Part B Insider (Multispecialty) Coding Alert

Patient Privacy:

Buckle Down for HIPAA's Regs on Patient Access

Get a process in place now for giving patients copies of their records.

If a patient approaches your front desk and asks for electronic copies of her records, you need to be able to respond quickly and accurately. Asking the patient to “hold on” while you check around for whether it’s acceptable to give her e-copies is not only unprofessional—it’s potentially a violation of the regs.

In the last issue of the Insider, we told you that HIPAA audits are starting this fall. This week, we break down one of the areas you should be addressing—patient access to their own health records.

Create A Process Now

New HIPAA rules and HITECH Act provisions give patients steadily greater control over their health records. You always need to have a process for people to ask for copies of the information in their designated record set (DRS), says Jim Sheldon-Dean, director of compliance services for Charlotte, VT-based Lewis Creek Systems, LLC. And you must have a reasonable, cost-based fee for furnishing the copies.

For instance, if a patient wants to get a copy of his records, you would give him a copy of whatever is in his DRS, Sheldon-Dean says. And if the patient wants to amend his records, you would amend whatever records exist in the DRS.

Heed New Rules for Electronic Copies — But Tread Carefully

These “new rules” include interim and proposed rules that were finalized in the big HIPAA Omnibus Update, published on Jan. 25, 2013; effective on March 26, 2013; and enforceable as of Sept. 23, 2013. The Omnibus Update included new rules under both the HIPAA Rules and the HITECH Act. The Update is published in the Jan. 25 Federal Register at www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf.

Under these rules, if you keep DRS information electronically, you must honor requests for copies of that information in an electronic format. If the patient asks, you need to have some way of giving the information to him electronically, “whether it’s on a CD or as an email attachment or a memory stick or through a portal or however,” Sheldon-Dean explains.

“You can’t just say, ‘Oh no, we only give out paper copies,’” Sheldon-Dean cautions. If you’re keeping electronic information, you must give patients a copy electronically when requested.

Problem: You know there’s no excuse for not encrypting professional-to-professional emails, but what if a patient asks for a copy of his protected health information (PHI) via an unencrypted email? What if the individual says, “I want you to just email this information to me, and I really don’t care whether it’s encrypted because I don’t think it’s really sensitive information.”

Solution: You can’t just outright deny or agree to a request like this. You need to have a discussion with that individual, Sheldon-Dean says. You need to discuss with the patient what kind of information you’re emailing — regular medical records, a test result, HIV information, or reproductive health information, etc. — and explain the risks.

And you need to talk through and perform a risk analysis with the patient. The patient can’t just say, “I don’t care about this — just email it to me anyway,” according to Sheldon-Dean. The individual should tell you in writing, “Okay, I understand what my risks are and I think that’s acceptable.” The person must give you an informed risk decision.

Define the Scope of Your DRS

Another problem is understanding what’s in the DRS and where all that information resides. And this is not just your formal electronic health record (EHR) — “also you may have Excel files or Access databases or Word documents,” Sheldon-Dean notes. Any information — no matter if it resides in the EHR or elsewhere — that you’re using to make decisions about the individual is part of the DRS.

Crucial: “So you need to understand where is your [DRS], how big is it, what are the limits of it,” Sheldon-Dean urges. “Because the more you can define that information, the easier it is to be able to provide individual access.”

Remember: Because the electronic access provision is new, you’ll need to update your Notice of Privacy Practices (NPP) accordingly.

What You Must Include in an Access Report

If somebody wants an accounting of disclosures (also called an access report) — what information might have been disclosed to some other organization — that applies to the information in the DRS, Sheldon-Dean explains. You could have other information that is PHI associated with the individual “but maybe it’s for purposes of internal audits or internal reviews or quality improvement” — that’s not in the DRS.

Under the new rules, you must widen your scope when providing an access report/accounting of disclosures to patients. If you haven’t already, you should evaluate the capabilities of your systems to ensure that you can properly produce this type of report.