We’ve known that enforcement actions were going to pick up again, even though many regulations are still waived or modified during the public health emergency. In the past few months, several decisions have been rendered by the Office for Civil Rights (OCR) which prove the point. Hospitals and other healthcare organizations need remain cautious and cognizant of exactly which regulations are being enforced, and make sure that existing procedures and policies are being followed.
For example, OCR resolved a complaint against Prince George’s Hospital Center of the University of Maryland Medical System (UMMS). The complaint was raised by a woman who wanted to have a priest attend her critically injured husband during the pandemic. Despite the priest’s willingness to wear any necessary personal protective equipment (PPE), he was refused entry. UMMS implemented a new policy guaranteeing “adequate and lawful access to chaplains or clergy” in order to resolve the complaint.
A second religiously-based complaint was also resolved recently by OCR. In this complaint, filed by a civil rights group, a medical student at Staten Island University Hospital (SIUH) in New York City was ordered to shave his beard, which he kept for religious reasons. The hospital stated that this was in order to ensure his N95 respirator mask had a tight seal around his nose and mouth, even though he had passed a fit test. In resolving the complaint, SIUH provided the student with a Powered Air Purifying Respirator (PAPR) as a religious accommodation.
OCR also recently resolved a HIPAA-based complaint. Lifespan Health System Affiliated Covered Entity (Lifespan ACE) in Rhode Island agreed to pay OCR $1,040,000 and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to the theft of an unencrypted laptop. Not only did the laptop contain electronic protected health information (ePHI) for 20,431 individuals, OCR found systemic noncompliance with HIPAA, including lack of encryption on laptops and a lack of device and media controls.
A Warning for Compliance
All these enforcement actions took place during the COVID-19 pandemic. The presence of the pandemic is not being taken as a reason for not proceeding with enforcement action. Compliance professionals need to be very aware of what regulations still apply, and how their organizations are continuing to stay within the scope of existing regulations.
See youCompli in Action
Easier, faster, more effective compliance is possible