Guest Column | August 17, 2022

Provider Compliance Tips Amid Increasing Patient Access Rights

By Elizabeth A. Delahoussaye, RHIA, CHPS


Last month, the HHS Office for Civil Rights (OCR) shared details of 11 HIPAA Right of Access resolutions. Each resolution involved a settlement payment to resolve alleged HIPAA Privacy Rule violations, and many covered entities were further required to undertake standard corrective action plans. OCR, which enforces federal civil rights laws that protect the rights of individuals and entities from unlawful discrimination based on race, color, national origin, disability, age, or sex in health and human services, is the main body that receives patient right of access complaints and helps providers with HIPAA compliance.

The information blocking rule, issued in 2020 as part of the 21st Century Cures Act, prevents any practice that is likely to interfere with accessing, exchanging, or using electronic health information (EHI), with some limitations. This rule gives patients the right to request and/or obtain their health data from providers efficiently, enabling greater access to information and more control over their health decisions. As additional requirements will take effect in October, unprepared providers are growing concerned about enforcement, implications, and monetary fines. Strategies for maintaining compliance are critical as they relate to regulatory updates and the release of patient information.

Common reasons for noncompliance

Patient right of access to data, or more specifically EHI, can be tricky to navigate, so failing to fulfill a medical records request is not out of the ordinary. Noncompliance often results from unintentional inconsistencies in either policy or practice. As an expert in HIPAA and privacy issues, I’ve noticed the following common mistakes as well as failings regarding civil rights adoption plans and investigations:

  • The provider doesn’t resolve the complaint.
  • The provider doesn’t know what the patient is allowed to have and, therefore, doesn’t understand what acceptable documentation is. 
  • The provider doesn’t supply the correct information.
  • The provider doesn’t follow the direction and education of the OCR by updating policy and procedures to ensure compliance.
  • The provider doesn’t ensure relevant staff members understand and have access to the entire designated record set.
  • The provider fails to meet the requirement for timeliness of access. (Typically, providers have 30 calendar days to comply with a patient record request, but this may vary by state.)
  • The provider doesn’t ensure the facility forms for patient release are clear.
  • The provider charges the patient an incorrect fee for the reproduction of records.

Generally speaking, providers should outline detailed policies for handling regulatory complaints and patient data requests and ensure that all elements of designated record sets are identified and retrievable.

OCR guidance for assistance

Providers are not alone as they navigate the compliance waters of patient access. The OCR remains a resource, guide, and advocate for effective communication between patient and provider. If a patient feels their rights have been violated and files a complaint, the OCR will respond in one of three ways:

  • Conduct an informal phone call to gather information about the complaint, offer advice, and supply training to help the provider deliver the necessary information. If the provider follows this direction successfully, the complaint is closed.
  • Offer technical assistance as a more formal means of inquiry and communication whereby OCR reviews documentation and may offer education. This is a more stringent warning, calling for diligence and awareness from the provider.
  • Issue a data request, a more detailed response for severe issues or those that are common for a particular provider.

Regardless of the response, OCR investigators are resources that help providers resolve issues and maintain compliance. Recent regulatory changes highlight the importance of giving patients better and more timely access to their own health information.

Elizabeth A. Delahoussaye, RHIA, CHPS, is the Chief Privacy Officer for Ciox.