We previously published Part 1 of this article on abuses of Patient Right to Access for medical records and how these abuses can overburden healthcare providers and put patient health information at risk. This Part 2 focuses on what healthcare organization can do about the growing problem.
The following blog was written for the HIPAA Secure Now community by DataFile Technologies, a leading provider of health data management including fast records release services with a 24-hour turn-around time, and an industry-leading accuracy rate over 99.9%.
So what can you do in your practice to prevent misuse of Right to Access?
Stay in the know about your rights in patient Right to Access
The best way to protect your patients and your organization is by staying informed. We’ve created this helpful library of resources and this FAQ on Patient Right to Access to serve healthcare organizations in their struggle with issues like Right to Access abuse. DataFile Technologies is committed to our involvement in lobbying efforts to steer Right to Access back to its intended use.
Inform and educate your patients
Cited within the OCR guidance are examples of relevant third-parties with whom patients may need to share health information including other healthcare providers, a caregiver, a mobile health app or a researcher. The OCR did not, however, name attorneys in the guidance. This has led certain attorneys to circumvent litigation costs and obtain records without paying the medical record fees set by each state. We have seen an additional demand that we provide Custodian of Records Affidavits in response to these Right to Access requests even where the patient didn’t request this additional work from the healthcare provider (see the difference).
Under the guise of Right to Access, attorneys are obtaining medical records to lower their costs—but at what expense to the patient? When medical records are requested under the OCR rule, they do not have the same HIPAA protections.
Patients should be informed that when medical information is requested under patient Right to Access, they have lost control of their healthcare information:
- No expiration date on the permission to access the requested records so the third party can request the record now and a decade from now.
- No means to revoke the permission to access the requested records so the requestor can continue seeking information without additional patient consent.
- No limitation in scope, meaning attorneys have access to information the patient may want to keep private, like STD or mental health records.
When a patient-copy of records using Right to Access is directed to a third party, the patient is no longer in control. It’s kind of like walking out of the house and leaving your door open. The house is still yours, but now it’s vulnerable to ongoing threats.
Healthcare organizations can help empower patients with more information. A trade organization called AHIOS produced a helpful video can serve as a guide for patients when considering their options. Providers can and should use informational tools like this in their patient newsletters, on their social media sites and as a link when communicating with patients. The more your patients know about their rights, the better choices they can make.
Also, whenever a patient needs to release medical information, encourage them to sign a HIPAA authorization.
Charge the appropriate amount to cover your costs – even if requestors try to get nasty
The Department of Health and Human Services Office for Civil Rights (“OCR”) provided guidance on calculating a “reasonable, cost-based fee” to charge for medical records requests made pursuant to Right to Access. A Covered Entity or Business Associate can use one of three methods:
- Calculate the actual costs incurred for each specific request;
- Determine the average costs for requests and charge each request based on this calculation; or
- Charge a flat fee for electronic copies that is capped at $6.50
Healthcare organizations are required to show patient requestors supporting evidence as to how 1 and 2 above are calculated. To further complicate matters, the OCR stated that providers cannot use a per page cost for electronically delivered records – despite the fact that EHRs still generate documentation per page!
Sadly, most providers are relegated to the third option of charging $6.50, which is nowhere near the actual cost to produce a medical record in a secure, compliant and timely manner. As a medical records service, DataFile actively maintains its data on costs and has used the average cost methodology to determine what to charge for Right to Access requests. However, for most healthcare providers, the amount of work and time it takes to analyze the cost data and develop the fair pricing model is onerous to say the least.
Take the time to perform and document a cost analysis including your allowable labor, media and postage so that you can capture as much of the costs for producing a medical record as is allowable under the regulation, which will likely be an amount much closer to the true cost of providing this service to patients and their assigns. Research more about what is allowable in your calculation here.
Consider professional disclosure management help
DataFile Technologies is just one provider of services that takes the burden of health information disclosure and fulfilling medical records requests off the to-do list of healthcare providers. Provider organizations can benefit from outsourcing disclosure management in several ways. First, dedicated, full-time disclosure management teams tend to be highly trained and specialized. Because they are not split between disclosure management and priorities like clinical responsibilities and other back office tasks, they can focus all efforts on effective, compliant release of information and related HIM services.
A quality service provider also has resources dedicated to staying up to date on all the rule and regulation changes that frequent the healthcare space. So, for example, when the OCR provides guidance on how to implement and comply with a new regulation, it gets incorporated into your outsourced process in a timely way.
At issue with the misuse of Right to Access by third party requestors is how adamant they can be about their objections. Most providers will understandably capitulate to a belligerent requestor rather than take the time to clearly explain the laws and ensure their own costs are covered. When outsourcing that function, your business associate partner also handles all the phone inquiries, status requests and billing. So, you won’t need to invest the time to train your staff to handle those challenging calls.
Much like offloading the burden of the disclosure process, outsourcing release of information also offloads the risk and liability, including compliance with HIPAA. The regulations allow healthcare providers to transfer the function and the liability for release of information to an outsourced provider. With HIPAA breaches on the rise year over year, this alone is often worth the switch to an outsourced solution.
Among the many administrative burdens of running a healthcare organization, release of information and medical records is only one. Yet, the growing trend in abuses that cut further into shrinking bottom lines makes it ripe for “death by papercuts,” and since solutions are immediately available, provider organizations can more easily do their part to protect themselves and their patients.