
OCR Publishes Report on Hospital Reviews to Assess Privacy Protections for HIV/AIDS Patients

The Department of Health and Human Services’ Office for Civil Rights has published a new report on its National HIV/AIDS Compliance Review Initiative.

The National HIV/AIDS Compliance Review Initiative commenced in 2014 and involved compliance reviews at 12 hospitals in regions of the country which are experiencing the greatest numbers of new HIV infections. The compliance reviews took place at hospitals in Atlanta, Baltimore, Chicago, Dallas, Houston, Los Angeles, Miami, New York City, Philadelphia, San Francisco, Washington DC, and San Juan in Puerto Rico.

The aim of the compliance reviews was to ensure that individuals suffering from HIV and AIDS were being provided with equal access to medical services and programs, and that individuals with limited English proficiency (LEP) were provided with meaningful access. The reviews were also conducted to ensure hospitals were complying with the Health Insurance Portability and Accountability Act (HIPAA). Healthcare facilities must implement privacy protections so that individuals’ health information is appropriately secured and kept private and confidential.

The OCR also wants to encourage HIV/AIDS patients to take a greater role in their own healthcare. The OCR assessed whether individuals’ access rights to their PHI could be exercised at each of the hospitals under review.

While all of the hospitals had policies and procedures in place to protect the health information of patients and ensure equal access to healthcare services, in some of the hospitals OCR discovered there was room for improvement. The OCR has now provided robust technical assistance to those hospitals to ensure that patient privacy is protected, that patients’ rights can be exercised, and that there is no discrimination based on HIV status.

Between 2010 and 2015, the OCR received 145 complaints of privacy or civil rights violations, all of which were subject to investigations. 24 of those complaints prompted full compliance reviews.

In February 2011, the OCR entered into a resolution agreement with the General Hospital Corporation and Massachusetts General Physicians Organization over Privacy Rule violations. The organizations were fined $1,000,000 for losing the protected health information of 192 individuals who were living with HIV.

With respect to health information privacy, the National HIV/AIDS Compliance Review Initiative report details a number of steps that hospitals must take to ensure the privacy of HIV/AIDS patients is protected:

The OCR requires all hospitals to:

  • Appoint HIPAA Privacy and Security Officials to oversee the development of policies and procedures to protect the privacy of patients and secure their PHI.
  • Develop and publish a Notice of Privacy Practices which explains how the PHI of patients will be used and how individuals can obtain a copy of their PHI and/or ePHI.
  • Ensure that policies and procedures are developed and put in place so that patients can be provided with access to their PHI, should they so wish. Policies must cover physical PHI and ePHI.
  • Conduct thorough organization-wide risk analyses to identify potential risks to the integrity, security, and availability of ePHI. A plan must be developed to address all identified vulnerabilities, and risks must be reduced to an acceptable level in a reasonable time frame.
  • Put appropriate security measures in place to ensure that ePHI is protected at all times.
  • Inform patients of the accidental disclosure or exposure of their health information within 60 days in the event of a breach of ePHI or PHI.

The OCR report can be viewed/downloaded on this link.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
