OCR Continues its Focus on Patient Access Rights

The Beckage Health Law team continues to monitor OCR developments that relate to patient access rights.  In 2020, it became clear that patient right of access to records is a significant priority of the Office of Civil Rights (OCR), under the Department of Health and Human Services (HHS).  Just last month OCR reported on a settlement, audit results, and proposed rules, all focused on patient access to records. 

For example, on December 22nd, OCR announced the settlement of its 13th investigation focused on health records access.  The investigation followed a patient complaint to the OCR after the patient was unable to obtain records from his primary care provider on two separate occasions in 2019.  Emphasizing the importance of workforce training and documentation, the OCR issued a $36,000 fine and required the provider to update its Designated Record Set Policy as part of the Corrective Action Plan. 

In December, we also saw the release of an audit report on health industry compliance for audits conducted during 2016-2017.  The December 17, 2020 report reveals findings for audits of randomly selected entities and business associates.  Of note, most organizations failed to include appropriate content in plain language in their Notice of Privacy Practices, and often omitted content related to individual rights.  Moreover, the report notes that many entities did not have appropriate policies, procedures, and documentation to demonstrate compliance with rules about how to respond to requests for records.

Finally, as described more fully in Beckage’s recent blog post about HHS’s proposed rules, OCR proposed amending the HIPAA Rule, including amendments to expand patients’ rights to access records, increase transparency about these rights, and shorten providers’ time to respond to records requests.

These three developments reaffirm OCR’s strong commitment to enforce the patient access rules, which we expect will continue in 2021. 

Beckage health law attorneys work with hospitals, health care providers and business associates to develop a compliance program tailored to mitigate risk.  Our team has significant experience in OCR enforcement matters and investigations.  We recommend that clients prioritize a review of their Notice of Privacy Practices as well as patient access policies to help mitigate risk.  Reach out to our Beckage Health Law team for assistance analyzing these and other regulatory and legislative matters.

*Attorney advertising. Prior results do not guarantee a similar outcome.

Ransomware Activity Targeting the Healthcare and Public Health Sector

Beckage is notifying organizations in the healthcare sector of a potential threat that may occur this weekend. We will continue to monitor this situation and provide updates as they occur.

Late last night the Federal Bureau of Investigation (FBI), Department of Health and Human Services (HHS), and the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about an imminent cybercrime threat to hospitals and healthcare providers. These organizations have credible information to suggest that there will be a widespread Ryuk ransomware attack this weekend. The threat is currently being investigated by the FBI, DHS and the NSA’s Cybersecurity Threat Operations Center.

What We Know

The cybercrime organization Ryuk is targeting the Healthcare and Public Health sector with Trickbot malware that may lead to ransomware attacks, data theft, and the disruption of healthcare services, a particularly concerning possibility considering the nation is still grappling with the COVID-19 pandemic.

Based on what we know about Ryuk, it is possible that the encryption malware has already been implemented on the targeted healthcare organizations’ systems and the threat actors just have not commanded it to activate.  Given the threat, we urge all healthcare organizations to review the measures recommended by the FBI as well as consider some practical incident response measures.

What To Do Next

Beckage recommends that hospitals and healthcare providers implement several preventative steps to safeguard their organization, including the following measures: reviewing current incident response protocols and processes within the next 24 hours; carefully crafting internal and external messaging and FAQs with an experienced data breach attorney to help minimize legal risk; and making sure employees know who to contact if they have reason to believe there is suspicious activity.

Beckage is available to discuss additional best practices that should be taken over the next 24 to 72 hours. Our team will continue to monitor this for new developments and provide updates as appropriate.  If an attack is detected and additional resources are needed, Beckage can be reached using our 24/7 Data Breach Hotline at 844-502-9363.

*Attorney advertising. Past outcomes do not predict future results.

2019 Year in Review: Beckage Blog Top 5

The end of the year is finally upon us. As the year draws to a close, we look back over our most popular blog posts of 2019. From understanding New York’s SHIELD Act to website accessibility claims under the Americans with Disabilities Act and gearing up for the California Consumer Protection Act (CCPA), it has certainly been a great year for the Beckage team. We pride ourselves on producing informative and timely content for our community in this fast-moving legal landscape. For this reason, we have picked out our very best blog posts from 2019 just in case you missed any of our top posts. We thank you all for your continued support. Happy Holidays from all of us!
