Regulatory Compliance: Expanding Patient Access to Their Health Information

In a year and a half, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights reached settlement agreements with 18 covered entities that were investigated for failing to provide patients with access to their records in accordance with HIPAA. Seven of those settlements were with physician practices, and the settlement fees paid by those practices ranged from $3,500 to $36,000. Settlements were reached between September 2019 and March 2021. [1]

This news should not be surprising. Since the HHS began taking privacy complaints in 2003, patient access to their records has been one of the top five public complaints investigated by the HHS. [2] Dental practices should review their policy and practices for providing patients with access to their records to ensure they comply with both HIPAA and state law. Practices also should be aware of two new initiatives by the federal government to further expand the ability of patients to access their health information. One is the information blocking rule that is part of the 21st Century Cures Act and the second is proposed amendments to the HIPAA privacy rule.

Current Access Rules

A patient’s right to access their health record is governed by federal HIPAA law and state law. There are a few differences between the two laws, and where the two conflict, the prevailing provision is the one that provides the greatest benefit to the public. State law does not address electronic versions of the patient record and only allows 15 days to provide a patient with a copy of their record instead of the 30 days permitted by HIPAA. HIPAA requires that patients be provided with the option of receiving electronic copies of their records if that is readily achievable and sets limits on what covered entities may charge a patient for access. HIPAA-covered entities are required to have written policies and procedures, which some of the investigated entities did not have.

A patient may not be denied access to their record due to an unpaid bill or be required to present at the office to make the access request or receive the copy. If a covered entity charges for providing a copy of records, they may not charge more than what it costs to produce a copy and must provide a cost estimate to the patient in advance. A CDA Practice Support resource, “Patient Request for Access to Records (Records Release) Form and Q&As,” details the rules for providing a patient with access to their records. A dental practice that wants to help a new patient obtain their records from their previous dentist may suggest the patient use “Patient Records,” an oral health fact sheet available on cda.org, when communicating with the previous dental practice.

Information Blocking Rule

The 21st Century Cures Act was enacted in 2017 with the goal of supporting seamless, secure access, exchange and use of electronic health information. Part of that goal is to put patients in charge of their own health information, which means removing barriers to obtaining it. Envision accessing your own health information and that of your family through a single application that pulls the information from health care providers.

The information blocking rule of the 21st Century Cures Act, which became effective April 5, 2021, defines information blocking, prohibits it and establishes exceptions to the definition. It focuses on electronic health information. The rule applies to all health care providers whether or not they use certified health information technology or are subject to HIPAA. The rule also applies to health information technology developers and health information networks or information exchanges. Penalties will be assessed on “actors” — those subject to the rule — who engage in practices that interfere with the access, exchange and use of electronic health information. A health care payer organization is not excluded as an actor and will be subject to the rule if it undertakes activities that fall under the rule’s definition of “health care provider,” “health IT developer of certified health IT” or “health information network or health information exchange.” Health care payer organizations are subject to the interoperability rules promulgated by the Centers for Medicare and Medicaid Services.

As of April 5, an actor must respond to a request to access, exchange or use electronic health information. The applicable electronic health information is limited for 18 months to specified data elements in the United States Core Data for Interoperability. The limit on applicable electronic health information will end Oct. 6, 2022. The Office of the National Coordinator (ONC) for Health Information Technology considers the 18 months as a time for actors to become educated on the rule. The ONC will conduct outreach. Webinars, fact sheets, blogs and FAQs are available on the ONC website. An enforcement rule with civil monetary penalties is expected to become effective sometime after Oct. 6.

The rule does not require actors to have or use ONC-certified health IT or to proactively make electronic health information available through use of patient portals or application programming interfaces (APIs). The rule is expected to work with HIPAA and interoperability rules. Eight exceptions are permitted for an actor who cannot fulfill a request for electronic health information. The rule sets an expectation that an actor will not charge patients who access their electronic health information with an API. The ONC has an online portal to take information blocking complaints.

Proposed Amendments to HIPAA Privacy Rule

The HHS has proposed amendments to the privacy rule to overcome what it views as impediments to care coordination and to value-based health care. Simply put, the changes will remove some obstacles to the flow of patient information necessary to provide care to a patient, and patients should have improved access to their information. Some of the proposed changes include:

■ Permitting patients to use their own devices to view and capture their information.

■ Allowing record inspection at time of appointment.

■ Requiring covered entities who charge for copies of records to place a fee schedule on their websites.

■ Permitting the use of APIs but not requiring a covered entity to have an electronic health record system with specific API capabilities.

The HHS currently is reviewing the comments it received during the comment period that ended May 6. Although there is no timeline for publishing the amendments, the HHS has set the compliance date to be approximately six months after the amendments are published and have become effective. When the amendments are published, covered entities can expect to be required to update their notice of privacy practices. CDA will provide members with information on the new requirements and compliance guidance after amendments are published.

REFERENCES

1. U.S. Health and Human Services. Resolution Agreements, www.hhs.gov/hipaa/for-professionals/complianceenforcement/agreements/index.html. Accessed April 7, 2021.

2. U.S. Health and Human Services. Enforcement Highlights, www.hhs.gov/hipaa/for-professionals/complianceenforcement/data/enforcement-highlights/index.html. Accessed April 7, 2021.

Regulatory Compliance appears monthly and features resources about laws that impact dental practices. Visit cda.org/practicesupport for more than 600 practice support resources, including practice management, employment practices, dental benefit plans and regulatory compliance.