E-News Exclusive

Patient Right of Access and the Path to Compliance

By Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB

HIM professionals play an increasingly critical role in privacy and security, release of information (ROI), protected health information (PHI), disclosure management, interoperability, patient access, and more. Those in the health care industry need to keep informed about issues surrounding patient access to records and the ongoing path to compliance.

The HHS Office for Civil Rights (OCR) has conducted numerous investigations since 2019 due to patient complaints about not receiving timely access to their records. On November 30, 2021, the OCR announced the resolution of five investigations in its HIPAA Right of Access Initiative, bringing the total number of these enforcement actions to 25 since the initiative began.

To date, these cases can be stratified into four basic categories. This article examines each of these categories and clarifies where matters presently stand with regard to the patient’s right of access.

Failure to provide information from the defined designated record set (DRS). The need for a consistent description of the DRS is one of the biggest challenges we face going into 2022. According to HIPAA, a DRS is defined at 45 CFR 164.501 as a group of records maintained by or for a covered entity, including the following:

• Medical records and billing records about individuals maintained by or for a covered health care provider;
• Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
• Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. This last category includes records that are used to make decisions about any individuals, ie, whether the records have been used to plan about the particular individual requesting access.

OCR found that one hospital failed to provide fetal heart monitor strips to a patient, a second hospital failed to provide diagnostic films to a patient, and a third hospital failed to send the patient’s records to a third party. Each of these cases involved multiple requests.

Provider organizations are having difficulty determining what the DRS includes and how to make it flow seamlessly from different systems. Any electronic health data used to make health care decisions about an individual should be easily accessible to that person. HIMSS, CHIME, AHIMA, AMIA, and others are working to define consistent content for the DRS in a way that supports and prioritizes patient access and interoperability.

Failure to properly recognize a patient’s personal representative. Consider the case of an adult patient with disabilities who designated a parent to act as the patient representative. Though the parent was the designated representative and had medical power of attorney, the parent was not recognized as the patient representative. A patient’s personal representative has the authority under state law to make health care decisions for the individual. The representative also has the right to access the patient’s PHI in a DRS and to direct the covered entity to transmit a copy of the PHI to a designated person or entity of the individual’s choice, upon request, consistent with the scope of such representation.

Failure to respond within the required time frame. Lack of timeliness continues to pose problems. In some cases, the covered entity failed to respond to the patient request for access according to established timelines, and at a reasonable cost. OCR found that one health system failed to provide a patient with access to the medical record until five months after the initial request. One issue cited by providers is the time required to pull records covering several decades. In such cases, facilities should review and update their record retention and destruction policies to ensure efficiency required for proper response time.

Timeliness

• Access must be provided within 30 calendar days from receipt of the individual’s request.
• A one-time extension of no more than 30 days beyond the original 30 calendar days is allowed.
• The covered entity must notify the individual in writing within the original 30 days of the reason for delay and the date by which the access to PHI will be provided.

Failure to recognize the difference between HIPAA authorization and right of access. The PHI that an individual would like to have disclosed to a third party under the HIPAA right of access could be disclosed by a covered entity pursuant to a valid HIPAA authorization. However, there are differences between the two types of disclosure. The primary difference is that right of access is a required disclosure, and a HIPAA authorization is a permitted disclosure.

Click to enlarge

Unfortunately, many covered entities continue to operate without the guidance of a security or compliance officer who has the expertise needed to implement policies that ensure compliance. Because ROI is such a detailed and intricate process, all covered entities must ensure compliance with the standards.

One way to achieve that goal is to designate a specific department to the effort and consider outsourcing management of the ROI process. By partnering with a knowledgeable vendor to centralize ROI, an organization can ensure that someone else is responsible to learn the guidelines, implement policies and procedures required to follow the guidelines, ultimately enforce the guidelines, and continually assess and adjust as needed. Further, centralized ROI supports efforts to ensure a positive patient experience by funneling information through a secure gateway.

As the focus on enforcements and penalties heightens, analysis of recent actions is essential to developing an effective compliance plan. Patient access will certainly remain a pressing priority for OCR enforcement well into the future.

Five Steps to Take If You Have Not Already Done So

• Review OCR resolution agreements and civil money penalties.
• Update your compliance program or create one.
• Document actions to show evidence of efforts to comply.
• Create a compliance officer role to monitor the ever-changing regulatory climate.
• Conduct a gap analysis to document that you have no intent to engage in blocking patients from accessing their medical records.

— Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, is vice president of privacy, compliance and HIM policy at MRO. In this role, she ensures new and existing client HIM policies and procedures are to code. Bowen also serves as the company’s privacy and compliance officer, assuring timely reporting of any disclosure incident. She is also responsible for reviewing legislation to assure industry response and compliance within MRO. Bowen has more than 40 years of experience in HIM, holding a variety of HIM director and consulting roles. Bowen currently sits on The Sequoia Project Board of Directors and is an active member of AHIMA. She served as AHIMA president and board chair, as a member of the Board of Directors for six years, and of the Council on Certification for three years. Bowen has also served on the AHIMA Foundation Board of Directors, serving as its board chair. She has been honored with AHIMA’s Triumph Award in the mentor category; she is also the recipient of the Distinguished Member Award from the Tennessee Health Information Management Association. Bowen is an established author and speaker on HIM topics and has taught HIM studies at Chattanooga State and the University of Tennessee Memphis.