Physicians and many other covered entities are wondering what’s the best way to handle requests by patients who seek to amend their protected health information. Following an “if it ain’t broke, don’t fix it” approach won’t win you many allies from the ranks of HIPAA regulators.
Under § 164.526 of the privacy rule, patients have the right to have a CE amend their PHI if the PHI is part of the designated record set; that is, records containing medical case or medical management, billing, enrollment, payment, or claims adjudication information, used by or for the CE to make decisions about individuals. While that’s easy enough to understand, did you know that you have the right to deny a patient’s request to amend PHI?
That’s right. Under the following circumstances, CEs may deny an individual’s request to alter his or her PHI or other record:
But with the right to deny amendment to PHI come some onerous responsibilities for CEs. However, there are some solutions for lightening this compliance burden.
First of all, remember that the privacy rule does offer guidance when it comes to denying or approving an individual’s request to amend PHI (you can view the privacy rule modifications at www.hhs.gov/ocr/combinedregtext.pdf).
Also, keep in mind that while the Health Insurance Portability and Accountability Act does generate the regs, it often doesn’t mandate how you implement those rules, notes Ernest Tsoules,
It’s vital to have a knowledgeable person within your organization to create guidelines for PHI amendment requests. That means having a “fairly senior medical records person or other health care professional to evaluate these requests,”
In most cases, it’s an organization’s privacy officer who is responsible for handling these types of requests. Rebecca Buegel, a privacy officer and director of health information management at Casa Grande Regional Medical Center in Casa Grande, AZ says CGRMC’s process is simple: The Center offers a form on which the patient documents what he considers to be inaccurate information in his record.
“They’ll then document the corrected information, and they’ll be asked to provide information as to who they believe should receive the corrected information (such as their insurance company),”
Pen Is Mightier Than Your Word
Buegel says she doesn’t expect to deny requests to amend records, since CGRMC simply inserts an individual’s statement into the medical record “as opposed to lining through information and making corrections.” She’ll also insert a statement saying CGRMC neither agrees nor disagrees with the patient’s amendment.
No matter what model form you use for PHI amendment and denial, it’s important that you document whatever you do.
Thomas Sweeney with Tsoules, Sweeney & Kepner works with mental health agencies. Sweeney says patients are often encouraged to review their medical records as part of their therapy. In those cases, a facility director appoints someone who is most knowledgeable in terms of the patient’s therapy to schedule a meeting with that patient.
Those one-on-one meetings are documented as part of the patient’s therapy, which means if a patient submits a complaint to HHS Office for Civil Rights, “we can say, ‘well, here’s how we worked with that client or consumer.’”
Make Notices Easily Understood
For small physicians practices, patients often request to amend their PHI, says Susan Orr, another health care attorney with Tsoules, Sweeney & Kepner. Orr cautions physicians and other CEs to ensure that any notices of denial are written in what HIPAA calls “plain language.”
For instance, when a doctor’s writing his notes, he’s writing them to himself and not to his patients. “Consequently, there may be some clarification where [a doctor] would need to put something in more layman’s language so that nonprofessionals can understand what he’s written,” Orr recommends.
But however you handle PHI amendment, it’s crucial to maintain as good a relationship as possible with the individuals who request that data. As Sweeney notes, speaking with a patient about a PHI amendment becomes an opportunity to allay any patient concerns, and the policies you develop in responding to these requests can become “a pretty good foundation for defense if OCR or others come back with a complaint submitted against your organization.”
Keep in mind that individuals have a right under HIPAA to take their complaints to HHS. Brian Gradle, an attorney with Epstein Becker & Green, says complaints can wind up at one of the many regional offices of the OCR.
“Typically what happens is that if a complaint comes in, that regional office of the OCR is supposed to investigate that. They’re supposed to look into [the complaint], and they would then route that to the appropriate office and then they will follow up on it,” Gradle maintains.
From that point, Gradle says, the OCR may take as much time as they desire before any follow up occurs.
an attorney with Exton, PA-based Tsoules, Sweeney & Kepner.
Tsoules advises.
Buegel informs Eli.