Recently I presented Patient Access: Road to Compliance as part of the 2021 monthly webinar series hosted by release of information specialist MRO. During the presentation, attendees learned about the latest Office for Civil Rights (OCR) enforcement actions and penalties resulting from the continued priority on patient access. Now and throughout the year, these insights can help organizations prepare for full compliance.
OCR Crackdown on Patient Access
The OCR’s Industry Audit report released in late December 2020 stated that 89% of audited covered entities failed to show they were correctly implementing the individual right of access. The report noted many compliance gaps, including insufficient policies and procedures for providing access. For example, the OCR found that some policies incorrectly stated that the covered entity could deny access to Protected Health Information (PHI). Other policies lacked guidance around honoring requests for information to be provided to a designated third party.
Overall, these covered entities are largely operating on their own and do not have access to a security or compliance officer who has the detailed knowledge and experience needed to understand and create policies to ensure compliance. Because release of information (ROI) is such a detailed and intricate process, all covered entities must ensure compliance with the standards. One way to achieve that goal is to have a specific department dedicated to the effort and also to outsource the management of the ROI process. By partnering with a knowledgeable ROI vendor, an organization can ensure that someone else is responsible for learning the guidelines, implementing the policies and procedures required to follow them, enforcing them, and continually assessing and adjusting as needed.
Current Landscape and Penalties
As of February 12, 2021, the OCR settled its 16th HIPAA Right of Access case after announcing in 2019 that it would crack down to support individuals’ right to timely access to their health records at a reasonable cost under the HIPAA Privacy Rule.
These settlements are resulting in Civil Money Penalties (CMPs) and Corrective Action Plans (CAPs) that are largely impacting covered entities. To put it into perspective, these settlements are increasing in frequency over time:
- 2019 – 2 cases
- 2020 – 11 cases
- 2021 – 3 cases to date
Some of the reasons why CMPs and CAPs were applied include:
- Failed to respond according to timelines (and at reasonable cost) to the patient request for access to their record (8 cases)
- Refused patient access to inspect and receive a copy (1 case)
- Form and format to directed third party refused (2 cases)
- Films not provided as requested by patient (1 case)
- Patient representative not recognized (3 cases)
- Designated record set (DRS) not used; fetal monitor strips not provided (1 case)
Organizational Actions
If you are considering what your organization can do to ensure healthcare compliance, here are four steps to take if you have not already done so:
- Update your compliance program, or create one.
- Document your actions to show evidence of efforts to comply.
- Create a compliance officer role to keep a watchful eye on the ever-changing regulatory climate.
- Conduct a gap analysis to document and prove that you have no intent to engage in blocking patients from accessing their medical records.
As we continue in 2021, it will be increasingly important to keep patient access top of mind, as there have been three settlements already.