Check Request Status610-994-7500

PHI disclosure legal issues, part 5: Removing barriers to patient access, continued

 

FINAL Sara's Blog - Part 4 of 5 picture

In the previous post of our five-part Legal Issues blog series, we explored the FAQs that the United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has published in recent months concerning patient access to Protected Health Information (PHI). The FAQs were generated in response to recent studies and OCR investigations that found patients often face obstacles when trying to access their health information from hospitals and physician practices.

The last post described potential barriers in the request stage of the Release of Information (ROI) process for patients, which you can read here . This post, the final in our Legal Issues series, will focus on the release stage of the process.

Provide patients with access to their “designated record set”
HIPAA entitles patient access to their “designated record set” which consists of a broad array of health information including: medical and billing records; insurance information; clinical laboratory test results; medical imaging; wellness and disease management program files; and clinical case notes. The OCR’s FAQs provide guidance on what should be considered part of a designated record set and should be reviewed by providers to ensure compliance.

Deliver PHI in the requested format
Under HIPAA, patients are entitled to receive copies of their PHI in the form and format they request. If that’s not feasible, the PHI must be in a readable format agreed to by the provider and patient. Thus, if a patient requests copies of their electronically-stored PHI in the same format, a provider should offer the requested PHI copies in an email, on a CD-ROM, or in another electronic method. The same rule applies if the patient requests copies of their PHI be delivered on paper.

Release PHI within 30 days of receipt of their request
A major focus of the OCR’s recent FAQs is the importance of providing patients with access to their PHI within 30 days of receipt of the request. If a rare long turnaround time is unavoidable, the provider must notify the patient of the delay, explain why it has occurred, and when the patient should expect to receive copies of their PHI.

Providers should review their turnaround times and make sure they are in line. Having a form letter prepared in the event that there is a delay is also a good idea.

I hope you enjoyed reading the posts in this Legal Issue series as much as I enjoyed writing them. To be sure you never miss a new post, you can subscribe to MRO’s blog below.

This blog post is made available by MRO’s general counsel for educational purposes only, as well as to give general information and a general understanding of the law, not to provide specific legal advice. This blog post does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.

Sign Up for Future Blog Posts

Read More

PHI disclosure legal issues, part 4: Removing barriers to patient access

 

FINAL Sara's Blog - Part 4 of 5 picture

Over the past few months, the United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has published several FAQs related to patient access to Protected Health Information (PHI). These FAQs were generated in response to recent studies and OCR investigations that found that patients often face obstacles when trying to access their health information from hospitals and physician practices.

In continuation with our Legal Issues blog series, parts four and five will explore ways providers can avoid patient complaints being filed against them with the OCR regarding PHI access that could lead to investigations and possible enforcement actions. Part four is about removing obstacles from patients requesting their PHI, while part five will look at how providers can properly disclose patients’ information.

HIPAA-compliant authorization not required
HIPAA-compliant authorizations are required when a third party is requesting access to a patient’s PHI. However, a patient or a patient’s authorized representatives (see below) does not need to provide a HIPAA-compliant authorization to obtain access to the patient’s own PHI. A patient can simply submit their request in writing to their healthcare provider, provided that the request contains enough information for the healthcare provider to verify the patient’s identity.

Providers can require that patients use a specific form to request access to their PHI, but the form cannot create an access obstacle. Healthcare providers need to review what documentation they are requiring patients to provide to release their information and ensure that access is not obstructed.

Honor the personal representative’s Release of Information (ROI) request
Under HIPAA, a patient’s personal representative has the same right as the patient to access the patient’s PHI. Examples of personal representatives include healthcare power of attorneys and the parents/guardians of minor children.

Providers should ensure, however, that the personal representative’s request includes information regarding his or her authority to act on behalf of the patient, such as a healthcare power of attorney executed in accordance with applicable state law. Medical providers should make sure their policies do not create a barrier to access for personal representatives.

In light of the OCR’s recent FAQs, healthcare providers should make efforts towards enhancing their patient request policies and procedures to ensure they are providing patients with timely access to their PHI. At MRO, we are dedicated to providing patients with timely access to their PHI and have recently launched a new Patient Advocate Program to guide patients through the ROI process.

In the final segment of our Legal Issues blog series, we’ll take a look at how providers can ensure proper and compliant disclosure of patient information. Don’t want to miss part five? Sign up for future MRO blog posts below.

This blog post is made available by MRO’s general counsel for educational purposes only, as well as to give general information and a general understanding of the law, not to provide specific legal advice. This blog post does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.

Sign Up for Future Blog Posts

Read More

MRO and AHIMA celebrate you: the Health Information Professional

Blog 26 photo - P&S month Hynes

Because privacy and security is at the heart of our business activities, MRO is proud to be the premier sponsor of AHIMA’s Privacy and Security Month in April. We’re kicking off the month by celebrating Health Information Professional (HIP) Week, held April 3 – 9 with the theme: “Accurate Information, Quality Care.”

This theme hits home for us at MRO, as we are committed to delivering the highest levels of accuracy and quality in Release of Information (ROI). As a confirmation of this commitment, in early 2016, MRO was named the KLAS Category Leader for ROI services in the 2015/2016 “Best in KLAS” report. This is the third consecutive year that MRO was rated #1, and another year in which our focus on service quality was recognized by KLAS.

With each passing year, MRO continues to grow and advance as a result of our clients’ candid feedback to KLAS and MRO management. We also benefit from their excellent references and unwavering commitment to HIM professional principles and our business partnerships. We would like to take a moment to express how truly grateful we are to our clients: Thank you!

Giving back to the HIM community
As part of our privacy and security celebration, we are also sponsoring AHIMA’s Virtual Privacy and Security Academy, which is designed to advance the knowledge of industry professionals. This three-part series occurring throughout the year will provide individuals with the most up-to-date information on privacy and security and the impact of existing laws and regulations. Not only are we a sponsor, but we are also very proud to announce that MRO’s own industry leaders are presenting these sessions.

• Advanced Breach Management: Wednesday, April 27, 10 am – 12 pm Central
• HIPAA Compliance for Business Associates: Wednesday, August 17, 10 am – 12 pm Central
• Business Associate and Subcontractor Management: Wednesday, November 9, 10 am – 12 pm Central

You can register to attend a single session or all three sessions in the AHIMA store, and if you are unable to attend live, recorded formats will be shared after each event.

In honor of Privacy and Security Month, HIP Week and our appreciation of the HIM community, MRO is happy to offer clients and friends who sign up for these sessions a 15 percent discount off the AHIMA member price. To receive more details about the Academy sessions and our discount promo codes, please complete the below form (scroll to the bottom of the blog page). It’s a small token of thanks from us to a group of dedicated, hard-working professionals who uphold the highest standards of integrity across the industry and who perform their duties masterfully throughout the year. We hope these educational sessions help safeguard your organizations and strengthen your career.

Receive a 15% discount

To receive MRO’s promo codes to receive a 15% discount off your Virtual Privacy and Security Academy registration, please complete the form.

Read More