Time For CEs, BAs To Take Right Of Access Seriously

Rivkin Radler LLP
Contact

Rivkin Radler LLP

A March 11 article in the Health Care Compliance Association’s Report on Patient Privacy, “In Wake of 16th OCR Settlement, Time For CEs, BAs to Take Right of Access Seriously,” discussed the Right of Access Initiative that the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has been pursuing since 2019. Rivkin Radler’s Eric Fader was quoted extensively in the article.

The article stresses that it is past time for HIPAA covered entities and business associates to upgrade their policies and procedures and to take patients’ right of access to their medical records very seriously. Eric said that the message OCR is trying to send to providers with the right of access settlements is that “ignorance of your responsibilities under HIPAA is no excuse. Don’t tell us you’re too busy. You must train your workforce to respond timely to patients’ requests. Don’t pretend you didn’t know you had to do this, because we, the American Medical Association and other organizations, and mainstream news sources have all been talking about this for at least the past couple of years. And above all else, if we investigate you and you tell us you’ll do something, you’d better do it.” Eric added that “any provider that hasn’t reviewed its internal policies on providing access to patient records and made sure that their workforce knows how to speak to patients and process these requests really has no good excuse for noncompliance.”

Healthcare organizations have neglected the right of access, which led OCR to focus on it, Eric said. “The audits of HIPAA-covered entities and business associates that OCR has been doing for many years didn’t start out focusing on this problem,” he said. “However, it gradually became apparent, and in the past few years it has been recognized that the country’s health care costs can only be reduced through better coordination of care. It’s impossible to coordinate care among unrelated providers effectively if they don’t have timely access to patients’ records, including those records generated by other providers.”

Although OCR’s 16 publicized settlements have involved different fact situations, Eric pointed out that many followed similar patterns. “It’s usually the same basic facts,” he explained. “Patient requests records. Patient is ignored entirely or receives only a few of the records (perhaps copies of test results that need to be burned onto a CD are what is omitted). Patient complains to OCR. OCR contacts provider and reminds them of their obligation. Provider says they’ll provide the records. OCR closes the case without penalty. Provider still doesn’t provide the records. Patient complains again. OCR reopens the case, investigates, and fines the provider. OCR announces the settlement publicly, trying to maintain a steady drumbeat of settlements to gradually educate the public.”

The COVID-19 pandemic has played a role, Eric noted. “Many of the settlements—including one that a former client of my firm had to pay last year under the Right of Access Initiative—seem to have arisen out of violations that were caused, in part, by COVID-19. Many providers reduced office hours last year or had to furlough some administrative employees, and they simply didn’t have sufficient administrative support to respond to patient requests. My guess is that if a practice has one ‘front desk’ person and one administrative/billing person, and the latter is working from home some or all of the time where he/she may be less efficient, there will be a temptation to prioritize bills and follow-ups with insurance companies, and pay less attention to patients’ own requests for their records.”

“Many healthcare organizations, particularly smaller physician practices, worked with a HIPAA consultant or purchased an off-the-shelf manual of HIPAA policies and procedures many years ago, put the manual on the bookshelf, and since that time have been under the impression that they were in compliance with HIPAA,” Eric observed. “This is obviously not good enough.” He added that properly training and retraining the employer’s workforce no less than once per year is one of the most commonly overlooked HIPAA requirements, along with conducting periodic security risk assessments.

Eric and others quoted in the article agreed that providers should expect more enforcement on the right of access from OCR going forward.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Rivkin Radler LLP | Attorney Advertising

Written by:

Rivkin Radler LLP
Contact
more
less

Rivkin Radler LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.