Be prepared for more patients requesting to access their health records

Patients were top of mind when new federal guidance was issued in January on rights to their protected health information. The guidance by the U.S. Department of Health & Human Services' (HHS') Office of Civil Rights relayed the how-tos for patient access and empowerment in a fact sheet, frequently asked questions and social media.

There also was a nod to covered entities, such as doctors of optometry, who must comply with these patient requests

"Unfortunately, based on recent studies and our own enforcement experience, far too often individuals face obstacles to accessing their health information, even from entities required to comply with the HIPAA Privacy Rule," wrote Jocelyn Samuels, director, HHS Office of Civil Rights on Jan. 7.

"This must change," Samuels added.

The Health Insurance Portability and Accountability Act (HIPAA) was adopted in 1996. Ever since its Privacy Rule went into effect, HIPAA has given patients the right to access their medical records maintained by their providers, hospitals and health insurance plans. But this new guidance or re-emphasis by the Office of Civil Rights means doctors of optometry should be prepared for more patients seeking access to their health information.

Last year, after an audit, the Office of the Inspector General urged HHS' Office of Civil Rights to be more proactive when it comes to compliance. Further, increasingly patients are filing complaints. The number of HIPAA complaints rose, between 2004 through 2014, by 172%. A lack of "access" usually ranked No. 3 among the reasons for a complaint.

Be aware of new HIPAA guidance

Staying abreast of changes under HIPAA, including its complex Privacy Rule, can be time consuming and confusing.

"With over 500 pages of a rule, of course there is confusion," says Robert "Bob" Grant, co-founder and chief strategy officer for the HIPAA consultancy group The Compliancy Group, an AOAExcel^® endorsed business partner.

"The bottom line is a patient has to be allowed access to his or her medical record," he says.

Michael Stokes, J.D., AOA's general counsel, adds, "Members of our association must be aware of this new guidance. We want to do what's best for patients."

And doctors also need to know and do, Stokes says, what it takes to make the exchange of information go smoothly for patients and providers. One of the values of AOA membership is being kept informed of events and trends affecting optometry.

Under the Privacy Rule, covered entities are required to:

• Establish a process to accept either written or electronic requests by patients for their health information.
• Take reasonable steps to verify the identity of an individual making a request.
• Provide the information in a form or format requested (i.e., paper or electronic), if at all possible. If the preferred form or format is not available, the covered entity and individual must agree on a readable alternative.
• Provide access to the information within 30 calendar days of the request. That time frame may be extended an additional 30 days if the information is not readily available; the requester must be notified of the extension.
• Provide access to most information in the "designated record set," including medical records, billing and payments records, insurance information, clinical laboratory results, medical images, wellness and disease management program files, clinical notes and other information used to make medical decisions about patients.
• Deny access only in limited circumstances. For instance, an entity is not required to create new information or provide information in the designated record set that is not used in making decisions about a patient's care. That includes patient safety activity records or quality assessment or improvement records.
• Transmit the patient's information to another person or entity if the patient requests it.
• Impose a reasonable, cost-based fee for providing the information provided that charge covers only labor costs for copies, supplies for creating paper copies or electronic media, postage, and the preparation of an explanation or summary, if one is requested by the patient.

Learn about a security risk assessment tool from the U.S. Department of Health and Human Services.

Claiming ignorance of HIPAA won't fly with HHS, Grant adds. He recommends doctors "document, document, document" each step of the process, including having a patient sign a disclosure authorization form that can be tracked. In the end, Grant says, the rules are good for everyone involved.

"Compliance with the HIPAA rules is good all around for patients and the protection of their personal data," Grant says. "The federal government will be starting audits soon and compliance by covered entities is paramount to not getting fined."

In recent months, HHS also published new fact sheets in support of interoperability or making the exchange of health information between covered entities go more smoothly:

• Permitted Uses and Disclosures for Health Care Operations
• Permitted Uses and Disclosures: Exchange for Treatment