Multiple themes run through settlement agreements with HHS Office for Civil Rights (OCR) in its Right of Access Initiative, and they offer health care organizations lessons for improving their own procedures and processes on access to protected health information (PHI), according to a HIPAA expert.

Setting up a system to provide patients with access to their medical records may sound simple, but it’s not, said Frank Ruelas, corporate responsibility officer at St. Joseph’s Hospital and Medical Center, which is part of CommonSpirit Health, at the Virtual 41st Annual HIPAA Summit Feb. 27.^[1]

“The request for access to PHI is not linear. It’s not from A, B, C, D in a straight line. It has curves and permutations and combinations that we need to be able to manage,” he said. “So, it should be no surprise that even our own process can sometimes come into question because of various factors—such as process flows and such as employee performance—which can lead to a less-than-desired outcome.”

In fact, there are specific places where the system tends to break down, and where a PHI request can slip through the cracks, Ruelas said (see related chart).^[2]

“We have to know that when someone wants their PHI, we need to prepare that PHI,” Ruelas said. “And then once we receive that request and it’s met the requirements that we need to move forward, then we need to aggregate that information [and] get it ready for presentation. Often you will hear the terms ‘form’ and ‘format,’ which refer to the form and format of the PHI that the requester has asked us to provide it in. And then we actually provide that access.”