What not to say to a patient.

 

Whenever we have a change in power in the White House, there’s a degree of uncertainty around what priorities will the executive branch emphasize. In the case of patient rights, once again, the Office for Civil Rights (OCR) aka, the HIPAA police, have made it known this will continue to be a priority under the new administration. Specifically, patient rights as they pertain to access to their records will continue to be enforced. So just give your patients copies of their records, or access to them, right? If only it were that simple. 

While the HIPAA laws have specific timelines in which records must be shared, and the manner in which they may be available, most states have rules of their own. It’s important for you to know what your state requires, it’s typically shorter than what’s federally required (HIPAA says 30 days). 

Where medical organizations find themselves getting in trouble is by either not responding to patient requests at all, in a timely manner, or telling a patient they won’t be getting a copy. Whatever your staff does when confronted with a request for records, the wrong response is always no. Keep in mind, even in a state like California, where the timeline can be as short as 5 days, you have time to get it right. A better answer is that you will process the request and will let them know as quickly as possible (in California you may want to add in 3 to 5 days). 

The challenge really comes in when you may not have access to all of the records after the encounter. For example, labs have been ordered, image studies, a referral to another physician, all complicate the timeliness of your ability to respond. Where image studies are concerned, automatic availability through a patient portal may not always be an option, so the burden falls upon the staff to notify the patient that the record is available. Add to that the matter of who is authorized for access, and you quickly have what can be a complicated situation. You need appropriate policies in place to guide your actions. 

It’s helpful to note that OCR is not looking to penalize failures in good faith efforts of compliance. Rather, they are looking for failed processes or no processes at all. It may be surprising to hear that many healthcare organizations have not adequately addressed meeting this HIPAA requirement. After all, as we noted earlier, it can get complicated quite quickly, and the penalties for impermissible disclosures can be steep. 

You can help yourself by following a few basic guidelines. First, don’t say anything that may upset the patient or cause them to believe you don’t intend to meet their request. Second, have formal processes in place to meet these requirements in accordance with your state laws. Third, where more complex requests are involved, seek the input of your Information Privacy Officer. 

If you need assistance crafting an effective access policy, we’re happy to assist.If you have any questions or if you are concerned about your organization’s cybersecurity, give us a call at (800) 970-0402. We’ll be happy to help.


For more HIPAA information, download our ebook – The Ultimate HIPAA Compliance Handbook.

The HIPAA Security Rule requires the implementation of a security awareness and training program for all members of its workforce (including management). Have your team sign up for weekly HIPAA Security Reminder to help stay compliant.