Remember, ‘happy patients don’t complain to HHS,’ expert highlights.
Right of Access enforcement activity is expected to increase over the next year. With patients’ rights continuing to be a hot topic for the HHS Office for Civil Rights and the Department of Health and Human Services at large, you may want to beef up your relevant policies.
Providers should prepare for patients’ requests as well as third-party concerns, suggests HIPAA expert Jim Sheldon-Dean with Lewis Creek Systems in Charlotte, Vermont.
“The HIPAA Right of Access Initiative is focused on improving compliance with 45 CFR 164.524, so all covered entities should ensure that they are able to provide timely access to records or, if an exception applies, a timely denial notice to both patients and their personal representatives,” law firm Hall Render says. “Covered entities are encouraged to review policies and procedures regarding the verification and documentation of personal representatives and their authority to act on behalf of patients and train staff on how to identify and respond to requests by personal representatives.”
As you update your Right of Access policies, consider factoring these tips into your compliance plan:
- Educate staff: You need to train your workforce on individuals’ rights to access their health data, and what this means to your organization.
- Know the rules: Administrative staff should familiarize themselves with the HIPAA rules and updates to the federal mandates. Plus, “make sure you provide access to individuals according to the rules for individual access only,” Sheldon-Dean cautions.
- Address third-party issues: Hammer out a comprehensive business associate agreement (BAA) upfront to avoid problems later on. “Be ready to redirect requests from third parties to your authorization process for releases,” Sheldon-Dean advises.
- Check past resolutions: Review CAPs and resolutions from the 43 settlements to figure out what OCR’s expectations are for compliance with the provision.
- Put it in writing: It’s easy to forget what your policies are if they aren’t set in stone. Keep a written record of your organization’s policy updates, so you have recourse if problems pop up.
- Ensure staff know the deadline requirements: CEs must get patients or their representatives their medical records “in the form and format requested” and within “30 calendar days from receiving the individual’s request,” OCR reminds. Policies should include the HIPAA-mandated timeline as well as procedures on dealing with exceptions and/or denials when extra time is needed to compile the records.
- Pay attention to your patients: “Always do your best to satisfy reasonable requests from individuals and do what is best for their healthcare; happy patients don’t complain to HHS,” warns Sheldon-Dean.
Note: See the OCR guidance on the Right of Access provision at www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.