In a recent HIPAA Journal publication, it was stated that the Health and Human Services (HHS) – Office for Civil Rights (OCR), has issued a warning to healthcare providers, focusing on the importance of compliance with the “HIPAA Right of Access,” that is also a part of the 21st Century Cures Act.
They announced that the total number of financial penalties imposed under the HIPAA Right of Access enforcement initiative up to 38. In their statement, they announced that more than 11 financial penalties for HIPAA-covered entities, such as hospitals, and physician practices, failed to provide patients, when requested, timely access to their medical records.
The HIPAA Right of Access gives people the right to inspect their protected health information that is held by a HIPAA-covered entity, check the information for errors, and request that any errors are corrected. People can also request a copy of their protected health information (PHI) from healthcare providers and health plans.
When such a request is made, the requested information must be provided in full within 30 days of the request being received. In very limited circumstances, an extension of 30 days is allowed. Requests can be submitted by patients or their nominated representatives, and parents and legal guardians of minors are permitted to obtain a copy of their minor’s records. Any individual requesting a copy of their records can only be charged a reasonable, cost-based fee for obtaining a copy of their records. The records should be provided in the format requested by the patient, provided the HIPAA-covered entity has the technical capability to provide records in that format.
Further, if the patient wants their records in a phone app, or digital access that is HIPAA protected, and the physician or facility that this information is being requested from, has that capability, then this is how it must be delivered. If the HIPAA-covered entity does not have that particular platform of delivery, they can ask the HHS-OCR to assist in implementing that electronic capability. There is also an option to direct the patient to their EMR, password protected patient portal, as long as the patient is given easily accessible instructions for use, and agrees to that form of delivery.
OCR launched its HIPAA Right of Access enforcement initiative in the fall of 2019 in response to reports of widespread noncompliance with this important HIPAA right. “It should not take a federal investigation before a HIPAA-covered entity provides patients, or their personal representatives, with access to their medical records,” said OCR Director Lisa J. Pino. “Healthcare organizations should take note that there are now 38 enforcement actions in our Right of Access Initiative and understand that OCR is serious about upholding the law and peoples’ fundamental right to timely access to their medical records.”
It would likely be considered an interference for purposes of information blocking if a health care provider established an organizational policy that, for example, imposed delays on the release of lab results for any period of time in order to allow an ordering clinician to review the results or in order to personally inform the patient of the results before a patient can electronically access such results (see also 85 FR 25842 specifying that such a practice does not qualify for the “Preventing Harm” Exception).
To further illustrate, it also would likely be considered an interference:
Per the HIPAA Journal, the latest penalties were all imposed for the failure to provide timely access to an individual’s medical records, rather than for charging unreasonable fees for exercising the Right of Access. All but one of these cases was settled with OCR, with the covered entities also agreeing to a corrective action plan to address the non-compliance and prevent further violations.
One HIPAA-covered entity refused to cooperate with OCR’s requests, resulting in a civil monetary penalty. ACPM Podiatry had received a request from a former patient for a copy of his medical records. OCR was notified on April 8, 2019, that ACPM had refused to provide those records. OCR provided technical assistance to ACPM on April 18, 2019, confirming that the records must be provided under HIPAA. A second complaint was then filed with OCR a month later when the records had still not been provided.
What is of note, is that many HIPAA-covered entities believe that if the patient has an outstanding balance with that entity or physician practice that they can hold the patient’s records based on that issue. That is an inaccurate assumption.
OCR’s investigation into ACPM Podiatry revealed the records had been withheld as the complainant’s insurance company had not paid the bill, but the complainant said the records were required in order to appeal the unfavorable decision, and that the records were necessary to file that appeal. While there was contact between OCR and ACPM Podiatry, ACPM failed to respond to OCR’s data access requests, OCR’s notice of proposed determination of a financial penalty, nor the Letter of Opportunity to provide evidence of mitigating factors, resulting in a civil monetary penalty being imposed.
You cannot ignore these patient requests or the requests from the OCR. The release of a patient’s ePHI is not conditional on whether or not their bill is paid in full. The below table reflects some of the recent penalties enforced by OCR for information blocking, and they do publish these entities and the penalties.
Source: HIPAA Journal July 2022
Programming note: Listen live today when Terry Fletcher reports this developing story during Talk Ten Tuesdays, 10 Eastern.
References:
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html
I want to cover a story that was spectacularly overshadowed by the recent assassination of former CEO for UnitedHealthcare Brian Thompson. The story is the
It’s been an interesting week in corporate healthcare. But I want to start with some context. First, it’s important to recognize that the purpose of
Please log in to your account to comment on this article.
Join Beth Wolf, MD, CPC, CCDS, for an in-depth webcast on the FY2025 spinal fusion MS-DRG updates. Discover key changes in DRG classification, understand impacts on documentation and CMI, and learn strategies to ensure compliance.
Join Angela Comfort, DBA, MBA, RHIA, CDIP, CCS, CCS-P, as she presents effective strategies to strengthen collaboration between CDI, coding, and quality departments in acute care hospitals. Angela will also share guidance on implementing cross-departmental meetings, using shared KPIs, and engaging leadership to foster a culture of collaboration. Attendees will gain actionable tools to optimize documentation accuracy, elevate quality metrics, and drive a unified approach to healthcare goals, ultimately enhancing both patient outcomes and organizational performance.
Optimize your outpatient clinical documentation and gain comprehensive knowledge from foundational practices to advanced technologies, ensuring improved patient care and organizational and financial success. This webcast bundle provides a holistic approach to outpatient CDI, empowering you to implement best practices from the ground up and leverage advanced strategies for superior results. You will gain actionable insights to improve documentation quality, patient care, compliance, and financial outcomes.
Enhancing outpatient clinical documentation is crucial for maintaining accuracy, compliance, and proper reimbursement in today’s complex healthcare environment. This webcast, presented by industry expert Angela Comfort, DBA, RHIA, CDIP, CCS, CCS-P, will provide you with actionable strategies to tackle complex challenges in outpatient documentation. You’ll learn how to craft detailed clinical narratives, utilize advanced EHR features, and implement accurate risk adjustment and HCC coding. The session also covers essential regulatory updates to keep your documentation practices compliant. Join us to gain the tools you need to improve documentation quality, support better patient care, and ensure financial integrity.
Dr. Ronald Hirsch provides critical details on the new Medicare Appeal Process for Status Changes for patients whose status changes during their hospital stay. He also delves into other scenarios of hospital patients receiving custodial care or medically unnecessary services where patient notifications may be needed along with the processes necessary to ensure compliance with state and federal guidance.
Healthcare organizations face complex regulatory requirements under the No Surprises Act and Price Transparency rules. These policies mandate extensive fee disclosures across settings, and confusion is widespread—many hospitals remain unaware they must post every contracted rate. Non-compliance could lead to costly penalties, financial loss, and legal risks. Join David M. Glaser Esq. as he shows you how to navigate these regulations effectively.
Protect your facility from unwanted audits! Join Becky Jacobsen, BSN, RN, MBS, CCS-P, CPC, CPEDC, CBCS, CEMC, and take a deep dive into both the CMS and AMA guidelines for reporting post operative pain blocks. You’ll learn how to determine if the nerve block is separately codable with real life examples for better understanding. Becky will also cover how to evaluate whether documentation supports medical necessity, offer recommendations for stronger documentation practices, and provide guidance on educating providers about documentation requirements. She’ll include a discussion of appropriate modifier and diagnosis coding assignment so that you can be confident that your billing of post operative pain blocks is fully supported and compliant.
During this RACmonitor webcast Dr. Ronald Hirsch spotlights the areas of the OIG’s Work Plan and the findings of their most recent audits that impact utilization review, case management, and audit staff. He also provides his common-sense interpretation of the prevailing regulations related to those target issues. You’ll walk away better equipped with strategies to put in place immediately to reduce your risk of paybacks, increased scrutiny, and criminal penalties.
Copyright © 2024 ICD10monitor. Powered by MedLearn Media.
Prepare for the 2025 CMS IPPS Final Rule with ICD10monitor’s IPPSPalooza! Click HERE to learn more
Get 15% OFF on all educational webcasts at ICD10monitor with code JULYFOURTH24 until July 4, 2024—start learning today!
CYBER WEEK IS HERE! Don’t miss your chance to get 20% off now until Dec. 2 with code CYBER24
