New OCR Guidelines Remind Practices to Follow HIPAA

As patient engagement continues to take center stage, it’s more important than ever for patients to gain access to their own health information. Not only does HIPAA require this, but it’s simply good for patient care. When patients access their information, they’re able to monitor chronic conditions, adhere to treatment plans, track progress, coordinate care, and identify errors.

Unfortunately, some physician practices tend to over-interpret HIPAA, says Angela Rose, MHA, RHIA, CHPS, FAHIMA, director of HIM practice excellence at the American Health Information Management Association (AHIMA). They use the federal law as a barrier to providing access because they tend to err on the side of caution in certain situations, she adds.

“Far too often, individuals face obstacles to access their health information, even from entities required to comply with the HIPAA Privacy Rule,” Jocelyn Samuels, director of the Office for Civil Rights, wrote in a recent blog entry. “This must change,” she added.

A thorough understanding of HIPAA is paramount, says Rose. In addition, practices need to know how HIPAA requirements stack up against the HITECH Act that is more stringent and exact in some cases. The good news is that new OCR guidelines published last month provide much-needed clarification. 

What HIPAA does—and doesn’t—include
In summary, patients are permitted access to the following information in the designated record set:

• Medical records
• Billing and payment records
• Insurance information
• Clinical lab test results
• Medical images
• Wellness and disease management program files
• Clinical case notes
• Other information used to make decisions about individuals

Patients are not permitted access to the following information:

• Quality assessment or improvement records
• Patient safety activity records
• Business planning, development, and management records (e.g., a practice’s quality records referencing an individual’s protected health information [PHI] that are used to improve customer service)
• Psychotherapy notes that a mental health provider maintains separately from the rest of the patient’s medical record
• Information compiled in reasonable anticipation of, of for use in, a civil, criminal, or administrative action or proceeding

HITECH specifically states that patients must have access to recent lab test results, a current medication list, a medication history, and a problem list maintained in Certified EHR Technology. This is something to consider if your practice is participating in the Meaningful Use (MU) EHR Incentive Program.

Timeliness of access
Practices must provide access to the requested PHI no later than 30 calendar days from receiving the individual’s request, as per HIPAA requirements.

However, according to HITECH MU Stage 2, eligible professionals must make information available within four business days of its availability. Stage 3 requires eligible professionals to make information available to patients within 48 hours of its availability.

Requests for electronic copies
Rose says many practices are still surprised to learn that per HIPAA, individuals have a right to request an electronic copy of their PHI when that PHI is maintained electronically by the covered entity.

According to the OCR guidelines, “If a covered entity has the capability to readily produce the requested format, it is not permissible for the covered entity to deny the individual access to that format because the entity would prefer that the individual receive a different format, or utilize other customary record access processes of the entity.”

4 tips to maintain compliance
Rose says to consider these tips to ensure that your practice meets HIPAA and HITECH requirements: If you are looking for more information on the requirements of Meaningful Use and what is changing with modified Stage 2 and Stage 3, visit the Kareo Meaningful Use Resource Center.

1. Review the OCR guidelines carefully. In addition to the information reference above, the guidelines also provide information about methods for requesting access, verifying the identity of the individual requesting access, charging fees for copies of information, grounds for denying access, and more.
2. Contact your local AHIMA state component association for more information about HIPAA and what your practice needs to do to comply.
3. Develop an internal policy regarding how to handle different types of patient requests. This policy should address request formats, timeliness for response, and response formats. Educate patients about this policy and about HIPAA, in general, so they know what to expect.
4. Implement a patient portal. Work with your EHR vendor to integrate portal technology that will allow you to respond to patient requests for PHI more quickly and even in an electronic format.