Insights from MRO’s legal expert: Exploring patient access to Protected Health Information
President Obama’s Precision Medicine Initiative has encouraged millions of Americans to share their Protected Health Information (PHI) with the federal government. This push means providers should dedicate more time and resources to helping patients through the requesting process. With this in mind, my colleague Rita Bowen, MA, RHIA, CHPS, SSGB, Vice President of Privacy, Compliance and HIM Policy for MRO, and I co-authored an article for Compliance Today, reviewing the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) patient access FAQs and guidance.
In this post, I’ll review a few compliance concerns related to patient access.
Patient requests are different than third party requests
Requiring patients and their personal representatives to submit HIPAA-compliant authorizations in order to obtain access to their PHI is one of the most common compliance mistakes. Healthcare organizations may require patients to request in writing and on provider-supplied forms, but these requirements cannot create a barrier to or unreasonably delay patient access to health information.
Designated record set may not be clearly defined
Providers should utilize the designated record set (DRS) to collect information for patient requests. The DRS contains any information used to make decisions about an individual, including medical records, billing records, insurance information, clinical lab test results, medical imaging, wellness and disease management profiles, clinical case notes and other items. Ensuring patient access may become a compliance challenge when the DRS is not clearly defined.
Timeliness and format
One major focus of the patient access FAQs is the emphasis on timely fulfillment of patient requests for access to health information, usually within 30 days. If a request cannot meet the specified turnaround time, the provider must notify the patient, explaining the reason for the delay and when the patient can expect their records.
Additionally, providers should give patients their PHI in the form and format requested. The copies should be delivered to patients for a “reasonable, cost-based” fee.
For a more in depth look at patient access, read the full Compliance Today article.
This blog post is made available by MRO’s general counsel for educational purposes only, as well as to give general information and a general understanding of the law, not to provide specific legal advice. This blog does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.