When it comes to pleasing patients, what hospital or physician wouldn’t want five stars? For decades, provider organizations and others have had to prove their mettle through HEDIS ratings and patient satisfaction surveys. But how they were doing when it came to HIPAA compliance was anybody’s guess, except for the rare organization that publicly faced sanctions imposed by the HHS Office for Civil Rights (OCR).
As RPP was going to press, OCR announced its first settlement agreement over a records access request OCR said was fulfilled months late (for more information, see http://bit.ly/2lMrP3i). The October issue will explore this settlement agreement, for $85,000 with a health system in St. Pete, Florida, in more detail.
The settlement comes on the heels of the “Patient Record Scorecard,” a new initiative to rate how well covered entities (CEs) comply with the right of access to medical records, guaranteed under the privacy rule. The early results of this fledgling effort are not so good and could give OCR more easy enforcement targets, although the developers of the scorecard say that’s not their goal. Of 51 organizations that received a records request, just nine rated five stars as part of the project launched by Ciitizen Corp., a health care records startup firm initially focused on assisting patients with cancer. Among the aspects measured were how quickly records were sent and whether patients were able to get them in the “form and format” of their choosing, as required under HIPAA.
Founded by former Apple Health Director Anil Sethi, Ciitizen also has at its helm Deven McGraw as chief regulatory officer. McGraw left her position as OCR’s deputy director for health information privacy to join Ciitizen in 2017 (“HIPAA Doesn’t Mean ‘No’: McGraw Shares OCR Insights as She Joins Records Start-Up,” RPP 17, no. 11).
RPP has documented problems with access compliance at least since 2014, and even the Government Accountability Office has chimed in (“GAO Opens Pandora’s Box of Records Access, Finds Variable Fees, Widespread Frustration,” RPP 18, no. 6).
Ciitizen released the scores for the 51 organizations in August, then provided a quick update early this month. To bolster its findings, Ciitizen also conducted a phone survey of 3,000 CEs to see if their processes showed they were likely or unlikely to be compliant in handling a records request; those groups didn’t fare much better.
Four Major Access-Related Tasks
The 51 organizations were awarded stars based on compliance with the four related components of filling access requests. These also provide a handy cheat sheet for providers to check their own practices.
“Provider accepts requests by email or fax: Providers may not create a barrier to access by requiring patients to submit requests in person or by mail.
“Records were sent in the format requested to the patient’s designated recipient: The provider sends the records in the format the patient requests, which is in digital form by email (or upload to portal) for text, CD for images, and sends it to the third party designated by the patient.
“Records were sent within 30 days: The provider responds to the request within 30 days of receipt (or, if within 30 days they provided a written statement of reasons for the delay and the date by which the records would be provided, the records were received within 60 days of receipt of the request).
“No unreasonable fees charged for the request: Providers may only charge reasonable, cost-based (i.e., minimal) fees to cover labor costs of copying and supplies.”