Lessons to Help Prevent Release of Information Mistakes
Most healthcare organizations aspire to make patients’ health information available as rapidly as possible. However, there may be unintentional inconsistencies in policy or practice that can inadvertently make organizations noncompliant with regulatory requirements.
The Office for Civil Rights (OCR) is the division of the United States Department of Health and Human Services (HHS) that enforces federal civil rights laws that protect the rights of individuals and entities from unlawful discrimination based on race, color, national origin, disability, age, or sex in health and human services. The OCR helps providers stay compliant with HIPAA, but it’s understandable why healthcare providers may shy away; after all, the OCR can issue enforcement actions and levy civil monetary penalties. However, the OCR starts with an investigation, which allows providers the opportunity to respond to the complaint. This investigation may find that there was no violation of HIPAA or that there is a reasonable resolution—one that doesn’t result in a fine or action against the provider. The OCR is a helpful resource that advocates for both the patient and provider.
This article will help providers and health information teams identify the patterns of failure that trigger most patient complaints, the consequences of ignoring patient complaints or the OCR’s technical assistance, and the steps a healthcare organization should take to satisfy requests and avoid penalties. It is important to note that I am not a lawyer, and this article is not legal advice.
How OCR Issues Investigations for Patient Right of Access
When it comes to a patient’s right of access, anyone can file a complaint against a provider if they feel their rights have been violated. When a patient files a complaint, the OCR has three ways to address it: a phone call, technical assistance, or a data request.
OCR Phone Call
The OCR can conduct an informal, impromptu phone call to the provider to gather information about why the complaint was filed. The OCR will offer advice and training to help the provider get the patient information or records they need. If the provider follows the OCR’s direction, a formal document detailing the patient complaint will be sent to the provider, and the complaint will be closed.
OCR Offers Technical Assistance
After reviewing the complaint and documentation provided by the patient or their representative, the OCR may issue technical assistance or education to the provider. Education may, for example, address how to provide access in the manner requested by the patient. The education and direction provided will be noted in the technical assistance letter to the provider, which will also show that the case is now closed.
However, a closed case is not a get-out-of-jail-free card. The OCR still expects the provider to investigate the complaint and implement the advice provided by the OCR by updating the policies and procedures that led to the complaint. Receiving technical assistance is like receiving a written warning for speeding. It doesn’t mean you can continue to speed; it means you must be more diligent than ever.
At the National HIPAA Summit in 2019, OCR Director Roger Severino, JD, was unequivocal: The office was frustrated with the number of complaints they were receiving regarding patients’ right of access and was issuing many technical assistance letters. As a result, they were planning to issue civil monetary fines to help correct the issues around the mass influx of these complaints.
Fines often follow technical assistance and failure on the provider’s part to update policies and procedures and comply with the patient’s request. Honoring the patient complaint and getting the record requested—in the form it was requested—is critical and must be done quickly. The patient can file a second complaint if the provider drags their feet or ignores the original complaint. These duplicative complaints can cause hefty fines, sometimes in the hundreds of thousands of dollars.
Data Request
Finally, the OCR may issue a data request if the issue appears to be a trend or is a severe enough violation of policies. The OCR will send a document outlining the patient’s complaint, when it occurred, and the specific data details and items related to the event, along with a data request for the provider’s policies. Data requests issued in the last 24 months also ask for financial information from the provider, which may indicate that the OCR is using this financial information to determine the provider’s fine in the event of noncompliance.
A provider who has received an OCR data request should consider contacting the patient directly to better understand the complaint and document the conversation to show the OCR their due diligence in meeting the patient’s information needs. This could potentially help avoid significant civil monetary penalties.
OCR Investigators Are Your Friends
Every technical assistance citation is assigned to an investigator, who is typically listed on the paperwork the provider receives from the OCR. Too many providers overlook the importance of using the investigator as a resource. The investigator is there to assist you. If you receive technical assistance from the OCR and don’t understand the complaint or feel you were in the right, you can discuss that with the investigator. You can reach out to the investigator anytime, and they can provide education, explain rules, answer questions, and help you to resolve the patient complaint promptly. Most importantly, the investigator can help you make sure the situation that prompted the patient complaint doesn’t happen again.
The investigator provides the playbook for compliance and can help you close the compliance gaps you might not even know exist, as well as avoid astronomical civil monetary penalties.
Eight Technical Assistance Mistakes to Avoid
It is of the utmost importance that providers see the OCR and its investigators as the advocates they are, and thoroughly investigate the issues identified in the technical assistance. Here are eight common mistakes providers make when OCR offers technical assistance:
- The provider doesn’t resolve the complaint.
- The provider isn’t aware of what information the patient (or their personal representative) is allowed to have and, as a result, doesn’t understand what acceptable documentation is.
- The provider does not update and implement compliant access policy and procedures following the direction and education of the OCR.
- The provider or staff does not provide the correct information to the patient representative.
- The provider does not ensure staff understand and have access to all the records that are part of the patient’s designated record set (DRS), or does not have access to everything in the DRS.
- The provider does not understand the importance of timeliness of access or heed the 30 calendar days to comply with patient record requests.
- The provider’s forms for patient release are unclear in indicating what records the patient is requesting and which facility the patient is requesting the information from, if there are multiple facilities.
- The provider’s fee for the reproduction of records is incorrect.
Steps to Avoid OCR Violations
- Thoroughly investigate all technical assistance. The OCR may close the case through technical assistance, but that does not mean your responsibility ends. You must evaluate what prompted the patient’s complaint and close the gaps in your internal policy and processes to ensure it doesn’t happen again.
- Staff should understand the location of and how to obtain all documentation in your DRS. You must have a process in place that gives the patient complete access.
- Understand what a patient’s personal representative is and who has a right to the patient’s information.
To stay compliant, providers should ask themselves the following questions:
- Do you have a policy for dealing with technical assistance or any other regulatory complaint?
- Do you have a policy or procedure for receiving data requests?
- Do you have the location of all elements of the designated record set documented?
To stay compliant with the civil rights laws and regulations enforced by the OCR, providers must implement an investigation policy that incorporates and identifies the processes for technical assistance and data requests. If something comes from the Department of Justice, the OCR, or the attorney general, you will know how to handle it and potentially avoid hundreds of thousands of dollars in fines.
In addition, review recent OCR civil monetary penalties and learn from the processes other provider organizations have implemented to steer clear of penalties. Ask yourself: What are the similarities across these organizations that received civil financial penalties? If several are small clinics, what can clinics do to get support and stay compliant? What can larger health systems that have to navigate multiple, disconnected electronic health record systems do to ensure no omissions in sharing data?
To examine specific industry examples and learn what best practices can be applied to achieve high-quality patient and regulatory satisfaction, watch my webinar from January, “Don’t Make the Same Mistakes – Lessons Learned from 25 Patient Right of Access Penalties.” Whichever way it is accomplished, when it comes to the release of information, rigorous compliance is critical.
Elizabeth A. Delahoussaye (elizabeth.delahoussaye@cioxhealth.com) is the chief privacy officer at Ciox Health. She is responsible for all aspects of the company’s privacy functions, planning and directing of compliance functions, and ensuring the organization is compliant with all federal and state regulations. She has also served on the AHIMA Board of Directors and as the Speaker of the House of Delegates in 2016.