We dig into the ramifications of OCR’s new clarifications on patient access to PHI.
Since its introduction 20 years ago, HIPAA has come to mean a number of things to a number of people. Patients typically associate it with yet another form to be filled out without reading when visiting the doctor’s office, a vague reassurance via a Notice of Privacy Practices that their PHI will be protected from prying eyes.
Providers, meanwhile, see it as a framework governing security of that same health data – one that seems to have evolved into a rigid set of processes aimed at denying patients their PHI access rights. Business associates and payers likely look upon it with trepidation, wondering if and when their trove of hopefully secure health data will be breached.
What nearly all healthcare stakeholders seem to have forgotten is that HIPAA is also intended to be a means by which patients have clear rights of access to their data, a playbook that providers and patients can rely on to ensure timely delivery of sensitive – and sometimes life-saving – information.
Patient access complaints continue to mount even as the federal government widely publicizes its push for patient-centered and empowered care, a contradiction to be sure. To remedy the situation and send a reminder of what HIPAA is truly about, OCR issued updated guidance last month on how providers can best comply with patient PHI requests in a timely manner that doesn’t burden the patient with delay or expense. But will it be enough to truly turn the tide on an issue that seems to have historically been swept under the rug by both providers and OCR?
The Precision Medicine Push
OCR Deputy Director for Health Information Privacy Deven McGraw is confident the new guidance will bring HIPAA’s patient-empowerment side to light. “We have long wanted to provide additional guidance on this issue,” she explains. “When we began to get more involved in the White House’s effort to create the Precision Medicine Initiative, we could clearly see how the right of the individual to access a copy of her health information and send that information directly to a third party, like a researcher, could be very important. It would be very driven by the individual and their donation of data. The Precision Medicine Initiative really provided a hook to move this access issue up the priority list and get the new guidance out in a timely way.”
McGraw says that it’s been a long time coming, an issue that she has wanted to address from Day One. “The inability to access health information has always been one of the top five categories of complaints that we’ve received,” she explains. “When I interviewed for this position, I said, ‘I really want to work on the access issue,’ and it just so happened that they were thinking along the same lines.”
Understanding the Numbers
The sheer volume of patient access complaints (including Mr. HIStalk’s still-unresolved, six-month-long records request drama) may help explain why OCR has at times been sluggish in enforcing compliance with offending healthcare organizations.
“We get so many complaints that come into our office every year — in the tens of thousands,” says McGraw. “If one-fifth of those are complaints about access, we can’t investigate all of them. We try to deal with many of them by contacting the covered entity and just telling them they have to comply with the rules. I do suspect that oftentimes what the individual or patient ends up getting may not be exactly what they want, and may not follow the letter of the law. Sometimes those people will complain again to our office and we’ll try to follow up, but oftentimes they’ll just give up and take what they received, which is obviously not an ideal situation.”
The Root of the Problem
The access issue seems to stem from a lack of knowledge on the part of patients and a lack of efficient processes on the part of providers. Patient requests for records have historically been treated by providers as unusual occurrences. “It has not been built in as an ordinary function of providing healthcare,” says McGraw. “It’s really been dependent on people asking, and a lot of people didn’t know they had the right to ask. Sometimes they get turned away under the misimpression that HIPAA doesn’t allow them to obtain a copy of their own records, when in fact the truth is the exact opposite.”
McGraw continues, “An entity is required to give an individual a copy of their medical records. There has been a lot of misconception out there about what our rules require in terms of the actions that have to be taken by providers and health plans to respond to individual requests. That’s why we put the guidance out there.”
Because patients have been in the dark about their access rights, providers have in turn not rushed to make the process of delivering PHI efficient. “These processes may be antiquated for a variety of reasons,” says Erin Whaley, a partner at Troutman and Sanders law firm in Arlington, VA. “For instance, some providers still require individuals to deliver a request for access in person so that the individual’s identity can be confirmed. The provider isn’t trying to create a barrier to access. They’re trying to employ a best practice to verify the authenticity of a request.”
“They’ll need to make sure that they provide multiple avenues for an individual to request access, know which electronic formats they are capable of producing above and beyond the standard PDF, and enable various methods for transmitting the responsive information,” she adds. “Developing a new request form with all of this is obviously the first step. To the extent OCR has reviewed forms that it thinks represent the gold standard, it would be helpful to share those with the provider community.”
Getting the Word Out
McGraw and her team at OCR plan to move beyond the new guidance’s initial release with awareness campaigns aimed at trade groups, healthcare organizations, and patients. Within the next several months, the office will release more in-depth FAQs on fees and on the right of the individual to send their records to a third party. It will also reach out to professional associations like AMA to help spread the word.
More consumer-friendly materials are also in the works via a partnership with ONC. “We’ve done some strategic thinking about how we’ll get these patient-centric materials out to people,” McGraw notes. “We’ve been in preliminary contact with other government agencies about how we can piggyback on their community outreach efforts. It’s premature to release any details about that.”
Enforcement is Coming
Enforcement is also a big part of the issue. That seems challenging given OCR’s bottlenecks in even responding to complaints, much less following up with enforcement.
McGraw emphasizes that enforcement isn’t an efficient process, with cases often taking years to resolve. She points to the civil monetary penalty levied against Cignet Health (MD) in 2011 – the only time a provider has been so publicly taken to task for violating the HIPAA Privacy Rule. Cignet willfully ignored the medical records requests of 41 patients between 2008 and 2009, and then disregarded both OCR’s attempts to resolve the situation and a subsequent subpoena in the years following, all to the tune of an eventual $4.3 million fine.
“The Cignet case was obviously an egregious one where there was a pattern of non-compliance,” McGraw explains. “It wasn’t just that they were making patients jump through hoops, but that they were refusing to give people copies of their records. Then on top of that, they didn’t cooperate with us. That was a pretty egregious set of circumstances.”
McGraw says OCR will step up enforcement. “Given the new guidance, we’re working with our regional office heads to come up with a strategy for how to step up our enforcement of these access cases. Clearly we’re going to have to pursue more of these. We will start enforcing this more aggressively. When we’re able to put out more details about this, we’ll do so. People shouldn’t put their heads in the sand about this. We’re quite serious.”
But Are Providers Ready?
Whatever the level of enforcement, Whaley believes providers are not ready for the increased scrutiny. “Providers know that OCR is looking to launch Phase 2 of its HIPAA audit program in early 2016 and are making sure that their house is in order in case they’re selected,” she explains. “While individual access is certainly part of HIPAA compliance, providers, for the most part, have been focusing their compliance efforts in other areas. There are still far too many who are not conducting a comprehensive annual risk analysis, or who have never updated their BAAs following the passage of the HIPAA Omnibus Rule. These providers are focusing on closing these gaps and not on their individual access processes. Hopefully, OCR will understand that while the individual access right is not new, there is a lot of new information in the guidance that will take providers time to implement. If providers are making good-faith efforts to respond to requests from individuals for access to their records, hopefully OCR will recognize this.”
Patients are the Decision-Makers
McGraw is enthusiastic about OCR’s efforts to shed more light on the patient access issue, and believes that fewer barriers will ultimately help speed up the road to interoperability and truly patient-centered care. “The role of the HIPAA rules is to create a baseline,” she says. “Nobody can fall below what we require in terms of access, but people can certainly go above and beyond. To be really patient-centered as a healthcare provider, even as a health plan, I think you have to give people the same access to the data that you have in terms of patient care and payment for care. Patients are the ultimate decision-makers for the type of treatment that they want. We have to give them information in order to enable them to make those choices.”