Obligation to Comply With Release of Information Within 30 days

Did you know…

HIPAA requires that healthcare providers disclose within 30 days of receiving a request for release of information. This rule is enforced by the Federal Department of Health and Human Services!

Under the HIPAA Privacy Rule, patients, patients’ designees and patients’ personal representatives can see or be given a copy of the patients’ protected health information, including an electronic copy, with limited exceptions. In doing so, the patient or the personal representative may have to put their request in writing and pay for the cost of copying, mailing, or electronic media on which the information is provided, such as a CD or flash drive. In most cases, copies must be given to the patient within 30 days of his or her request.

The final rule is available for review at:

Any release requesting the release of mental health records or information must be compliant with section 5 of the Illinois Mental Health and Developmental Disabilities Confidentiality Act. If you wish to receive a free copy of a compliant release, please feel free to contact our office.

If you would like more information regarding this obligation or to consult with regard to any aspects of your clinical or professional practice, please feel free to contact Jonathan Nye, J.D. at 847-279-0026.

Are you HIPAA compliant?

The September 23, 2013 deadline has come and gone — What have you done to protect yourself from HHS fines?

On February 22, 2011, HHS imposed a $4.3 million civil money penalty against Cignet Health of Prince George County, Maryland (Cignet) for violations of the HIPAA Privacy Rule. $1.3 million of the penalty redressed the violation of 41 patients’ rights who were denied access to requested medical records within the statutorily prescribed 30 (and no later than 60) days of the patient’s request.

On June 26, 2012, the Alaska DHSS paid $1.7 million as a result of the theft of a USB hard drive possibly containing ePHI from a DHSS employee’s car. The enforcers noted their failure to do risk analysis, implement adequate risk management measures, workforce training or device and media controls, or address device and media encryption.

On September 17, 2012, the Mass. Eye and Ear Infirmary and Mass. Eye and Ear Associates Inc. paid $1.5 million as a result of the theft of an unencrypted personal laptop containing ePHI of MEEI patients and research subjects, which, in the government’s view, reflected “long-term, organizational disregard for the requirements of the Security Rule.”

We can help you to:

  1. Develop, implement and maintain HIPAA Privacy policies, procedures, and forms
  2. Maintain regulatory and business accuracy
  3. Implement and maintain HIPAA records filing system
  4. Publish and maintain Notice of Privacy Policy and patient acknowledgment
  5. Implement safeguards to protect PHI from intentional or unintentional unauthorized uses and disclosures and limit incidental uses or disclosures
  6. Handle all complaints
  7. Mitigate the effects of any unauthorized use or disclosure or other violations
  8. Ensure all patients’ (and deceased patients’) HIPAA rights and requests are honored: access, amendment, confidential communication channels, restriction requests, authorizations, accountings, personal representative designations
  9. Handle access requests by law enforcement, subpoenas, court orders, and public purpose entities
  10. Ensure minimum necessary rule is applied
  11. Handle all workforce training and sanctions
  12. Ensure all Business Associates are identified and have signed Business Associates agreements
  13. Cooperate with any government privacy investigations

Contact us at 847-279-0026 for more information.