the 15-day deadline.

This state fine pales in comparison to the civil money penalty (“CMP”) (what HIPAA calls a fine) imposed against Cignet Health for failing to provide 41 patients with copies of their records, even after having been ordered to do so by the HHS Office for Civil Rights (“OCR”). The CMP, not a settlement in lieu of one, was $4.3 million. Parenthetically, Cignet is no longer in business.

HHS has stated that failure to give access in a timely fashion will be emphasized in 2019 enforcement actions. One could perhaps not be at fault if a very sophisticated hacker gained access, but failing to provide patients with something as simple as records they have both a federal and a state right to is inexcusable. If whatever system or vendor you use to maintain your patient records routinely cannot get records to your patients in a timely manner, consider including the records system in your next risk analysis, whether initial or update, and take these very high CMPs into account. You will likely conclude that you need a reasonable and appropriate new system or reasonable and appropriate upgrades to your current one.

HIPAA does provide exceptions to the right of access. Some grounds for denial are not subject to review, such as psychotherapy notes or information compiled in reasonable anticipation of litigation, and others are reviewable by a licensed health care professional, such as when a licensed health care professional has determined that access is reasonably likely to endanger the life or physical safety of the individual or another person. See 45 C.F.R. §164.524(a)(1) and (a)(2) (non-reviewable grounds for denial) and 45 C.F.R. §164.524(a)(3) (reviewable grounds for denial).

Because of the threat of a sanction for failing to provide access, and because of the harm inherent in giving access when it is improper, a covered entity should either have a policy specific to granting patients access or include such provisions in an overall release-of-information policy, so that staff can process such requests properly and act on them correctly. Remember to keep written documentation: the written policy itself, evidence of having implemented it, the written risk analysis that led you to adopt it, and written records of having trained the appropriate workforce members (staff, volunteers, students, and so forth). Keep all of these compliance records for at least the six years that HIPAA requires.

Alice here: Yes, once again, I am here to try to sell things to keep you and us in business. If you need help with your risk analysis, either initially or for an update, Jon Tomes has written a Risk Analysis ToolKit to provide the structure and tools to help you complete the requirement under HIPAA. You and your risk analysis team can fill it out and document your decisions as to what is reasonable and appropriate for you to adopt in the way of policies and procedures and be done with it. Or you could send your completed risk analysis to Jon to review and render his professional opinion as the country’s leading HIPAA expert (IMO) as to whether it is sufficient to keep you from getting that free trip to Leavenworth or that very expensive trip to the bank. If you have Jon’s Compliance Guide to HIPAA and the DHHS Regulations, 6th edition, with the accompanying HIPAA Documents Resources Center CD, also 6th edition, you can find the Risk Analysis ToolKit on the CD. It is also available with a review by Jon at Also, Jon Tomes presented a webinar recently on “How to Do a HIPAA and HITECH Risk Analysis.” You can buy a recording of it at Jon is also writing a Risk Analysis Update ToolKit, which will be available for you in the near future on the Premium Member section of our website. Please stay tuned for our announcement when it is up and running for you there. Also, include in your risk analysis the lack of a business associate agreement if you are considering hiring a business associate or a downstream business associate.

If you need guidance on how to draft the policies and procedures that your risk analysis, or your newly updated risk analysis, has shown are reasonable and appropriate for your organization, Jon has also written The Complete HIPAA Policies and Procedures Guide, with an accompanying CD of several dozen HIPAA policies and procedures templates for you to adapt to your situation. That book also contains a chapter by me on how to write in general, but more specifically on how to write a good policy.

Make sure that you train your entire workforce on HIPAA in general and on the HIPAA policies and procedures according to who needs to know what to perform their duties for you. If you need handy HIPAA training in general, consider Jon’s training video and training manual in either of two forms available here: Or you could hire Jon to present HIPAA training onsite to your workforce. Just contact him at or 816-527-3858.

Keep your written documentation of all of these HIPAA compliance efforts where you can find them easily and quickly if HHS shows up demanding your HIPAA compliance documentation. We recommend keeping all of it in Your Happy HIPAA Book. Jon included tabs in the three-ring binder for everything that you need to document and a checklist for each tab. I recommend adding the date that you check off each item in each checklist, as one of our clients suggested to us.

If you have had a security incident that you were unsure as to what exactly to do about, or if you are concerned that you may have one, consider reading Jon’s book How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know.

A sample business associate agreement policy and a sample business associate agreement are posted in the Premium Member section of our website at

As always, thanks for reading Jon’s blog, buying his books and other HIPAA compliance tools, attending our seminars and webinars, and hiring Jon for HIPAA consulting and training. We wish you every success with your HIPAA compliance efforts.
