Risking OCR and Patient Ire, Many CEs Don’t Comply With Patient Access Rules

June 2014 Volume 14 Issue 6
aishealth.com

REPORT ON PATIENT PRIVACY delivers timely news and business strategies for safeguarding patient privacy and data security.

In apparent defiance of final HITECH regulations, many HIPAA covered entities (CEs) are not offering patients the option of receiving an electronic copy of their medical records, let alone in the “form and format” of their choosing, as has been required since January 2013.

Some are imposing fees for copies and applying limits on what they will provide that do not appear to be in line with regulations. Health systems with multiple hospitals have implemented the access requirements inconsistently across their medical centers, meaning some may be in compliance while others are not.

All of this is evident on the websites of covered entities, in their pages that outline the policies and procedures for patients to obtain their protected health information (PHI) — so officials from the Office for Civil Rights (OCR) can readily see it also. An OCR spokeswoman tells RPP “we can and we have” brought enforcement actions against CEs who violate the access requirements.

Patient advocates, medical records providers, privacy experts and others also tell RPP of a multitude of likely unlawful hoops imposed by CEs that people are jumping through to try to get their records.
“Unless you are behind the curtain like I am or unless you start finding the right stones to turn over, you don’t ever get to see the horror show that really exists in various degrees across the country,” says Chris Carpenter, director of operations for Diversified Medical Record Services, Inc. (DMRS), a business associate that processes records requests for hospitals and physicians offices nationwide.

To view the full article, please visit Risking OCR and Patient Ire, Many CEs Don’t Comply With Patient Access Rules

The Individual’s Right to Restrict Disclosure of Health Information

This article gives a great explanation of how industry has fought to influence those in government that write the ‘rules’ for how federal law works in practice. The key industry tactic is to complain that complying with the law is too costly, or impossible, or would take too much time. For reasons we don’t understand, the government agency that writes the ‘rules’ takes the side of industry rather than defending patients.

From ABA Health eSource, Jim Pyles, “The Right to Obtain Restrictions Under the HIPAA/HITECH Rule:
A Return to the Ethical Practice of Medicine
.

The Individual’s Right to Restrict Disclosure of Health Information
AuthorThe HIPAA/HITECH Final Omnibus Rule issued on January 25, 2013 restores the right for Americans to retain some control over the disclosure of their health information as part of the “floor” of federal privacy protections afforded by HIPAA.(1) Under the new rule, individuals have a right to obtain restrictions on the disclosure of health information in electronic or any other form to a health plan for payment or healthcare operations with respect to specific items and services for which the individual has paid the covered entity out of pocket in full.(2) Such requests for restrictions must be granted by the covered entity unless disclosure is required by law. Covered entities must also include this right in their notices of privacy practices.(3) The guidance in the preamble states that only healthcare providers are required to include such a statement in their notices of privacy practices; however, the language of the statute and the regulation itself states that the notice requirement applies to covered entities.(4) The new rule became effective March 26, and covered entities must be in compliance by no later than September 23, 2013.(5)

————-

1 78 Fed. Reg. at 5628 (January 25, 2013).
2 45 C.F.R. § 164. 522(a)(1)(vi).
3 45 C.F.R. § 164.520(b)(1)(iv).
4 HITECH Act, section 13405(a); 45 C.F.R. § 164.522(a)(1)(vi) (as amended).
5 78 Fed. Reg. at 5566.