Rita Bowen (rbowen@mrocorp.com) is Vice President, Privacy, Compliance and HIM Policy at MRO, Norristown, Pennsylvania.
Disruption is the new normal. As a global civilization dealing with a worldwide pandemic, we’ve adapted to shifting guidelines, researched dubious news proclamations, and discovered a newfound appreciation for the routine. These three skills converge to support compliance professionals as they monitor HIPAA Right of Access Rule guidelines, research new enforcement actions, and hold steadfast to proven risk mitigation strategies.
This article provides an analysis of the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR) enforcement actions, outlines important areas for compliance in 2022, and shares the latest news on states’ push to enact their own consumer privacy laws. There are five valuable points for compliance professionals to adopt, research, and discover on their journey toward compliance with the HIPAA Right of Access Rule.
Analysis identifies five failure points
During the 2019 HIPAA Summit, OCR identified patients’ right of access to their information as an enforcement priority. Since then, OCR has conducted numerous investigations prompted by patient complaints about not receiving timely access to their records.[1] With few exceptions, HIPAA gives patients or their personal representatives the right to access, inspect, and copy their protected health information (PHI).
OCR continues to announce on its website the resolution of investigations under the HIPAA Right of Access Rule. Thus far there have been 27 enforcement actions since the Right of Access Initiative began,[2] with fines ranging from $3,500 to $200,000 and one- to two-year corrective action plans.
To date, the cases fall into five categories of failure. It is important for compliance professionals to understand each of these areas and mitigate properly through awareness, education, and action.
1. Failure to provide information from the defined DRS
The need for a consistent description of the designated record set (DRS) is one of the biggest compliance challenges for 2022. While the Healthcare Information and Management Systems Society, College of Healthcare Information Management Executives, American Health Information Management Association, American Medical Informatics Association, and others continually work to define consistent content for the DRS, the basic definition is a group of records maintained by or for a covered entity that was used in the care of the patient or in the payment of the claim.[3] This includes items such as medical and billing records, health plan records, and records that are used to make decisions about any individuals.
OCR found that one hospital failed to provide fetal heart monitor strips to a patient.[4] This case involved multiple requests.
The important point for compliance professionals is that any electronic health data used to make healthcare decisions about an individual should be easily accessible to that person.
2. Failure to properly recognize a patient’s personal representative
A patient’s personal representative has the authority under state law to make healthcare decisions for the individual.[5] The representative also has the right to access the patient’s PHI in a DRS and to direct the covered entity to transmit a copy of the PHI to a designated person or entity of the individual’s choice, upon request, consistent with the scope of such representation. Analysis of enforcement actions uncovered cases of adult patients with disabilities who designated a parent to act as the patient representative, but the parent was not recognized as such.
3. Failure to respond within the required time frame
Lack of timeliness was cited in several cases when the covered entity failed to respond to the patient request for access according to established timelines, and at a reasonable cost. OCR found that one health system failed to provide a patient with access to the medical record until five months after the initial request.[6] Records spanning several decades and/or multiple information systems are often the culprit in these cases. Review and update your record retention and destruction policies to mitigate risk of delayed response to patient requests.
4. Failure to recognize the difference between HIPAA authorization and right of access
The PHI that an individual would like to have disclosed to a third party under the HIPAA right of access could be disclosed by a covered entity pursuant to a valid HIPAA authorization. However, there are differences between the two types of disclosure.[7] The primary difference is that right of access is a required disclosure, and a HIPAA authorization is a permitted disclosure.
5. Failure to update compliance policies, procedures, and documentation
A thorough update of compliance policies is necessary, along with complete documentation of every effort taken to ensure compliance with HIPAA’s Right of Access Rule. When OCR enforcement actions occur, thorough documentation may be your most important asset.
While health information management (HIM) professionals are the preferred stewards of patients’ requests for records, compliance professionals remain key stakeholders in the effort to mitigate OCR enforcement action risk. To assist, the following section provides further details and explanations related to filling patient right-of-access requests.
Filling right-of-access requests
Right-of-access requests differ from HIPAA requests in five areas. Right-of-access requests:
- Should be in the patient’s voice (first party), say who is to receive the information, provide the address to which the information is to be sent for the designated individual, and be signed by the patient.
- Mandate that the covered entity act on the request no later than 30 days after the request is received, with a single extension allowed.
- Include reasonable safeguards, such as a requirement to send securely; however, the individual can request transmission by an unsecure medium.
- Limit fees as provided in 45 C.F.R. § 164.524(c)(4).
Covered entities may require use of the entity’s own supplied form, provided use of the form doesn’t create a barrier to the individual’s access or impose any type of delay. Furthermore, the entity should provide options for requesting PHI through means such as mail, email, fax, or portal. Access should be in the manner requested by the individual and provided in paper form when requested. The rule does make it clear that entities are not required to accept the security risk of using an individual’s own device to download any type of data.
Once armed with a stronger understanding of patient right-of-access requests, compliance professionals can focus on the third important point to know about HIPAA’s Right of Access Rule and the healthcare regulatory climate overall. Change is ahead.
Keep a watchful eye: Information blocking and state privacy laws
The patient access final rule will certainly remain a pressing priority for OCR enforcement well beyond 2022.[8] The steps listed earlier, in conjunction with focused efforts to monitor the HIPAA Right of Access Rule, are essential. This is especially true in light of the 21st Century Cures Act’s other mandate, the information blocking final rule,[9] and rumors of states pushing for their own privacy laws.
The Information Blocking Rule contained within the 21st Century Cures Act aims to improve access to health information and a connected healthcare ecosystem by establishing interoperability and anti-information blocking requirements.[10] In addition to the patient access final rule discussed throughout this article, information blocking rules push for better interoperability and data sharing across healthcare. The overarching goal is to achieve easier patient access to medical records and nationwide sharing of health information.
Ubiquitous sharing of health information has the potential to make a positive impact on every healthcare stakeholder if handled properly and securely. The 21st Century Cures Act and its accompanying final rules represent one of the most important opportunities to improve healthcare.
Micky Tripathi, National Coordinator for Health Information Technology at the Department of Health & Human Services, said at ViVE 2022, “The information blocking provisions of the Cures Act Final Rule are misnamed.”[11] Tripathi prefers to call them “information sharing” regulations. However, good information sharing is consented information sharing. Education and information governance are needed to achieve these goals and keep patients’ PHI private and secure.
Further clouding the waters of patient privacy compliance are recent actions by Massachusetts, Virginia, Colorado, and California regarding state-specific consumer privacy laws. In February, Massachusetts legislators advanced a data privacy bill intended to implement sweeping privacy provisions that would “make the Commonwealth a national leader in the regulation of data privacy and security,” according to The National Law Review.[12] Unfortunately, each state’s effort is unique. The laws and bills are far from uniform in their approach.
States’ laws pit privacy experts against technology developers in many cases. Will technology developers research all the varying state-based regulations and decide compliance isn’t worth it? Will the cost of compliance with disparate laws curtail much-needed digital advancements in healthcare? Contracts with providers for digital technologies are largely governed by HIPAA, but these new state laws could create a compliance nightmare.
Considering that 2022 continues to see congressional gridlock amid mid-term elections and continues to witness public anxiety about the economy and healthcare system, rapid action on healthcare regulations is doubtful. Context remains key while compliance professionals and HIM leaders move toward better monitoring and management of the HIPAA Right of Access Rule.
Four-point compliance checklist
- Define your organization’s DRS and ensure that any electronic health data used to make healthcare decisions about an individual is easily accessible to that person.
- Clarify the definition of a patient’s personal representative and educate teams accordingly.
- Review and update record retention and destruction policies to ensure the efficiency required for proper response time.
- Know the difference between HIPAA authorization and right of access.
Takeaways
- Most HIPAA Right of Access Rule claims have come from patients.
- There are five common areas of failure.
- Patient right-of-access requests for records are different from HIPAA requests for records.
- Awareness and education are needed.
- Several states are pushing for state-specific consumer privacy laws.