Assume the rules don’t apply to labs at your peril. Take a hint: six out of seven Biden administration HIPAA enforcement settlements to date have dealt specifically with Right of Access investigations. To help ensure your lab isn’t the next covered entity (CE) in the crosshairs, here is a rundown of seven tips you can use to strengthen your own policies and procedures.

Tip 1: CE Labs Must Comply With Right of Access

Contrary to a persistent belief that patients must get their lab results through the provider who ordered the test, labs may provide results directly to the patient upon request. Labs were once restricted from releasing test results to patients, but the Centers for Medicare & Medicaid Services (CMS) amended the regulations for labs certified under the Clinical Laboratory Improvement Amendments (CLIA) to allow the practice. At the same time, CMS removed laboratories’ exception to the HIPAA Privacy Rule (see www.cms.gov/Medicare/Provider-Enrollment-and-Certification/SurveyCertificationGenInfo/Downloads/Survey-and-Cert-Letter-14-11.pdf).

Key: A laboratory is a CE under HIPAA if it conducts one or more covered transactions electronically.

Tip 2: Recognize Personal Representatives

The Right of Access rules apply to a patient’s personal representative as well as to the patient. A personal representative is “a person with authority under State law to make health care decisions for the individual,” according to Department of Health and Human Services (HHS) guidance. A recent enforcement action involved a healthcare provider in Omaha, Nebraska, that failed to furnish a parent with all of their child’s medical records upon request. “Under HIPAA, a parent is a ‘personal representative’ of a minor child and must be treated like a patient when exercising the right of access,” explains Atlanta-based attorney Madison M. Pool of law firm Arnall Golden Gregory LLP in an online legal analysis.

Tip 3: Train the Right Personnel

If an employee’s job requires them to receive, process, or fulfill individuals’ records requests, they must be trained on HIPAA Right of Access requirements. The regulations aren’t the only thing employees need to know, though: you should also include specific training on your lab’s own procedures for responding to records requests. “Workforce members must understand the covered entity’s process for addressing any issues that arise in the access request process,” explains partner attorney Valerie Breslin Montague of law firm Nixon Peabody LLP in a blog posting.

Tip 4: Watch the Calendar

CEs should get patients their protected health information (PHI) “no later than 30 days from the individual’s request,” according to HHS guidance. This timeline is only “an outer limit,” and the feds prefer that CEs respond as quickly as possible, especially when the records are provided electronically. If the CE cannot provide access within the 30-day timeframe (for example, because the PHI is stored offsite), the rule allows a single extension of no more than 30 additional days, according to guidance from the HHS Office for Civil Rights (OCR). Within the initial 30 days, the CE must tell the individual in writing that an extension is necessary, why there will be a delay, and when the patient should expect access to their records.

Tip 5: You Can Charge for Records

CEs can charge the patient for copies of records, but you need to know the following caveats.

How much? CEs are permitted to “charge a reasonable, cost-based fee for individuals (or their personal representatives) to receive (or direct to a third party) a copy of the individuals’ PHI,” OCR says. They can calculate those fees by adding up “certain labor, supply, and postage costs that may apply in providing the individual with the copy in the form and format and manner requested or agreed to by the individual,” the agency adds. Alternatively, CEs can opt for a flat fee not to exceed $6.50 for electronic copies of PHI.

Tip 6: Know Restricted Information

Some exceptions to the Right of Access exist. For example, CEs do not have to turn over information compiled in reasonable anticipation of, or for use in, legal proceedings. Individuals also don’t have a right to access mental health professionals’ psychotherapy notes, because of the nature of their content: since these notes are “maintain[ed] separately from the individual’s medical record” and are used to “document or analyze the contents of a counseling session with the individual,” the information is exempt under HIPAA, according to HHS.

Caveat: The underlying PHI in the patient’s medical record (the test results, diagnoses, and other clinical data on which the exempt legal or psychotherapy material is based) remains subject to the right of access; only the exempt material itself may be withheld.

Tip 7: Understand State Law Impact

CEs should always review state privacy laws before setting up HIPAA policies and procedures, especially those related to Right of Access. “The HIPAA Privacy Rule sets a Federal ‘floor’ of privacy protections,” clarifies HHS in online guidance. “Many States have health information privacy laws that have additional protections that are above this floor. In addition, even though HIPAA is a Federal law, State Attorneys General have been given the authority to enforce HIPAA.”

Fees: CEs may want to revisit their state’s fee rules for medical records, too, since some states prohibit fees while others authorize them, and where state law is more protective of the patient it takes precedence over the HIPAA fee allowances above.

Resource: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.