Gerry Blass, President & CEO, ComplyAssistant
Helen Oscislawski, Esq., Founder & Managing Partner, Attorneys at Oscislawski LLC
A February 1 article published in Briefings on HIPAA focuses on recent findings from the Office for Civil Rights’ much-anticipated 2016-2017 HIPAA Audits Industry Report released in December 2020. The article shines a light on some of the flaws and challenges in the way patient access to information has been handled over the years. The report features special commentary from Helen Oscislawski, Esq., managing partner of Oscislawski LLC in Princeton, New Jersey. Oscislawski has played a vital role in providing legal insight and counsel to ComplyAssistant.
The article mentions that 89% of audited covered entities (CEs) failed to show they were correctly implementing the individual right of access under HIPAA. This could happen in many ways, including:
- Inadequate documentation of access requests
- Inadequate or incorrect policies and procedures for providing access
- Lack of a clear, reasonable cost-based fee policy or application of blanket fees in violation of the standard
- Failure to properly describe the patient's right to timely access in the Notice of Privacy Practices (NPP)
The article states that per HIPAA, a CE must document and retain documentation on the following: designated record sets that are subject to access by individuals, and the titles of the persons or offices responsible for receiving and processing requests for access by individuals. According to Oscislawski, many organizations are not aware this is in effect. “Unless an organization has taken the time to learn what its specific obligations are concerning the individual right of access requirement, they likely would not have the documentation required.”
While not having the documentation on hand is one issue, having the wrong policies and procedures is another, including those necessary to manage risk.
Risk management reduces risk
Another main takeaway from the report is that 94% of covered entities (CEs) and 88% of business associates (BAs) failed to implement risk management activities sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
Gerry Blass, President and CEO of ComplyAssistant, encourages CEs to familiarize themselves with the guidance produced by the Cybersecurity Act of 2015 Section 405(d) task group, which examined the threats typically faced by small, medium and large healthcare organizations. The end result of that effort is known as Health Industry Cybersecurity Practices (HICP). “We consider HICP to be excellent guidance for assessing threats, vulnerabilities, controls and residual risks, and for developing risk mitigation roadmaps, in line with HHS.”
Time to clarify misunderstood requirements
The article explains that it is very common for CEs to misunderstand the requirements for both the individual right of access and risk management. For example, providers often assume that a patient must sign a HIPAA authorization form to request their own information, when in reality a simple request is all that is required; that request may be made verbally unless the CE has chosen to require written requests.
While a CE may require individuals to submit access requests in writing, that requirement must not be used to delay patients' access to their information. “An organization cannot demand that the person submit a signed HIPAA authorization before their protected health information (PHI) is released to them,” says Oscislawski. “For those organizations to implement a written request requirement, these parameters must be adhered to carefully.”
CEs that charge too much for the release of PHI and take too long to provide patients the information they need are also brought to light in the article. Oscislawski explains that “the issue of being permitted to charge individuals a reasonable, cost-based fee has been further complicated by lawsuits stemming from whether such HIPAA-capped charges would apply to third parties, such as personal injury attorneys.”
This concern, coupled with delays in patients receiving their information, leads to a host of issues. The regulation calls for a response within 30 days of the request, with a single 30-day extension permitted only if the CE notifies the individual in writing of the reason for the delay; some CEs misread this as a 60-day (or longer) window by default.
In summary, the article is a reminder to organizations across the country that proper documentation and a clear understanding of the rules are paramount to giving patients timely access to their information. Healthcare organizations of all sizes are encouraged to review the OCR website, which offers extensive guidance and FAQs on patient access. There CEs can review the regulations and search by keyword to confirm what is actually required. Providers are also encouraged to use the free tools provided by OCR and the Office of the National Coordinator for Health Information Technology (ONC), including ONC's Improving the Health Records Request Process for Patients and the audit protocol itself, both available in the appendix of the report.