See whose record requests you must honor. With six out of seven HIPAA enforcement settlements to date under the Biden administration dealing with Right of Access investigations, you can’t afford to have sloppy records-handling habits in your surgical practice. To make sure your surgeons aren’t the next covered entities (CEs) in the crosshairs, we have a rundown of six steps you can use to strengthen your own policies and procedures for access to medical records. Step 1: Recognize Personal Representatives The rules for Right of Access apply to both the patient and the patient’s personal representative. A representative is “a person with authority under State law to make health care decisions for the individual,” according to Department of Health and Human Services (HHS) guidance. A recent enforcement action involved a healthcare provider in Omaha, Nebraska who failed to furnish a parent with all of their child’s medical records, upon request. “Under HIPAA, a parent is a ‘personal representative’ of a minor child and must be treated like a patient when exercising the right of access,” explains Atlanta-based attorney Madison M. Pool with law firm Arnall Golden Gregory LLP in an online legal analysis. Step 2: Train the Right Personnel If an employee’s job requires them to receive, process, or fulfill individuals’ records requests, they must be trained on HIPAA Right of Access requirements. But the regulations aren’t the only thing employees need to know — you should also include specific training about your surgery practice’s procedures for responding to records requests. “Workforce members must understand the covered entity’s process for addressing any issues that arise in the access request process,” explains partner attorney Valerie Breslin Montague with law firm Nixon Peabody LLP in a blog posting. Step 3: Watch the Calendar CEs should get patients their protected health information (PHI) “no later than 30 days from the individual’s request,” according to HHS guidance. This timeline is just “an outer limit,” and the feds prefer that CEs respond as quickly as possible — especially if the data transfer is in an electronic form. When PHI is stored offsite and the CE cannot offer access within the 30-day timeframe, the rule allows for a maximum extension of an additional 30 days, HHS guidance maintains. The CE must let the individual know in writing during the initial 30 days that an extension is necessary, why there will be a delay, and when the patient should expect access to their records. Step 4: You Can Charge for Records Although CEs can charge the patient for records, you need to know the following caveats: How much? CEs are permitted to “charge a reasonable, cost-based fee for individuals (or their personal representatives) to receive (or direct to a third party) a copy of the individuals’ PHI,” HHS says. They can calculate those fees by adding up “certain labor, supply, and postage costs that may apply in providing the individual with the copy in the form and format and manner requested or agreed to by the individual,” the agency adds. CEs can also opt for a flat fee not to exceed $6.50 for electronic copies of PHI. Step 5: Know Restricted Information Some exceptions exist to the Right of Access rule. For example, CEs do not have to turn over data compiled and created for use in legal proceedings. Individuals also don’t have the right to access mental health professionals’ psychotherapy notes due to the nature of their content. Since this data is “maintain[ed] separately from the individual’s medical record” and is used to “document or analyze the contents of a counseling session with the individual,” the information is exempt under HIPAA, according to HHS. Caveat: The underlying PHI from the patient’s medical record that was used to generate legal or psychotherapy exceptions are subject to access. Step 6: Understand State Law Impact CEs should always review state privacy laws before setting up HIPAA policies and procedures, especially related to Right of Access laws. “The HIPAA Privacy Rule sets a Federal ‘floor’ of privacy protections,” clarifies HHS in online guidance. “Many States have health information privacy laws that have additional protections that are above this floor. In addition, even though HIPAA is a Federal law, State Attorneys General have been given the authority to enforce HIPAA.” Fees: CEs may want to revisit their state’s fee structures for medical records, too, as some states prohibit fees while others authorize them. Resource: www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.