It has been a week (month?… year?) of uncertainty and nail-biting cliffhangers. However, we want to do our part to provide our readers with some resolution. In our last Compliance Article, we supplied you with yet another cliffhanger, promising to return to discuss the Office of Civil Rights’ (OCR) continued focus on enforcement of the Patient’s Right of Access under HIPAA. We know you have all been on the edges of your seats and we are back in this segment to make good on that promise.
PREVIOUSLY ON “OUR IDEAS – COMPLIANCE EDITION”
In our last segment, we discussed how the OCR had indicated a return to standard operations following the publication of a series of settlements under the HIPAA Privacy and Security Rules. We focused then on the importance of the (annual) security risk assessment as the first step in managing your organization’s risk profile.
Of course, while data breaches and security concerns tend to predominate HIPAA headlines, there is much more that goes into HIPAA compliance. Therefore, in this article, we are going to pivot to an often-neglected component of the HIPAA regulations: A Patient’s right of access to his or her designated record set and the duty of covered entities to provide the same in a timely and complete manner.
This topic is timely for two reasons. First, OCR has identified Patient Right of Access as a focus of enforcement starting in 2019. Since announcing their initiative a year and a half ago, OCR has settled nine investigations, six of which were concluded in the past two months. For providers, being aware of your responsibility to provide timely and complete access to requested records is therefore of great practical importance. As indicated by OCR’s evaluation of this initiative (and from our own collective experiences as patients or advocates for patients), this is also an area where (painting with a broad brush) improvement is needed. We’ll just say from the outset: twenty-two months (and only after the direct involvement of OCR) is too long for a patient to receive requested records (more on that case to follow).
Secondly, timely access to one’s medical record and the ability to direct its exchange and disclosure to providers and other third parties is essential in order for patients to be informed and empowered navigators of their health care. Aside from that (and really, isn’t that enough?), the interoperability of health data across relevant providers and care delivery systems is essential not only to the quality of care but as a prerequisite for the delivery of value-based care. For this reason, at the same time that OCR launched its enforcement initiative in an effort to improve outreach on and compliance with this issue, the Department of Health and Human Services (DHHS) was also developing its now finalized regulatory updates to HIPAA focusing on Patient Access and Interoperability. OCR’s focus on enforcing existing regulations, starting over a year ago, therefore constituted the vanguard in a broader movement that focuses on improving a patient’s ability to readily direct the disclosure of his or her health record by removing operational, technical, and “cultural” barriers.
With that thesis on why this is important, let’s look at the Right of Access under HIPAA.
DEFINING AND UNDERSTANDING RIGHT OF ACCESS
Under the Privacy Rule, individuals have the right to review and receive copies of their health records (defined as the “designated record set”) upon request. Providers and other covered entities may require that patients and their authorized representatives make these requests in writing and may take “reasonable” steps to verify the identity and/or authority of the person making the request. However, the rule requires that the covered entity provide the requested access (or respond explaining the need for an extension) within thirty days from the date of the request. Where copies are requested (as opposed to merely access to inspect the records), covered entities may charge a reasonable fee; however, this fee is restricted to the actual cost associated with creating the copies.
OCR LOOKS UNDER THE RIGHT OF ACCESS ROCK: SCENARIOS FROM RECENT SETTLEMENTS
“For too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law,”
-Roger Severino, Director of the Office of Civil Rights, December 2019
As indicated earlier in this article, problems with adherence to the Right of Access provisions under HIPAA aren’t new. Indeed, prior to the launch of the Right of Access Initiative in 2019, failure to comply with the right of access obligations was the third most frequently cited complaint resulting in an investigation by OCR.
Examination of recent settlements illustrates the breadth of the problem, as experienced by patients, as well as how seriously OCR is now taking these complaints.
The case of St. Joseph Hospital and Medical Center, a hospital based in Phoenix, Arizona, stands out as one example of the hurdles parents and other authorized representatives encounter when seeking the medical records of minors. In this case, the complainant, a mother, first requested a copy of her son’s medical records in January 2018. Despite repeated follow-ups, the Hospital did not provide the complainant with all of the requested records. It was only after OCR got involved in April 2018, and then the passage of yet another year, that the complete record set was turned over to the requestor in December 2019, nearly two years after the initial request.
As part of the resolution of this case, the Hospital agreed to a payment of $160,000 and will be subject to a corrective action plan and two years of monitoring by OCR.
The St. Joseph Hospital and Medical Center settlement is tied for the longest period for an outstanding record request to date; however, it isn’t far outside the average of other cases. In fact, of the nine Right of Access settlements to date, four reflect a waiting period of over a year since the initial request. While this is an admittedly select sample, we suspect that this isn’t an isolated instance.
A second point worth noting is that the OCR is pursuing enforcement actions vigorously across the board, and is not restricting financial settlements to the larger covered entities. Consider that half of the six settlements this year have been with mental health providers. This is notable because Right of Access excludes psychotherapy notes (when they are not maintained as part of other records and are, instead, maintained by the therapist for his or her own reference) from the designated record set subject to a patient’s right of access. This exception may lend itself to confusion and is the sort of area where, in the past, OCR may have been more disposed to address it through technical assistance and guidance. Pursuing settlements in these instances further demonstrates the Department’s commitment to “vigorously” enforcing the law and protecting patients’ right of access.
LOOKING FORWARD: INTEROPERABILITY
OCR’s Patient Right of Access enforcement initiative isn’t operating in a vacuum. Instead, it should be understood as part of a multi-pronged effort to encourage interoperability across networks and providers. As CMS Administrator Seema Verma stated in her 2019 keynote address at HIMSS (Healthcare Information Management Systems Society), “Technology and the sharing of data underpin the entire payment mechanisms in healthcare.” HIPAA compliance (or more specifically, a defensive misunderstanding or misapplication of HIPAA Privacy and Security regulations) is frequently cited as a barrier to the proper dissemination of health information across providers in the course of treatment of patients, and (as demonstrated by OCR’s enforcement initiative) even as it relates to patient-directed disclosures and management. Addressing this barrier is fundamental to creating a system that can support alternative payment models to simple fee-for-service. That is why DHHS’s updated regulations creating positive duties towards data exchange and technical interoperability are such a big deal.
Patient Right of Access, whether in the context of the enforcement of standing rights or as a statement of an underlying value, is at the center of this movement.
To learn more about these Final Rules, please watch me and my colleague Peter Freeman in our (snazzily titled) webinar: A Revolutionary Recalibration: HIPAA and Interoperability.