With the HHS Office for Civil Rights (OCR) laser-focused on enforcement of HIPAA’s right of access, UofL Health in Louisville, Kentucky, figured the time was ripe to audit its policies and procedures for responding to requests for patient records. Its internal audit found a few things to improve, such as ensuring patient requests for medical records are uniformly fulfilled by the 30-day deadline and that authorizations are valid. The audit also raised the larger question of where the best place is for oversight of health information management.
“That was probably my biggest thought throughout it,” said Shelly Denham, senior vice president of compliance, risk & audit services. “Where does it make sense from a risk perspective?”
The HIPAA privacy rule guarantees patients the right to access (i.e., inspect and obtain a copy of) their medical and other records. Covered entities have 30 days to respond to a patient’s request for access, with an optional one-time 30-day extension. Covered entities and business associates operating on their behalf may charge patients a reasonable, cost-based fee, known as the patient rate, for a copy. (OCR’s proposed revisions to the privacy rule would “require that access be provided ‘as soon as practicable,’ but in no case later than 15 calendar days after receipt of the request, with the possibility of one 15-calendar-day extension.”)