
Saturday, August 11, 2012

It’s All About Access
So with all the talk about the OCR HIPAA Audit program, and the initial findings that have been reported, we are brought right back to basics. Among other things, the KPMG auditors are looking at the privacy practices we were putting into place back nearly 10 years ago. And the OCR has recently issued a memo on patients' right of access to their protected health information (PHI), encouraging patients to actively participate in their own medical care. Patient rights are supreme.
Even so, one area of repeated deficiency found by the auditors relates to an absence of policies and procedures around patient access to their PHI. Does that surprise you? Or perhaps it resonates with you?
Practices generally are required to allow patients to see or receive a copy of their PHI within a designated period of time. Under HIPAA, the deadline is 30 days, unless an extension of time is requested. State laws will vary. In Maine, patients whose specially-protected category of Mental Health information is impacted by the Maine Rights of Recipients of Mental Health Services (“Rights Rules”) may review their information with supervision within 3 business days. Likewise, a Meaningful Use Core Measure also requires proof that more than 50 percent of all patients who request an electronic copy of their PHI are provided it within 3 business days.

Under the HITECH Interim Final Rule, covered entities, such as medical and other clinical practices, that maintain PHI electronically are required to provide patients with their record in electronic format, or transmit the data to a designated entity or individual at the patient’s request. These few words in the HITECH Act create a sizable change for the operations of a practice or health care organization, especially where the entity is in a hybrid state, meaning that the PHI is kept in paper, electronic and/or other formats. Do you provide the electronic record on a flash drive, on a CD? Are you able to transmit the electronic record securely?
Note that HITECH only allows for the labor costs associated with providing electronic PHI electronically, while state law tends to cover the costs associated with paper copying fees. 
Does your practice have a patient access policy and process that is being followed for PHI in varying formats? How are requests by personal representatives handled? When was the last time this area of your organization was monitored for compliance? Are you aware of the high enforcement penalties associated with lack of compliance?
In light of the OCR’s emphasis on HIPAA patient rights, the new audit programs under HITECH, and now the recently announced CMS Meaningful Use Attestation Audits, it has never been more necessary to be sure that you have a practice in place, including a process for denial of access if necessary (for example, if there is a risk of harm by providing access to the record). Be sure to record your efforts, as well as all requests and responses, to prove your actions and good faith. And know that you are doing the right thing for the patients, for your practice's reputation, and for your bottom line.
