Rita Bowen (rbowen@mrocorp.org) is VP of Privacy, Compliance, and HIM Policy, MRO, Norristown, PA.
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule generally requires HIPAA covered entities—health plans and most healthcare providers—to provide individuals, upon request, with access to protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity.[1] This includes the right to inspect and/or obtain a copy and the right to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice. This right applies as long as the covered entity, or its business associate, maintains the information, regardless of the date the information was created, and whether the information is maintained in paper or electronic systems on-site, remotely, or is archived.
Providing patients access to their PHI is a top priority. Patients need secure, timely access to their medical information to make informed decisions and manage their own care. The ever-increasing enforcement actions by the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services are intended to empower patients and hold healthcare providers accountable for failure to meet HIPAA requirements. This article provides valuable insights and guidance to help organizations prepare for full compliance.
OCR focus on patient right of access
The OCR’s HIPAA Audits Industry Report[2] released in late December 2020 stated that 89% of audited covered entities failed to show they were correctly implementing the individual right of access. The report noted many compliance gaps, including insufficient policies and procedures for providing access. For example, the OCR found that some policies incorrectly stated that the covered entity could deny access to PHI, and other policies lacked guidance around providing requests for information to a designated third party.
Many of these audited covered entities are operating largely on their own, without access to a security or compliance officer who has the knowledge and experience needed to understand the requirements and write policies that ensure compliance. Because release of information (ROI) is such a detailed and intricate process, every covered entity must ensure compliance with the standards. One way to achieve that goal is to have a specific department dedicated to the effort, guided by professionals with the expertise to properly implement and enforce policies and procedures. It is essential to designate staff who are specifically responsible for learning the guidelines, implementing the policies and procedures required to follow them, enforcing them, and continually assessing and adjusting as needed.
Designated record set
The HIPAA Privacy Rule established the concept of a designated record set (DRS) as the foundation of a patient’s right of access to PHI. A designated record set is defined at 45 C.F.R. § 164.501 as “a group of records maintained by or for a covered entity,” including the following:
- “Medical records and billing records about individuals maintained by or for a covered healthcare provider;
- “Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
- “Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals.”[3]
Because the definition is expansive, a covered entity is generally left to define which records are part of the DRS. Therefore, variations in how healthcare organizations interpret their DRSs can cause frustration among patients and their representatives attempting to obtain PHI according to the patient right of access.
Current landscape and penalties
In March 2021, the OCR announced the 18th settlement of an enforcement action in its HIPAA Right of Access Initiative.[4] The purpose of this initiative is to support individuals’ right to timely access of their health records at a reasonable cost under the HIPAA Privacy Rule. These settlements have steadily increased over the past two years, resulting in civil monetary penalties (CMPs) and corrective action plans with significant financial impact on covered entities. The reasons for the resolutions to date include the following:
- Failure to respond to a patient’s request for access to their record within the required timelines and at a reasonable cost;
- Refusal to allow the patient to inspect and receive a copy of their record;
- Refusal to send the record to a patient-directed third party in the form and format requested;
- Failure to provide films (imaging) requested by the patient;
- Failure to recognize the patient’s personal representative; and
- Failure to apply the DRS, for example by not providing fetal monitor strips.
Given the heightened OCR activity during 2021, the focus on patient access is increasingly critical. Enforcement actions are designed to send a message to the healthcare industry about the importance and necessity of compliance with the HIPAA rules. The OCR considers a variety of factors in determining the amount of a settlement, such as the nature and extent of the potential HIPAA violation; the nature and extent of the harm resulting from the potential HIPAA violation; the entity’s history of HIPAA compliance; the financial condition of the entity, including its size and the impact of the COVID-19 public health emergency; and other matters as justice may require.
Resolutions due to rigorous enforcement
Resolutions to date indicate that the Right of Access Initiative is proving effective through rigorous enforcement. The first resolution of the year ordered one of the largest US health systems to undertake a corrective action plan that includes two years of monitoring in addition to a monetary settlement of $200,000.[5]
The second resolution of 2021 required a private, nonprofit health system in Nevada to take corrective actions and pay $75,000 to settle a potential violation of the HIPAA Privacy Rule right of access standard.[6] In that case, OCR received a complaint in February 2019 alleging that the health system failed to provide timely response to a patient’s request that an electronic copy of her PHI, including billing records, be sent to a third party.
Of the 18 resolutions so far, 7 were linked to behavioral health. This is due in part to the tendency for people to be guarded and overthink the rules in this area. In fact, HIPAA does not require a special consent or authorization to release behavioral health records to the patient under the right of access (psychotherapy notes, which are excluded from the right of access, are the exception). Furthermore, all of these resolutions involved either smaller facilities (16) or outlying clinical practice sites (2) that handle their own requests instead of routing them through a central repository. All these cases indicate the need for a central repository staffed by professionals who understand the release of information process and know how to apply the rules and regulations. When implementing the Privacy Rule, covered entities and their business associates have the responsibility to:
- Understand what information is subject to the right of access and what is excluded from it, such as psychotherapy notes.
- Confirm the authority of a “personal representative” to act on behalf of an individual.
- Know the procedures for receiving and responding to requests, including written request requirements, verifying the authority of requesting parties, timeliness of response, grounds for denying a request, and fees that can be charged for approved requests.
To assist covered entities and business associates, the OCR provides a summary of right of access issues, as well as a set of frequently asked questions.[7]
Components of an effective compliance program
To avoid actions due to noncompliance, healthcare providers of all sizes must take necessary measures to respect the right of patients to have timely access to their medical records. Best practice is to establish a multidisciplinary compliance team, including representation from privacy and security, compliance, health information management (HIM), operations, legal, physicians, patient experience, and others required for specific areas of focus. This group should review resolution agreements and CMPs applied for privacy and security, and assess internal compliance policy to determine the need for adjustments, particularly related to patient access.
An effective compliance program will include relatively simple policies that ensure proper training and documentation to minimize the risk of OCR enforcement action and its severity. Providers should also consider the possibility of sanctions under state law governing patient access to records. In some cases, state law may be more stringent than HIPAA concerning the right to access. In that case, additional modifications to policies and procedures are needed to provide compliant access.
To support your organization’s efforts to ensure compliance with right of access, here are six steps to take if you have not already done so:
- Establish a multidisciplinary team and update your compliance program. Review your internal policies and procedures.
- Document your actions to show evidence of efforts to comply.
- Create a compliance officer role to keep a watchful eye on the ever-changing regulatory climate and disseminate information.
- Conduct a gap analysis to document and prove that you have no intent to engage in blocking patients from accessing their medical records.
- Use the CMP action plans as your blueprint. Crosswalk these plans to your current policies and procedures.
- Keep patient access top of mind and stay up to date on OCR settlements.
Proposed changes to the HIPAA Privacy Rule
The purpose of the proposed modifications to the HIPAA Privacy Rule[8] is to improve patient access to PHI and increase permissible PHI disclosure with the intent of improving care coordination and case management, and ultimately reducing healthcare costs. However, a final rule that mirrors the notice of proposed rulemaking (NPRM) would fundamentally transform the existing industry model for delivering ROI services to the detriment of hospitals, other healthcare providers, and their patients. One major proposed change involves the cost shift to covered entities associated with the following:
- Patient requests to inspect and copy their records when “readily available” during an office visit. This could create privacy and security issues along with a financial burden. What equipment and space, such as viewing stations, will be required when PHI is requested for review? More clarity is also needed on how to determine when PHI is “readily available.”
- Requests for copies of PHI on electronic media such as CDs, or delivered by mail, for which only labor could be charged. What cost impact will this have? What are the compliance concerns? Consider that CDs are often the main copy format for medical images stored electronically in medical imaging picture archiving and communication systems.
- Fee changes related to patient-directed third-party requests. Specifically, when an individual directs that an electronic copy of their PHI in an electronic health record be sent to a third party, the fee that can be charged is a reasonable cost-based fee, limited to labor only. This contrasts with all other patient-directed third-party requests, where the fees are not subject to fee limitations.
As the need for interoperability continues to grow, these Privacy Rule changes reflect the move toward ease of access by individuals. While this change is necessary, and welcome in many respects, an individual’s privacy must still be protected. Finding the proper balance between patient access and compliance will be a challenge as certain safeguards are relaxed. In addition, there must be continued recognition of the cost of providing information as we migrate more seamlessly to interoperability.
If your organization did not respond to the NPRM,[9] we encourage you to visit the U.S. Department of Health & Human Services website and review the responses that were submitted.[10] Then follow up with your state and federal representatives to voice your concerns regarding the economic impact and any other potential issues.
Intersection of patient access and patient experience
Patient experience is central to every aspect of healthcare. Ensuring that patients have timely access to their own medical information empowers them to take charge of their healthcare decisions. With the implementation of value-based care initiatives, the roles of compliance officers and patient experience officers have become interconnected.
Patients expect and deserve easy, compliant access to critical information when needed for quality care. Communication between compliance and patient experience officers is necessary to meet the patient’s needs according to HIPAA compliance and other applicable facility policies. Together, they have a shared responsibility to ensure compliant patient access and improve the patient experience. The focus on patient access and enforcement actions sends a message to the healthcare industry to prioritize compliance with the HIPAA rules.
Takeaways
- An effective compliance program includes policies that ensure proper training and documentation to minimize the risk of Office for Civil Rights (OCR) enforcement action and its severity.
- OCR settlements are not limited to large health systems. Providers of all sizes must ensure patients’ right of timely access to their medical records.
- Civil monetary penalties indicate the need for a central repository staffed by professionals who understand the release of information process and know how to apply the rules and regulations.
- Proposed changes to the Privacy Rule are intended to improve patient access to protected health information and improve care coordination and case management.
- Patient access and patient experience officers share responsibility for ensuring compliant access to protected health information and improving the patient experience.