Hospitals & Health Systems

Exchange Services

Exchange Connector

Audit Manager

Institutional Audit Monitor

Professional Audit Monitor

Ambulatory and Physicians

Exchange Services

Audit Manager

Polaris MIPS Reporting

Exchange Forms Service

Accountable Care Organizations (ACO) Capabilities


Health Plan Capabilities

Webinar Recap: Patient Access and the Road to Compliance

March 10, 2021
MRO Privacy

Patient Access: Road to Compliance

Recently I presented Patient Access: Road to Compliance as part of the 2021 webinars hosted monthly by release of information specialist, MRO, this year. During the presentation, attendees learned about the latest Office for Civil Rights (OCR) enforcements and penalties resulting from the continued priority to allow patient access. Now and throughout the year, these valuable insights can help prepare organizations for full compliance.

OCR Crackdown on Patient Access

The OCR’s Industry Audit report released in late December 2020 stated that 89% of audited covered entities failed to show they were correctly implementing the individual right of access. The report noted many compliance gaps, including insufficient policies and procedures for providing access. For example, the OCR found that some policies incorrectly stated that the covered entity could deny access to Protected Health Information (PHI). Other policies lacked guidance around honoring requests for information to be provided to a designated third party.

Overall, these covered entities are largely operating on their own and do not have access to a security or compliance officer who has the detailed knowledge and experience needed to understand and create policies to ensure compliance. Because release of information (ROI) is such a detailed and intricate process, all covered entities must ensure compliance with the standards. One way to achieve that goal is to have a specific department dedicated to the effort and to also outsource the management of the ROI process. By partnering with a knowledgeable ROI vendor, an organization can ensure that someone else is responsible to learn the guidelines, implement policies and procedures required to follow the guidelines, ultimately enforce the guidelines, and continually assess and adjust as needed.

Current Landscape and Penalties

As of February 12, 2021, the OCR settled its 16th HIPAA Right of Access case after announcing in 2019 that it would crack down on supporting individuals’ right to timely access to their health records, at a reasonable cost under the HIPAA Privacy Rule.

These settlements are resulting in Civil Money Penalties (CMPs) and Corrective Action Plans (CAPs) that are largely impacting covered entities. To put it into perspective, these settlements are increasing in frequency over time:

  • 2019 – 2 cases
  • 2020 – 11 cases
  • 2021 – 3 cases to date

Some of the reasons why CMPs and CAPs were applied include:

  • Failed to respond according to timelines (and at reasonable cost) to the patient request for access to their record (8 cases)
  • Refused patient access to inspect and receive a copy (1 case)
  • Form and format to directed third party refused (2 cases)
  • Films not provided as requested by patient (1 case)
  • Patient representative not recognized (3 cases)
  • DRS not used; fetal monitor strips not provided (1 case)

Organizational Actions

If you are considering what your organization can do to ensure healthcare compliance, here are four steps to take if you have not already done so:

  • Update your compliance program, or create one.
  • Document your actions to show evidence of efforts to comply.
  • Create a compliance officer role to keep a watchful eye on the ever-changing regulatory climate.
  • Conduct a GAP analysis to document and prove that you have no intent to engage in blocking patients from accessing their medical records.

As we continue in 2021, it will be increasingly important to keep patient access top of mind, as there have been three settlements already.

Newsletter Sign-Up

Recent Posts

Elevate Your Quality Scores: A Guide to Maximize MIPS/MVP in 2024

Elevate Your Quality Scores: A Guide to Maximize MIPS/MVP in 2024

As the healthcare landscape continues to evolve, so do the challenges and opportunities presented by CMS’ Quality Payment Program (QPP). Since its inception in 2017, QPP has become increasingly complex, making it harder for providers to avoid penalties and maximize...

Choosing the Right QPP Reporting Method for MSSP ACOs in 2025

Choosing the Right QPP Reporting Method for MSSP ACOs in 2025

Navigating the Shift: Transitioning from CMS Web Interface to APP As the 2024 performance year ends, MSSP ACOs (Medicare Shared Savings Program Accountable Care Organizations) are bracing for new reporting obligations under the Quality Payment Program (QPP). The...