Health Information Compliance Alert

Physicians and many other covered entities are wondering what’s the best way to handle requests by patients who seek to amend their protected health information. Following an “if it ain’t broke, don’t fix it”  approach won’t win you many allies from the ranks of HIPAA regulators.

Under § 164.526 of the privacy rule, patients have the right to have a CE amend their PHI if the PHI is part of the designated record set; that is, records containing medical case or medical management,  billing, enrollment, payment, or claims adjudication information, used by or for the CE to make decisions about individuals. While that’s easy enough to understand, did you know that you have the right to  deny a patient’s request to amend PHI?

That’s right. Under the following circumstances, CEs may deny an individual’s request to alter his or her PHI or other record:

• The PHI was not created by the CE, unless the individual provides “reasonable basis to believe that [the] originator of PHI is no longer available to act on request”;
• It is not part of the designated record set;
• The data is not subject to an individual’s right to inspect or obtain a copy; and
• The information is “accurate and complete.”

But with the right to deny amendment to PHI come some  onerous responsibilities for CEs. However, there are some solutions  for lightening this compliance burden.

First of all, remember that the privacy rule  does offer guidance when it comes to denying or  approving an individual’s request to amend PHI  (you can view the privacy rule modifications at  www.hhs.gov/ocr/combinedregtext.pdf).

Also, keep in mind that while the Health  Insurance Portability and Accountability Act does  generate the regs, it often doesn’t mandate how  you implement those rules, notes Ernest Tsoules, 
an attorney with Exton, PA-based Tsoules, Sweeney  & Kepner.

It’s vital to have a knowledgeable person  within your organization to create guidelines for  PHI amendment requests. That means having a  “fairly senior medical records person or other  health care professional to evaluate these requests,”
Tsoules advises.

In most cases, it’s an organization’s privacy  officer who is responsible for handling these  types of requests. Rebecca Buegel, a privacy officer  and director of health information management  at Casa   Grande Regional Medical Center in  Casa Grande, AZ says CGRMC’s process is simple:  The Center offers a form on which the patient  documents what he considers to be inaccurate  information in his   record.

“They’ll then document the corrected information,  and they’ll be asked to provide information  as to who they believe should receive the  corrected information (such as their insurance company),” 
Buegel informs Eli.

Pen Is Mightier Than Your Word

Buegel says she doesn’t expect to deny  requests to amend records, since CGRMC simply  inserts an individual’s statement into the medical  record “as opposed to lining through information  and making corrections.” She’ll also insert a statement  saying CGRMC neither agrees nor disagrees  with the patient’s amendment.

No matter what model form you use for  PHI amendment and denial, it’s important that  you document whatever you do. 

Thomas Sweeney with Tsoules, Sweeney  & Kepner works with mental health agencies.  Sweeney says patients are often encouraged to  review their medical records as part of their  therapy. In those cases, a facility director appoints  someone who is most knowledgeable in  terms of the patient’s therapy to schedule a meeting  with that patient.

Those one-on-one meetings are documented  as part of the patient’s therapy, which  means if a patient submits a complaint to HHS  Office for Civil Rights, “we can say, ‘well,  here’s how we worked with that client or consumer.’”

Make Notices Easily Understood

For small physicians practices, patients often  request to amend their PHI, says Susan Orr,  another health care attorney with Tsoules, Sweeney  & Kepner. Orr cautions physicians and other CEs to  ensure that any notices of denial are written in what HIPAA calls “plain language.”

For instance, when a doctor’s writing his  notes, he’s writing them to himself and not to his  patients. “Consequently, there may be some clarification  where [a doctor] would need to put something  in more layman’s language so that nonprofessionals  can understand what he’s written,”  Orr recommends.

But however you handle PHI amendment,  it’s crucial to maintain as good a relationship as  possible with the individuals who request that data.  As Sweeney notes, speaking with a patient about a  PHI amendment becomes an opportunity to allay any patient concerns, and the policies you develop  in responding to these requests can become “a  pretty good foundation for defense if OCR or others  come back with a complaint submitted against your  organization.”

Keep in mind that individuals have a right  under HIPAA to take their complaints to HHS.  Brian Gradle, an attorney with Epstein Becker &  Green, says complaints can wind up at one of the  many regional offices of the OCR.

“Typically what happens is that if a complaint  comes in, that regional office of the OCR is  supposed to investigate that. They’re supposed to  look into [the complaint], and they would then route  that to the appropriate office and then they will  follow up on it,” Gradle maintains.

From that point, Gradle says, the OCR may  take as much time as they desire before any follow  up occurs.