HIPAA Right of Access and Information Blocking
For decades the idea of patients being in control of their health information was given little more than tacit support by our government as the healthcare industry
As of April 5th, 2021, HIPAA has a new final rule we will refer to as the Information Blocking rule. This final rule was scheduled to start in November of last year but was delayed due to COVID. In short, there’s now a new construct in place that goes into greater detail on what constitutes a right of access violation and what the penalty enforcement process may be. The good news for healthcare providers is that if you’re limited in your ability to comply with a patient’s records request due to the technology you use, the vendor of that technology could be on the hook for significant penalties. But we wouldn’t suggest hanging your hat on that as an excuse to circumvent this law. You’ll still find yourself under scrutiny that will require time and likely money to get out of. That said, there are a handful of exceptions that may warrant you not complying with this new law. The full law and the exceptions can be viewed here: Electronic Code of Federal Regulations (eCFR).
Finally, the new law introduces a new penalty process for providers and Covered Entities, and this is where things may get murky. The Act requires the Office of Inspector General (OIG) to refer Covered Entities to an “appropriate agency” for what it calls, in an Orwellian phrase, “appropriate disincentives”, which are as yet to be determined.
If this law impacts you, we urge you to be certain your records management and release process is robust, redundant, reliable, repeatable, and trackable. If this is not the case, then call us or get help to make it that way. While we may not know what “appropriate disincentives” to be doled out by some “appropriate agency” may mean, we DO KNOW that OCR is actively and aggressively enforcing Right of Access rules and now they have a new bag of tricks. Don’t let yourself get caught in this rat’s nest.
While you tend to the many tasks before you, be sure to keep yourself and your staff alert to the many miscreants scheming to steal from you. Think before you click or enter sensitive data into a website.
Thank you for reading.
The HIPAA Security Rule requires the implementation of a security awareness and training program for all members of its workforce (including management). Have your team sign up for a weekly HIPAA Security Reminder to help stay compliant.