When a patient or a patient’s representative requests a copy of medical records it is very important to act promptly. Currently you have 30 days to comply with this request, and one 30-day extension (if you advise the patient/representative that you will need more time and you give them a date when they will be available). We expect this time frame to be reduced to 15 days, with one 15-day extension this year. The reason I can’t stress the importance of this enough is due to the fines that have been assessed for non-compliance. As of today, there have been 43 cases resolved under the OCR’s HIPAA Right of Access Initiative. Only a few fines were under $10K, most of the fines were upwards of $25K to $200K.
Another area that we must stress the importance of is disgruntled employees, patient complaints, and data breaches. Should your practice be investigated by the OCR because of ONE incident, they will investigate ALL areas of HIPAA compliance. It is important to stay on top of ALL areas. Don’t forget to review your website too!
One special note: If you use a Contact Us form on your website, you must use encryption on your website (https), to ensure the data transmitted is secure. Then you must review where these messages are delivered to and to which devices. Many website developers do not under the HIPAA rules and offer website features that may cause liability if not properly protected. Again, this also includes the devices utilized to receive the information and how this information is stored. If you do not receive very many of these messages, we recommend removing the liability.
In case you have not seen some examples of the fines, check out our Education Tab:
If you are using our HIPAA Keeper™ 7-step system, you are well ahead of many other practices with HIPAA documentation. If you are not using our system, Click here to find out more how our online HIPAA Keeper™ can help your organization with HIPAA Compliance.
Or to schedule a demo click the contact us tab and scroll down.
“Simplifying HIPAA through Automation, Education, and Support”
It is the start of a new year and one thing we know for sure; nothing stays the same. Rules change, technology changes, and we must keep up. We wrote about the new Information Blocking Rule last July, but we have found many practices still do not understand what this means to them.
When the EHR Meaningful Use criteria was introduced in 2013, CMS stated that practices did not have to implement specific technology if a patient requested their information in a format that they did not have in place. This has all changed with the Information Blocking Rule that was passed in 2021. Part of the Interoperability Standard requires medical providers and health information companies to share patient data upon patient request. This Rule makes it very clear when it comes to patients and the control they have over their information. This is also known as “right of access”.
In the past EHRs was hesitant to open their portals due to security issues. Now, it is required to have security measures in place and share the data. There are some exceptions, but be forewarned, they are vague, and could be misinterpreted.
Penalty guidelines are in place for IT operators and health information companies, they are still working on the guidelines for medical providers. This gives you a limited amount of time to get ready for heavy enforcement.
Patients are now permitted to request their information be made available in the format of their choice. This includes to a third-party app installed on their mobile devices. These apps should protect patient data by supporting secure access through authentication processes similar to what the financial industries use.
When a patient makes a request and you do not have the technology in place to grant their request, you are obligated to comply with their request if possible or contact your technology vendors to see if this can be accomplished. If you do not, this could be considered Information Blocking. We recommend contacting your EHR and starting a conversation with them to ensure they are working on interfaces with other EHRs and some of the most common mobile apps.
There are some companies working on this technology, from what I have heard, they are limited. I am sure more will be adding this service as we progress. Before you hire a company to “develop” an interface for you, read below.
NOTE: If a patient requests their medical provider to share their information with another entity that is not a covered entity or a business associate, the information is not subject to the HIPAA rules. For example, the covered entity would not have HIPAA responsibilities or liability if such an app that the patient designated to receive their ePHI later experiences a breach. If a patient requests a covered entity to send their ePHI using an unsecure method the covered entity must grant the disclosure if it is readily available in the form and format used by the app. However, it is highly recommended to advise the patient of the lack of security so they can make an informed decision.
On the other hand, if the app was developed for, or provided by or on behalf of the covered entity and it creates, receives, maintains, or transmits ePHI on behalf of the covered entity, the covered entity could be liable under the HIPAA Rules for a subsequent impermissible disclosure because of the business associate relationship between the covered entity and the app developer. For example, if the patient selects an app that the medical provider uses to provide services to their patients involving ePHI, the medical provider may be subject to liability under the HIPAA Rules if the app impermissibly discloses the ePHI received. If you choose to develop or work with a company that has developed an app, be sure to obtain a BA agreement and review their technology security to ensure they are following the HIPAA requirements.
As we venture into this new territory, there will bad actors trying to “jump” on the healthcare wagon. As always, do your research before using any new applications or vendors. Ask your colleagues and most of all, check out their credentials.
To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:
Medical professionals have had a rough year and a half. This has been trying times for so many and we have had to learn to adapt to new ways of running practices. I was hoping to be able to share some good news during this time of thankfulness and joyous season, but the Office for Civil Rights do not take breaks… This is not meant to be disrespectful but to inform you that when a patient files a complaint, the OCR takes that seriously and will open an investigation. So, during this holiday season, please stay vigilant to patient requests. Be sure to have the patient make the request in writing and no sticky notes allowed! DOCUMENTATION is your friend, not your enemy. Make sure this task is completed in a timely manner. These forms are included in your HIPAA compliance program if you do not have one already in use.
The Office for Civil Rights is VERY interested in how timely you answer a patient’s request to access their medical records. This is known as “Right of Access”. A patient has the “right” to request a copy of their medical records and this should be provided within 30 days, or if additional time is needed, a 30-day extension may be permitted if the patient has been notified of the reason and the delay with a date that the records will be made available.
In September the OCR announced the twentieth settlement for right of access violations. Earlier this month, they announced five more.
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced the resolution of five investigations in its Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative, bringing the total number of these enforcement actions to twenty-five since the initiative began. OCR created this initiative to support individuals’ right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule.
HIPAA gives people the right to see and get copies of their health information from their healthcare providers and health plans. After receiving a request, an entity that is regulated by HIPAA has, absent an extension, 30 days to provide an individual or their representative with their records in a timely manner.
“Timely access to your health records is a powerful tool in staying healthy, patient privacy and it is your right under law,” said OCR Director Lisa J. Pino. “OCR will continue its enforcement actions by holding covered entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed.”
OCR has taken the following enforcement actions that underscore the importance and necessity of compliance with the HIPAA Right of Access:
Advanced Spine & Pain Management (ASPM), which provides management and treatment of chronic pain services in Cincinnati and Springboro, Ohio, has agreed to take corrective actions that include two years of monitoring, and has paid OCR $32,150 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
Denver Retina Center, a provider of ophthalmological services in Denver, CO, has agreed to take corrective actions that includes one year of monitoring and has paid OCR $30,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
Dr. Robert Glaser, a cardiovascular disease and internal medicine doctor in New Hyde Park, NY, did not cooperate with OCR’s investigation or respond to OCR’s data requests after failing to provide a patient with a copy of their medical record. Dr. Glaser waived his right to a hearing and did not contest the findings of OCR’s Notice of Proposed Determination. Accordingly, OCR closed this case by issuing a civil money penalty of $100,000.
Wake Health Medical Group, a provider of primary care and other health care services in Raleigh, NC, has agreed to take corrective actions and has paid OCR $10,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
There are many other fines being assessed that can be reviewed on the HHS/OCR website. This is not meant to scare you but rather inform you what they are doing so you can stay safe and prosperous.
All of us at Aris Medical Solutions want to wish everyone a safe and wonderful holiday season. We do not take breaks either, we are here to help you!
To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:
Many covered entities struggle to understand what is “right of access” for individuals. Under HIPAA and the Omnibus Rule, a patient has the “right” to request a copy of their medical record in the format of their choice (if available). What this means is, a medical provider is not required to purchase special equipment or software to meet these requests. With that said, if a patient requests a CD or DVD of their medical records and you do not have a DVD drive, you would not necessarily be required to purchase one. Keep in mind, DVD drives are only about $25 and it would not be unreasonable for a practice to purchase one. Of course, the ideal situation would be to direct the patient to your EHR portal and download it themselves. However, you can’t require them to do so.
When a patient requests the right to access their PHI (protected health information), be sure to have the patient sign a written request and make note of the date. A provider has 30 days to supply the patient with this information. To extend the time, the covered entity must, within the initial 30 days, inform the individual in writing of the reasons for the delay and the date by which the covered entity will provide access. Keep in mind, only one extension is permitted per access request.
The next area of confusion is the fee limitation. Copying fees for medical records are set by individual states and typically refer to the cost of labor, printing, and delivery of paper or electronic data. The labor fee does not permit the provider to charge for the preparation of the data but labor costs could include skilled technical staff time spent to create and copy the electronic file, such as compiling, extracting, scanning and burning [PHI] to media.
The Flat Fee rate option is not cap, merely an option rather than calculating the actual cost of labor and printing. Many providers are utilizing this method since it is easier than calculating the actual costs.
On January 23, 2020, a federal court vacated the “third-party directive” within the individual right of access “insofar as it expands the HITECH Act’s third-party directive beyond requests for a copy of an electronic health record with respect to PHI (protected health information) in an electronic format.” Additionally, the fee limitation set forth at 45 C.F.R. § 164.524(c)(4) will apply only to a patient’s request for access to their own records, and does not apply to a patient’s request to transmit records to a third party.