Patients’ right of access has extreme consequences if they are not handled properly. It starts the moment a patient makes this request. HIPAA prohibits unreasonable measures when patients request access to their medical records.
Most practices think this request MUST be in writing. Although this is ideal, sometimes it can cause a problem when the patient is not able to come to the office. The first alternative we are thinking of is using a fax machine or an email account. What do you do if they do not have access to any of these options? One method you can use is to verify the number you have on file and call them back at that number. Then asking for the last 4 of their social security number, or another identifying information.
Keep in mind there is a time limit to this! Currently you have up to 30 days to comply with this request, and one 30-day extension (if you advise the patient/representative that you will need more time and you give them a date when they will be available). We do not recommend waiting until the “29th” day. You should respond as soon as possible. NOTE: We expect this time frame to be reduced to 15 days, with one 15-day extension this year. The reason I can’t stress the importance of this enough is due to the fines that have been assessed for non-compliance.
As of today, there have been 45 cases resolved under the OCR’s HIPAA Right of Access Initiative. Only a few fines were under $10K, most of the fines were upwards of $25K to $200K. Some of these fines were small dental practices and even cash practices for plastic surgery. The latest is $80K from UnitedHealthcare. No practice or health plan is immune!
Should your practice be investigated by the OCR because of ONE incident, they will investigate ALL areas of HIPAA compliance. It is important to stay on top of ALL areas. Don’t forget to review your website too!
The OCR sent out ANOTHER reminder about online tracking technologies. This is the 3rd notice, and includes the letters sent to hospitals and telehealth providers. They are actively reviewing healthcare websites. They specifically state the use of Meta/Facebook pixels and Google Analytics could be a violation.
https://www.hhs.gov/sites/default/files/ocr-ftc-letters-re-use-online-tracking-technologies.pdf
If you use any online technology that collects personal identifiers, you must have a business associate agreement in place. With that said, be very careful with what you do with this information. It only takes one patient complaint to start an investigation.
If you would like us to review your website, use the contact us page.
Click here to find out more how our online HIPAA Keeper™ can help your organization with HIPAA Compliance.
“Simplifying HIPAA through Automation, Education, and Support”
