Patient Right of Access – what does this really mean?

HIPAA Privacy Rule

Mishandling a patient's right of access can have serious consequences. The obligation begins the moment a patient makes the request. HIPAA prohibits unreasonable measures when patients request access to their medical records.

Most practices think this request MUST be in writing. Although a written request is ideal, insisting on one can cause a problem when the patient is not able to come to the office. The first alternatives that come to mind are a fax machine or an email account. What do you do if the patient has access to none of these? One method is to verify the phone number you have on file, call the patient back at that number, and then ask for the last four digits of their Social Security number or other identifying information.

Keep in mind there is a time limit to this! Currently you have up to 30 days to comply with the request, plus one 30-day extension (provided you advise the patient or representative that you will need more time and give them the date by which the records will be available). We do not recommend waiting until the "29th" day. You should respond as soon as possible. NOTE: We expect this time frame to be reduced to 15 days, with one 15-day extension, this year. I cannot stress the importance of this enough because of the fines that have been assessed for non-compliance.

As of today, 45 cases have been resolved under the OCR's HIPAA Right of Access Initiative. Only a few fines were under $10K; most ranged from $25K up to $200K. Some of these fines were assessed against small dental practices and even cash-only plastic surgery practices. The latest is $80K from UnitedHealthcare. No practice or health plan is immune!

Should your practice be investigated by the OCR because of ONE incident, they will investigate ALL areas of HIPAA compliance. It is important to stay on top of ALL areas. Don’t forget to review your website too!

The OCR sent out ANOTHER reminder about online tracking technologies. This is the third notice, counting the letters sent to hospitals and telehealth providers. They are actively reviewing healthcare websites, and they specifically state that the use of Meta/Facebook pixels and Google Analytics could be a violation.

https://www.hhs.gov/sites/default/files/ocr-ftc-letters-re-use-online-tracking-technologies.pdf

If you use any online technology that collects personal identifiers from patients or site visitors, the vendor must be covered by a business associate agreement. If the vendor will not sign one (many analytics and advertising vendors will not), the tool must not be allowed to receive protected health information. Even with an agreement in place, be very careful about what is done with this information. It only takes one patient complaint to start an investigation.
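As an added illustration of the website review recommended above (example code written for this edit, not the article's or Aris Medical Solutions' own tooling), the Python script below scans a page's HTML for the Meta Pixel and Google Analytics / Tag Manager loaders that the OCR/FTC letter names. The tracker host list, the inline-snippet signatures and the sample page are assumptions constructed for the example. A hit means the page needs review, not that a violation has occurred, and it says nothing about what data the tracker actually receives.

```python
"""Added example (not code from the article or Aris Medical Solutions):
a first-pass scan of a page's HTML for the Meta Pixel and Google
Analytics / Tag Manager loaders named in the OCR/FTC letter. The host
and signature lists are assumptions taken from the vendors' public
installation snippets and are not exhaustive.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames that serve the tracker scripts (assumed list; extend as needed).
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",
    "www.googletagmanager.com": "Google Tag Manager / GA4",
    "www.google-analytics.com": "Google Analytics",
}

# Signatures of the inline bootstrap snippets and their measurement IDs.
INLINE_PATTERNS = [
    (re.compile(r"\bfbq\s*\("), "Meta Pixel (inline fbq call)"),
    (re.compile(r"\bgtag\s*\("), "Google tag (inline gtag call)"),
    (re.compile(r"\b(?:ga|_gaq)\s*[.(]"), "Universal Analytics (inline ga/_gaq)"),
    (re.compile(r"\b(?:UA-\d{4,}-\d+|G-[A-Z0-9]{6,}|GTM-[A-Z0-9]{4,})\b"),
     "Google measurement/container ID"),
]


class TrackerScanner(HTMLParser):
    """Collect tracker references from src attributes and inline scripts."""

    def __init__(self):
        super().__init__()
        self.findings = []        # ordered, de-duplicated (where, what) pairs
        self._in_inline_script = False
        self._buf = []

    def _add(self, where, what):
        if (where, what) not in self.findings:
            self.findings.append((where, what))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src") or ""
        if tag in ("script", "img", "iframe") and src:
            # Absolute and protocol-relative URLs have a hostname; same-origin
            # paths do not and are ignored.
            host = (urlparse(src).hostname or "").lower()
            if host in TRACKER_HOSTS:
                self._add(tag, f"{TRACKER_HOSTS[host]} via {host}")
        if tag == "script" and not src:
            self._in_inline_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            self._in_inline_script = False
            body = "".join(self._buf)
            for pattern, label in INLINE_PATTERNS:
                if pattern.search(body):
                    self._add("inline", label)
            # Bootstrap snippets inject the loader URL from JavaScript.
            for host, label in TRACKER_HOSTS.items():
                if host in body:
                    self._add("inline", f"{label} loader referencing {host}")


def scan_html(html):
    """Return the list of (where, what) tracker findings for one page."""
    scanner = TrackerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page for demonstration; the IDs are placeholders.
SAMPLE_PAGE = """<!doctype html><html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-ABCD123456"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('config', 'G-ABCD123456');
</script>
<script>
  !function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){n.callMethod?
  n.callMethod.apply(n,arguments):n.queue.push(arguments)};t=b.createElement(e);
  t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}
  (window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '1234567890'); fbq('track', 'PageView');
</script>
<noscript><img src="https://www.facebook.com/tr?id=1234567890&ev=PageView&noscript=1"/></noscript>
<script src="/assets/app.js"></script>
</head><body><h1>Request an Appointment</h1></body></html>"""

if __name__ == "__main__":
    for where, what in scan_html(SAMPLE_PAGE):
        print(f"{where:7s} {what}")
```

Run it against the saved HTML of every public page a patient might visit (appointment request, portal login, condition and service pages). The script does not execute JavaScript, so tags that a tag manager container injects at runtime will not appear in the output; for those, inspect the browser's network requests to the same hosts while loading the page.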

If you would like us to review your website, use the contact us page.

Click here to find out more about how our online HIPAA Keeper™ can help your organization with HIPAA compliance.

“Simplifying HIPAA through Automation, Education, and Support”

About Suze Shaffer

Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that clients who understand why and what needs to be done to protect their practice have better outcomes.

Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas.

She has spoken at numerous conferences and functions. She continues to educate organizations on how to minimize the risks of data breaches. HIPAA compliance is not an option; it is mandatory for every organization that comes in contact with protected health information to have reasonable and appropriate security measures in place. Unfortunately, most organizations don't realize they are not compliant until they suffer a data breach or are faced with an audit or investigation.

Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance?

All 50 states now have their own privacy laws, and a state's Attorney General may also investigate privacy violations!

©2024 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy