HIPAA Challenges: The OCR: Friend, Not Foe
By Elizabeth A. Delahoussaye, RHIA, CHPS
For The Record
Vol. 34 No. 2 P. 6
When addressing release of information concerns, avoid common mistakes and rely on an ally.
When a patient files a right of access complaint with the Office for Civil Rights (OCR), the agency may issue technical assistance to the provider. If the patient’s right of access is not granted—typically in the form of a medical records release—the OCR will again step in, sometimes with the issuance of fines, which in recent years have ranged from $3,500 to $200,000.
This process began in 2019 when the OCR director spoke at the National HIPAA Summit to express frustration with the number of complaints the division was receiving regarding patient right of access. While the OCR continued to issue technical assistance letters, patients were not receiving their records in a timely manner. At the time, OCR planned to issue civil monetary fines to correct the issue and reduce the large number of requests. Provider inaction has resulted in dozens of these monetary penalties for violations.
OCR violations are not uncommon—patient right of access can be tricky to navigate. Unintentional inconsistencies in either policy or practice can cause providers to be noncompliant with complicated regulatory requirements. In my role as a chief privacy officer, I’ve witnessed many documentation mistakes involving OCR violations and subsequent investigations.
Furthermore, the pandemic has led to numerous changes at provider organizations that are hampering release of information (ROI) operations. Staffing challenges, increased patient loads, and unexpected remote work environments are impacting the ability to meet patient requests in a timely manner.
It’s important to know that the OCR is there to assist and be a resource—preferring to work with providers rather than against them. Furthermore, there are proactive steps that organizations can take to avoid patient right of access penalties. It begins with a commitment to rigorous compliance to ROI matters. For HIM professionals, responsibilities lie not only in medical records but also in helping to meet the various demands of health information access as required by HIPAA.
Addressing Patient Complaints
Patients who believe their right of access has been violated can file complaints against their providers. OCR addresses complaints in one of the three following ways:
• An OCR representative will call the provider to get a quick summary of the situation and brainstorm ways the patient can acquire their information. The provider can use this impromptu discussion to gain support and guidance about the case. The conversation often leads to a conclusion, which the OCR will put in writing. Examples include a recommendation to communicate with the patient to clarify the request or to explain what records may be provided.
• The OCR can offer technical assistance, which is a more formal intervention. The OCR has reviewed what the patient submitted as their documentation for the complaint—deeming it adequate—and in response, it provides education about how and where the provider may have failed in providing access to information as requested. After giving this direction, the OCR will note the details in a technical assistance letter indicating that the case is now closed. But don’t be misled—this is not a “get-out-of-jail-free card.” Optimally, providers will use this opportunity to evaluate policies and procedures that potentially prompted the complaint and close those gaps so the issue does not repeat itself.
• The OCR can issue a data request, a document to the provider detailing the complaint and requesting information about the provider’s policies. This tends to be the approach if the issue at hand is severe or repeated. In the last two years, these data requests have become more detailed, including calls for financial information from the provider, a request that is likely related to the potential fines that may be imposed should the situation not be resolved.
It’s important that providers have a response strategy in place for data requests and even technical assistance. Policies should include contacting the patient directly to fully understand the complaint and document the conversation. This will “score points” with the OCR and possibly help avoid substantial monetary penalties.
Remember the OCR assigns an investigator to every technical assistance citation. This person is a resource to the provider organization to help clarify violations, understand the provider’s perspective, and offer guidance on pesky compliance gaps for a smoother future. The ultimate goal is resolution of the patient’s complaint—there is simply no need to turn a cold shoulder to the investigator or the OCR at large.
Common Technical Assistance Faux Pas
No provider wants to suffer financial consequences as a result of failing to heed the advice of an OCR investigator. Also, keep in mind that the patient may very well file a second complaint. It’s important to release the information to the patient in a timely manner. Otherwise, the OCR will likely decide the provider is not compliant under the Privacy Rule.
The following are the primary reasons why this may be the OCR’s conclusion:
• The provider doesn’t resolve the complaint that resulted in the technical assistance.
• The provider is unaware of what the patient (or the patient’s representative) is allowed to have and, as a result, doesn’t understand the requirements for acceptable documentation.
• The provider doesn’t follow the direction and education of the OCR by updating policy and procedures to ensure compliance with the privacy rules.
• The provider doesn’t provide the correct information to the patient’s representative.
• The provider doesn’t ensure staff understands and has access to the entire designated record set.
• The provider doesn’t understand the importance of timeliness of access. (They have 30 calendar days to comply with a patient record request.)
• The provider doesn’t ensure the facility forms for patient release are clear. (They should indicate the specific records and whether there are multiple facilities from which the patient is requesting information.)
• The provider charges an incorrect fee for reproducing records directly to patients.
How to Avoid Violations
Providers can set themselves up for success by educating staff regarding access to information issues. Start by consulting with the organization’s legal department to establish clarity on all access policies and procedures. For example, staff should be aware of who has the right to a patient’s information (the patient or a personal representative).
Ensure various departments understand what’s contained in the designated record set—any documentation the provider has utilized during the continuation of care for that patient—and where this documentation can be found to ensure complete access by the patient.
Provider entities also must take the time to investigate all technical assistance thoroughly. Research what exactly prompted the filing of the patient complaint and close any gaps to ensure the issue does not occur again. If there was a valid reason for denying the patient access, communicate that to the OCR.
HIM leaders and professionals help set the tone for the provider organization’s approach to ROI. As medical records requests continue to evolve, providers must learn to evolve, too. Apply a proactive, communicative, and thorough approach, and don’t be shy about taking advantage of an opportunity to leverage the OCR’s assistance throughout the process.
— Elizabeth A. Delahoussaye, RHIA, CHPS, is chief privacy officer at Ciox Health. With more than 20 years of health care experience, she is responsible for all aspects of the company’s privacy functions, planning and directing of compliance functions, and ensuring the organization is compliant with all federal and state regulations.