With more and more health information being stored and transmitted electronically, the demand for easier access to protected health information (PHI) has grown dramatically of late. At the same time, the need to protect that PHI from compromise and breach has also increased.
A recent MRO white paper explored the latest regulatory initiatives from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), including the HIPAA Audit Program and Guidance on Patient Access, and offered tips for healthcare organizations to stay compliant.
This article provides additional detail regarding the OCR’s Guidance on Patient Access, released in early 2016 to educate patients about their rights and to guide healthcare organizations on providing patients with timely access to PHI.
Here are seven things to remember about patient requests:
1) Patient requests do not need to contain all the core elements and required statements necessary for authorizations under HIPAA.
Covered entities (CEs) can require that patient requests be made in writing and that patients use their own supplied forms; however, under HIPAA and the OCR FAQs, all a patient needs to provide in their request for access is enough information to verify the patient’s identity, what PHI is being requested, and where that PHI should be sent. Additionally, patients do not need to provide a purpose for their request. While asking a patient for a reason is not prohibited, denying access based on their answer is.
Access policies cannot create barriers or unreasonably delay patients from accessing their PHI.
CEs cannot require patients or their personal representatives to come on-site to the facility to request access to PHI in person, nor can they require patients to submit their requests via a Web portal or through the mail.
2) Patients’ personal representatives have the same access rights as patients.
Patients’ personal representatives have all the same rights to accessing PHI as the patients themselves, provided that the personal representative can supply information regarding their authority to act on behalf of the patient. Examples of personal representatives include healthcare powers of attorney and the parents/guardians of minors. Healthcare providers should make sure policies do not hinder personal representative access.
3) Patients and their personal representatives may designate a third party to receive copies of PHI on their behalf.
If a patient or personal representative wishes to send copies of requested PHI to a third party, providers must oblige, granted the request is in writing, signed by the patient or personal representative, and clearly identifies the designated recipient and where to send the PHI.
4) Healthcare organizations need to provide access to designated record sets to patients who request access.
HIPAA entitles patients to access their “designated record sets,” which consist of a broad array of health information, including medical and billing records, insurance information, clinical laboratory test results, medical imaging, wellness and disease management program files, and clinical case notes.
5) Providers need to provide copies of PHI in patients’ preferred formats.
Patients are entitled to copies of their PHI in the form and format they request. However, providers are not required to purchase new software or equipment in order to accommodate every possible individual request; rather, healthcare providers must have the capability to distribute some form of electronic PHI (ePHI). Therefore, if the requested format is not feasible, PHI must be provided in a readable format agreed upon by both the provider and the patient.
Additionally, healthcare providers are not required to take on an unreasonable level of risk to accommodate patient requests for copies of PHI in unsecure formats. If a patient asks for copies of his or her PHI in a format that poses an unacceptable level of risk to the provider’s information technology infrastructure – such as uploading PHI to the patient’s personal USB thumb drive – the healthcare provider is not required to oblige. Instead, the provider must deliver the PHI in another readable electronic format that is agreeable to the patient. Only if the patient does not agree to accept copies of the PHI in the electronic format proposed by the healthcare provider can copies be provided on paper.
However, the OCR has stated that the transmission of PHI via unencrypted email does not pose an unacceptable risk. Thus, if a patient requests access to PHI via unencrypted email, healthcare providers must comply, granted that the provider has warned the patient of the risks associated with unsecure transmission and the patient has accepted those risks.
6) Access to PHI must be provided within 30 days or less.
Providers must grant patients and personal representative access to PHI without unreasonable delay, usually within 30 days of receipt of request. If a long turnaround is unavoidable, the provider must notify the patient of the delay, explain why the delay has occurred, and provide an expected date of arrival for the patient’s PHI.
7) Ensure that accounting of disclosure database is up to date for easy extraction of key data.
Part of the patient’s right of access under HIPAA is to obtain a copy of an accounting of disclosures (AOD) for their PHI. Therefore, healthcare providers should ensure that they maintain accurate AODs for all release of information (ROI) requests. AODs should include the name and address for the person or entity requesting the patient’s PHI, the date of request, what PHI was requested, what PHI was disclosed, and the date of disclosure. Additionally, it is recommended that facilities include information regarding turnaround times and delivery methods in their AODs.
Keeping these matters in mind will ensure that healthcare providers remain HIPAA-compliant, and in line with the OCR’s Guidance on Patient Access.
MRO White Paper
Literature is ripe with classic phrases that seem timelessly apropos. For example, take the partial federal government shutdown. For days, the phrase repeated in the
In 2025, Category III codes 0913T and 0914T were introduced to streamline the reporting of percutaneous coronary interventions (PCI) by combining drug-coated balloon (DCB) angioplasty
Please log in to your account to comment on this article.
Join Beth Wolf, MD, CPC, CCDS, for an in-depth webcast on the FY2025 spinal fusion MS-DRG updates. Discover key changes in DRG classification, understand impacts on documentation and CMI, and learn strategies to ensure compliance.
Join Angela Comfort, DBA, MBA, RHIA, CDIP, CCS, CCS-P, as she presents effective strategies to strengthen collaboration between CDI, coding, and quality departments in acute care hospitals. Angela will also share guidance on implementing cross-departmental meetings, using shared KPIs, and engaging leadership to foster a culture of collaboration. Attendees will gain actionable tools to optimize documentation accuracy, elevate quality metrics, and drive a unified approach to healthcare goals, ultimately enhancing both patient outcomes and organizational performance.
Optimize your outpatient clinical documentation and gain comprehensive knowledge from foundational practices to advanced technologies, ensuring improved patient care and organizational and financial success. This webcast bundle provides a holistic approach to outpatient CDI, empowering you to implement best practices from the ground up and leverage advanced strategies for superior results. You will gain actionable insights to improve documentation quality, patient care, compliance, and financial outcomes.
Enhancing outpatient clinical documentation is crucial for maintaining accuracy, compliance, and proper reimbursement in today’s complex healthcare environment. This webcast, presented by industry expert Angela Comfort, DBA, RHIA, CDIP, CCS, CCS-P, will provide you with actionable strategies to tackle complex challenges in outpatient documentation. You’ll learn how to craft detailed clinical narratives, utilize advanced EHR features, and implement accurate risk adjustment and HCC coding. The session also covers essential regulatory updates to keep your documentation practices compliant. Join us to gain the tools you need to improve documentation quality, support better patient care, and ensure financial integrity.
Dr. Ronald Hirsch provides critical details on the new Medicare Appeal Process for Status Changes for patients whose status changes during their hospital stay. He also delves into other scenarios of hospital patients receiving custodial care or medically unnecessary services where patient notifications may be needed along with the processes necessary to ensure compliance with state and federal guidance.
Healthcare organizations face complex regulatory requirements under the No Surprises Act and Price Transparency rules. These policies mandate extensive fee disclosures across settings, and confusion is widespread—many hospitals remain unaware they must post every contracted rate. Non-compliance could lead to costly penalties, financial loss, and legal risks. Join David M. Glaser Esq. as he shows you how to navigate these regulations effectively.
Protect your facility from unwanted audits! Join Becky Jacobsen, BSN, RN, MBS, CCS-P, CPC, CPEDC, CBCS, CEMC, and take a deep dive into both the CMS and AMA guidelines for reporting post operative pain blocks. You’ll learn how to determine if the nerve block is separately codable with real life examples for better understanding. Becky will also cover how to evaluate whether documentation supports medical necessity, offer recommendations for stronger documentation practices, and provide guidance on educating providers about documentation requirements. She’ll include a discussion of appropriate modifier and diagnosis coding assignment so that you can be confident that your billing of post operative pain blocks is fully supported and compliant.
During this RACmonitor webcast Dr. Ronald Hirsch spotlights the areas of the OIG’s Work Plan and the findings of their most recent audits that impact utilization review, case management, and audit staff. He also provides his common-sense interpretation of the prevailing regulations related to those target issues. You’ll walk away better equipped with strategies to put in place immediately to reduce your risk of paybacks, increased scrutiny, and criminal penalties.
Copyright © 2024 RACmonitor. Powered by MedLearn Media.
Happy National Doctor’s Day! Learn how to get a complimentary webcast on ‘Decoding Social Admissions’ as a token of our heartfelt appreciation! Click here to learn more →
CYBER WEEK IS HERE! Don’t miss your chance to get 20% off now until Dec. 2 with code CYBER24
