When we discuss HIPAA, most of the articles have been on security and breaches, but HIPAA goes well beyond privacy and security. One aspect of the HIPAA rule is the “Right of Access”.
OCR (the Office for Civil Rights, the branch of HHS that enforces HIPAA) has been enforcing this law even more strongly since the 21st Century Cures Act was published. OCR has begun to levy fines against organizations that are in violation of the “Right of Access” rule.
What is the Right of Access Rule?
When a request is made for access to medical records, HIPAA-covered entities must provide access or supply a copy of the requested medical records as soon as possible, but no later than 30 days after the request is received.
Each state may have its own requirements on responding to a request for medical records, but the HIPAA regulations are probably the most stringent. Under HIPAA you MUST provide a patient with access to their requested records or a copy of the records within 30 days of the request.
Back in the days of paper this was relatively simple. All we had to do was copy the paper chart and provide that copy to the patient. In the world of electronic records this can become much more complicated. Now the medical record can include:
- Your notes
- Laboratory reports
- Examinations that may be outside your notes
- Notes from referring doctors or reports from doctors you referred the patient to. Are these part of your note, or are they technically part of the other doctor's note?
- The data you may have pulled back from a drug benefit plan into your EHR
- Problem lists
- Medication lists
Now would be a very good time to develop an office manual and policy defining what we consider part of the medical record when a request comes in. For example, you may wish to determine that a generic request for medical records only includes encounter notes and anything that is not specifically requested is not sent out. How to define your medical record is a conversation best had with your medical malpractice carrier or health care attorney in your state.
Now that you have defined what will be provided when you get a request for a ‘medical record’, you must provide that information to the patient within 30 days. You also want to have clear documentation and proof that it was provided within the specified time period. If you are sending out paper copies or electronic copies on media (such as a flash drive), this is best done by requiring a signature and getting the signed slip back as proof of delivery. Another method of providing the requested information is to use a patient portal. Pushing the requested documents to the portal and sending the patient a message that the documents are available gives you an electronic time stamp of when the documents were made available at the portal, and you would also have a time and date stamp of when the patient accessed the patient portal.
If the patient happens to come into the office to pick up the records, have them sign for the records along with a time and date on the form. If the patient sends somebody to pick up the forms, this creates another HIPAA issue to deal with:
- Is the person who is coming to pick up the forms one of the individuals you are allowed to share patient information with?
- If the patient is sending a third party, require that the individual have a signed letter from the patient authorizing them to receive the information.
- Compare the signature on the form to copies of the patient’s signature you have on other documents.
Providing patient information to an unauthorized individual is a HIPAA violation. You do not want to commit one type of HIPAA violation while trying to avoid a different type of HIPAA violation.
HIPAA is complex and goes well beyond just the privacy and security of the medical records at your practice. You need to have a HIPAA manual that addresses how you will deal with the various aspects of HIPAA, and you need to have a consultant available to help you determine what to do when something unexpected happens.
Your job is to be a doctor, and when it comes to HIPAA, don’t try to do it yourself. Focus on the one activity that enables you to earn an income, treating patients, and bring in a capable team of specialists to assist you with every other aspect of your practice.
For more information about TLD Systems, please visit the AdvancedMD Integration Partner Marketplace page.