
Defining OCR Patient Access Guidelines


In the September issue of the Journal of AHIMA, some of my colleagues and I authored an article outlining the Office for Civil Rights’ (OCR) guidelines for patient access to health information. Providing individuals and their designated personal representatives easy access to their health information is prescribed by the HIPAA Privacy Rule, and is one of the OCR’s most important mandates. While the OCR’s guidance did not change HIPAA regulations, it is recommended procedure for audits.

The OCR is developing further clarifications and guidance to clear up challenges and confusion surrounding their frequently asked questions (FAQs) published in early 2016. During AHIMA’s 14th Annual Hill Day and Leadership Symposium, Deven McGraw, deputy director of the OCR, stated the initial clarification published on the OCR website still contained gray areas, stemming from the OCR’s desire to give patients more access to their health information, while promoting more engagement with health outcomes.

Patient requests for access to health information vs. third party requests

One area of confusion is the difference between a patient’s right to access health information and third-party Release of Information (ROI) requests requiring the patient’s signed authorization.

Requests for copies of Protected Health Information (PHI) made by patients and their personal representatives – individuals with authority under applicable law to make healthcare decisions on behalf of the patient – do not need accompanying HIPAA-compliant authorizations. Only requests made by third parties must be accompanied by HIPAA-compliant authorizations.

Covered Entities (CEs), however, can require patients and their personal representatives to submit their requests for copies of PHI in writing, though they may not require patients and personal representatives to come onsite to their facility to request in person, nor can CEs require patients to submit their requests via web portal or through the mail. CEs can also require patients and their personal representatives to complete a designated form when requesting health information, “provided use of the form does not create a barrier to or unreasonably delay” patient access to PHI. Additionally, it is not recommended for providers to ask patients for a description of purpose regarding the information requested; while it is not prohibited to ask, denying access based on the answer is prohibited.

If a patient or their personal representative wants to direct a CE to send copies of the patient’s PHI to a designated third party, the request must be in writing, signed by the patient or the personal representative, and clearly identify the designated recipient and where to send the PHI.

Other dos and don’ts of patient access to health information were summarized in the Journal of AHIMA article.

As the OCR continues to define guidance for patient access to health information, it is important for providers to allow patients easy access to their PHI.


Privacy and security series, part 3: Prevent ransomware from holding your organization hostage

Data Breach

For the second year in a row, cyberattacks were the leading cause of data breaches in healthcare, according to the Ponemon Institute’s recently released “Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data.”

Ransomware, malware and denial-of-service (DOS) attacks are the most common and growing cyber threats facing healthcare organizations, according to the study. Protecting your organization from an attack, however, is highly feasible if you pursue a rigorous and consistent program of employee training, testing and IT system updates.

Increase in cyberattacks led by ransomware and DOS

Most ransomware attacks—the hijacking and encrypting of an organization’s data by cybercriminals—start with an employee clicking a malicious link in an email or opening a file that installs malware, effectively rendering data inaccessible.

The malware typically displays a ransom message demanding payment, frequently in bitcoins, to decrypt the computer or server. Cybercriminals are aided by a “dark web” presence, where they can partner with other criminals to execute attacks.

Since data drives safe and effective healthcare decisions, organizations often pay the attackers’ ransom when operations are crippled. Ransomware, however, may also be considered a breach, although not all organizations have been reporting these types of attacks to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR).

Educate staff and implement safeguards

OCR is currently working on guidance for reacting to and reporting ransomware, but there are three essential steps healthcare organizations should take today to help avoid becoming a victim:

  • Education: Employees should be trained about the threat of ransomware—not to click on suspicious links or attempt to access unknown flash drives, and to report suspicious emails.
  • Testing: Once-a-year phishing exercises to test employees’ training are not enough to prevent the next attack. These tests need to be repeated continually and at random to drive employee compliance with security policies and procedures.
  • Updates: Organizations need to follow recommended IT-management practices, including implementing software patches, anti-virus updates and other software tools immediately as they become available.

At MRO, we seek to mitigate breach risk from all angles, from our Quality Assurance-infused Protected Health Information (PHI) disclosure management workflow to ensuring our staff is properly trained to avoid cyberattacks. Training quality is ensured through MRO Academy, our rigorous and required online educational and testing platform, with the most up-to-date HIPAA regulations and Release of Information (ROI) requirements at the federal, state and facility level. To learn more about MRO’s training and education programs, click here.


Privacy and security series part 2: Best practices in breach management

In recent years, Protected Health Information (PHI) breach prevention has become the watchword. However, with security threats like ransomware—and the recent electronic medical record (EMR) system hijackings in Texas, California and Maryland—it’s time to start thinking about what happens when prevention fails.

It is critical to have an appropriately timed and coordinated response in the wake of a breach. Having a response team in place, and meeting with them regularly, is the first step in breach management. Key members of the team include legal counsel, a privacy officer, IT personnel, a public relations liaison and a human resources representative. Also be sure to nominate a manager or incident team leader as part of the plan of action (POA) to avoid scrambling in the face of a breach.

We explored response management further in a special session of AHIMA’s Virtual Privacy and Security Academy, the first in an MRO-sponsored three-part series continuing throughout the year.

The following is a quick overview of some of the topics we discussed.

The first 24 hours are the most important

The first 24 hours after a breach are critical. It’s imperative to have an accurate and up-to-date call list to alert and activate key members of your organization, and to follow established response protocols.

If PHI is still at immediate breach risk, your first priority is to prevent any further incidents. As a next step, it’s important to gather as much information on the breach as possible, such as: what information got out, where did the information go, and who captured it. Notify business associates of the breach, inform local law enforcement, if necessary, and notify any other important parties, such as board members.

Communications team should help with notification

If a breach affects more than 500 patients, federal law states that public notification is required within 60 days. This can become especially tricky if you have patients in multiple states because 47 states have unique reporting laws, which are often more stringent than federal requirements. It is always best to follow the strictest approach.

Your public relations team will play an important role with patient notification. They must craft a uniform, comforting response that assures patients that authorities are investigating the issue, that identity theft protection services are freely available, and that they will continue to communicate updates.

If you’d like to attend AHIMA’s Virtual Privacy and Security Academy led by MRO’s own experts, there is a session on HIPAA Compliance for Business Associates in August, and on Business Associate and Subcontractor Management in November. MRO will happily take 15 percent off AHIMA member pricing to clients and friends who register for one or both of the Virtual Privacy and Security Academy sessions. Scroll down and complete the form below to learn more and to receive our discount promo codes. We hope to see you there.


Privacy and security series, part 1: OCR protocols for phase 2 HIPAA audits


On March 21, 2016, the Director of the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), Jocelyn Samuels, announced the launch of Phase 2 of its HIPAA compliance audit program for covered entities and business associates. Expanding upon Phase 1 audits conducted in 2012, Phase 2 audits will use newly released audit protocols.

What to expect
Starting this month with limited-scope desk audits until July and on-site full compliance audits later in 2016, Phase 2 of the HIPAA audit program is now in effect. Additional details on what to expect from the audits are outlined in our previous Phase 2 audits blog post, which can be accessed here. In this post, we’ll take a look at the recently announced audit protocols, which had not yet been released at the time of our last post, and how your organization can ensure it’s prepared.

The new audit protocols are more specific than the previous audit protocols, addressing documentation requirements more comprehensively than the 2012 version. In total, there are 169 audit protocols: 78 for security, 81 for privacy and 10 for breach notification. Approximately one-third of the protocols ask for documentation, which will need to be submitted electronically to the OCR’s new secure online portal. With regard to privacy, the major areas are 1) uses and disclosures, 2) minimum necessary standard, 3) patient rights, 4) notice of privacy practices, 5) business associates and 6) administrative requirements.

How to prepare your organization
The best way to get ready for these compliance audits is to prepare the workforce and assemble an audit team that can communicate effectively with senior management and champion compliance activities. Here’s how to get started:

  • Educate the team: Present information on the audit protocols and inquiries, reviewing how and where your organization’s relevant documentation can be accessed for potential audit requests.
  • Conduct internal audits: After the review, a mock audit team could be assembled to simulate complying with some or all of the Phase 2 audit protocols.
  • Address potential gaps: The mock audit should help identify areas where policies and procedures may be lacking or insufficiently documented. Those corrections should be completed before the Phase 2 desk audits begin.

Although the OCR released the protocols prior to soliciting input, they invite the public to submit feedback by emailing

All of the audit protocols are available on a user-friendly spreadsheet created by MRO to assist with your organization’s preparation. To download the reference tool, please fill out the form below.
