This article was co-author by Glena Jarboe and Ricardo J. Pabón-Degláns.
The Right of Access Initiative by the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) began in 2019. On September 20, 2022, the OCR published its latest press release on the matter announcing three new investigations pertaining to patients' right of access under the Health Insurance Portability and Accountability Act (HIPAA). With these additional investigations, the OCR has issued forty-one (41) enforcement actions since the initiative began.
In this round of publication by HHS, the three investigations are focused on dental practices around the U.S., a sector of the healthcare industry that is often underemphasized when it comes to regulatory topics. It is important for providers to understand the rights HIPAA affords to individuals to see and get copies of their health information. An entity that is regulated by HIPAA has 30 days from receipt of a request, absent an extension, to provide an individual or their representative with their records in a timely manner. Furthermore, the three entities entered into corrective actions plans after agreeing to pay fines for the potential HIPAA violations.
The general rule established around right of access is that an individual has a right to inspect and obtain a copy of their protected health information in a designated record set, for as long as the protected health information is maintained in the designated record set. The two exceptions to the rule are for psychotherapy notes and information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. See 45 C.F.R. 164.524(a)(1). Additionally, it is important to understand what a designated record set includes, which is medical records, billing records, payment and claims records, health plan enrollment records, case management records, as well as other records used, in whole or in part, by or for a covered entity to make decisions about individuals.
Right of Access Process - Key Elements
There are many challenges facing the dental community regarding compliant release of information. However, most of the challenges can be addressed with appropriate policies and procedures and practical training and education. Below are key elements that should be considered when evaluating the sufficiency of your own right of access process:
- Unlike large academic medical centers, smaller practices do not typically have an entire department dedicated to medical records and release of information, which makes implementation of standard practices and training and education of the entire staff essential.
- One of the biggest challenges is ensuring all staff understand what to do when asked by a patient for all or part of their record. Having a standard operating procedure (SOP) that outlines specific processes to be followed should reduce the risk of mismanagement by the staff.
- Systems present another challenge, either multiple systems with pieces of data in different systems, or new systems that have scanned documents. Knowing where all the records, including scanned images of records, are housed is essential to ensure complete records are released to the patient. Another system risk is scanned documents, the burden is on the practice to ensure that if scanned documents will be provided only the designated record set, as defined in 45 C.F.R. 164.524 are included (as an example, psychiatric evaluation notes for pain management should not be included). The risk in psychiatric evaluations lies in the fact that psychotherapy notes are one of the exempted parts of a record which is not included as part of the designated record set.
- Often the individual that has been charged with the release of information process also has other duties, potentially causing a conflict of commitment. The daily duties often take precedence over the release of information duties. Having to copy the records and images is a time-consuming process which often gets pushed to the back of the priority list. This can result in running the risk of missing the required window for release. (i.e., 30 days with a one-time extension of an additional 30, but for the extension a written notification to the individual is required.)
- Staff turnover is another area of concern for all dental practices. If you have documents that reinforce your practices standards and expectations, it will ease the burden of onboarding a new, potentially less experienced staff member.
As previously mentioned, development of a policy and/or standard operating procedure with mandatory and effective training and education can help eliminate many risks and challenges. In fact, we believe that a clear policy or SOP and appropriate education for all staff is the only way to achieve compliance with right of access. While this sounds like a daunting task, it does not have to be. Start with a basic outline that includes the goal (why is the policy or SOP being developed), the audience (to whom it applies), any important definitions or acronyms that staff members might not be familiar with, the rules and specifics for how the practice will be run and be in compliance with the right of access, and finally any related policies or SOPs that might tie to or support the policy or SOP.
Consider the issues that potentially cause the biggest challenges to dental practices and start there, such as:
- A Release of Information Policy that outlines the purpose, scope, and process for how release of information will be managed including:
- the individual/ title/ role that will have oversight of records release process;
- what parts of the record are considered part of the Designated Record Set (DRS) including medical records, billing records, payment and claims records, health plan enrollment records, case management records, as well as other records used, in whole or in part, by or for a covered entity to make decisions about individuals;
- a statement that only the individual with this oversight responsibility is allowed to copy and/or release records;
- and finally, basic instruction for all staff so that they understand their role, how the practice approaches ROI, and how to advise patients (e.g., all patients will be given the Release of Information (ROI) form or given instruction on where it can be obtained, that patients will be directed to individual or area with ROI oversight, etc.)
- A SOP outlining the systems that could potentially house records or images and how to access them. If the records have been scanned, what process will be followed to ensure only the designated record set will be released, and what process will be implemented for releasing outside records. Consideration could be given to placing a system alert to the record alerting staff that records are in other system.
- A SOP that clarifies expectations for staff and providers, including where to find the ROI form, where it should be mailed or picked up, and that only the person assigned to this task is authorized to release any portion of the record.
- A SOP (or included in the master policy) with an explanation of any costs associated with copying of records.
- A SOP outlining the process for prioritizing release (e.g., attorney request, government audits, CMS requests etc.)
At the completion of the policies/SOP, a slide presentation or other training tool should be developed and used for training and education, possibly with testing questions. Completion with a passing score should be an annual requirement.
If you are a Covered Entity as defined by HIPAA (and dental practices are a Covered Entity), understanding the process that your entity has in place for receiving, channeling and complying with a request from a patient to gain a copy their records is essential to avoid OCR complaints and investigations. Ankura’s team of healthcare privacy and security experts can assist your organization in reviewing the internal policies and procedures and identify potential changes to create efficiencies when handling individuals' requests covered by the Right of Access regulations under HIPAA, or any other privacy or security requirements under HIPAA.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.