Regulatory Compliance
C D A J O U R N A L , V O L 4 9 , Nº 7
Expanding Patient Access to Their Health Information CDA Practice Support
I
n a year and a half, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights reached settlement agreements with 18 covered entities that were investigated for failing to provide patients with access to their records in accordance with HIPAA. Seven of those settlements were with physician practices, and the settlement fees paid by those practices ranged from $3,500 to $36,000. Settlements were reached between September 2019 and March 2021.1 This news should not be surprising. Since the HHS began taking privacy complaints in 2003, patient access to their records has been one of the top five public complaints investigated by the HHS.2 Dental practices should review their policy and practices for providing patients with access to their records to ensure they comply with both HIPAA and state law. Practices also should be aware of two new initiatives by the federal government to further expand the ability of patients to access their health information. One is the information blocking rule that is part of the 21st Century Cures Act and the second is proposed amendments to the HIPAA privacy rule.
Current Access Rules
A patient’s right to access their health record is governed by federal HIPAA law and state law. There are a few differences in the two laws; and where the two conflict, the prevailing provision is the one that provides the greatest benefit to the public. State law does not address electronic versions of the patient record and only allows 15 days to provide a patient with a copy of their record instead of the 30 days permitted by HIPAA. HIPAA requires that patients be provided with the option of receiving electronic copies of their
records if that is readily achievable and sets limits on what covered entities may charge a patient for access. HIPAA-covered entities are required to have written policies and procedures, which some of the investigated entities did not have. A patient may not be denied access to their record due to an unpaid bill or be required to present at the office to make the access request or receive the copy. If a covered entity charges for providing a copy of records, they may not charge more than what it costs to produce a copy and must provide a cost estimate to the patient in advance. A CDA Practice Support resource, “Patient Request for Access to Records (Records Release) Form and Q&As,” details the rules for providing a patient with access to their records. A dental practice that wants to help a new patient obtain their records from their previous dentist may suggest the patient use “Patient Records,” an oral health fact sheet available on cda.org, when communicating with the previous dental practice.
Information Blocking Rule
The 21st Century Cures Act was enacted in 2017 with the goal of supporting seamless secure access, exchange and use of electronic health information. Part of that goal is to make the patient in charge of their own health information and doing so means removing barriers to obtaining their information. Envision accessing your own health information and that of your family through a single application that pulls the information from health care providers. The information blocking rule of the 21st Century Cures Act, which became effective April 5, 2021, defines information blocking, prohibits it and establishes exceptions to the definition. It focuses
on electronic health information. The rule applies to all health care providers whether or not they use certified health information technology or are subject to HIPAA. The rule also applies to health information technology developers and health information networks or information exchanges. Penalties will be assessed on “actors” — those subject to the rule — who engage in practices that interfere with the access, exchange and use of electronic health information. A health care payer organization is not excluded as an actor and will be subject to the rule if it undertakes activities that fall under the rule’s definition of “health care provider,” “health IT developer of certified health IT” or “health information network or health information exchange.” Health care payer organizations are subject to the interoperability rules promulgated by the Centers for Medicare and Medicaid Services. As of April 5, an actor must respond to a request to access, exchange or use electronic health information. The applicable electronic health information is limited for 18 months to specified data elements in the United States Core Data for Interoperability. The limit on applicable electronic health information will end Oct. 6, 2022. The Office of the National Coordinator (ONC) for Health Information Technology considers the 18 months as a time for actors to become educated on the rule. The ONC will conduct outreach. Webinars, fact sheets, blogs and FAQs are available on the ONC website. An enforcement rule with civil monetary penalties is expected to become effective sometime after Oct. 6. The rule does not require actors to have or use ONC-certified health IT or to proactively make electronic health JULY 2 0 2 1
467
