WEBINAR: Turning Up The Heat! HHS Initiates Access Enforcement

WEBINAR: Turning Up The Heat! HHS Initiates Access Enforcement

Nov 26, 2019 | Uncategorized

Date: December 17th, 2019 2:00 pm – 3:00 pm EST

Presenters:

Michael Salsbury, JD, MBA
Counsel and Privacy Officer 

Linda Kloss, MA, RHIA
Regulatory Policy Leader, Disclosure Management

Keri Bay
Director of Client Operations

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced its first monetary enforcement action against a health system for failure to deliver medical records in response to a valid request by a patient.  The health system paid a fine and entered into a corrective action agreement with HHS. The focus of OCR compliance has heretofore been on breaches of protected health information.  Authorized requests and release of information (ROI) is a new area of focus, ushering in a new era for ROI. And it comes at a time when the volume of requests for release of information are increasing as are the risks.

This development should not come as a surprise. Earlier this year, HHS announced its intent to vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged. This should serve as a wake-up call for health systems that have yet to build robust compliance checks built into their release of information management systems. 

This timely webinar will help participants understand HHS’ intent in using its enforcement authority in matters pertaining to ROI. They will learn about the elements of this first enforcement action and the compliance lessons it offers for all health systems. Participants will probe the elements of robust release of information compliance and how to hardwire compliance through sound practice and use technology to flag and identify cases that represent a compliance risk.    

Webinar objectives:

This webinar is designed to help compliance, HIM, Privacy and ROI teams understand:

  • The federal policy environment concerning enforcement of patient access rights,
  • Elements of a first ROI enforcement action,
  • A systems approach to ROI compliance, and
  • How technology can be used to anticipate and red flag ROI compliance risks.

Approved for 1 AHIMA CEU Credit for Management Development

VIEW RECORDING

HHS Steps Up Access Enforcement: Compliance Implications

HHS Steps Up Access Enforcement: Compliance Implications

Nov 25, 2019 | Blog

By Linda Kloss

On September 9, 2019 the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced its first monetary enforcement action regarding the rights of patients to receive copies of their medical records.  Sadly, we’re all too familiar with the too long list of actions following breaches of health information.  In fact, OCR levied over $28 million in fines for 2018 breach actions.  Now, Bayfront Health, St. Petersburg, FL became the first covered entity to be fined for failure to comply with medical record access requirements.   

Earlier this year, OCR announced its initiative to vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged.  Empowering patients is one of four key strategies for HHS and access to information is a key tactic.  HHS is advancing access through its policy, standards, and enforcement levers. Patient access is a right ensured by the HIPAA Privacy Rule.  However, based on evidence of persistent barriers to patient access, HHS released Patient Access Guidance in 2016 that set out limits on what patients could be charged and reiterated process requirements. More recently, HHS is encouraging the use of apps for release of information to streamline the process and improve the flow of information.

The Bayfront case is a wake up call for all compliance and disclosure management professionals and their business associates.  An investigation was initiated by the OCR based on a complaint from a new mother who had requested fetal heart monitor records on her unborn child.  Bayfront first claimed that it did not have the requested records and later provided a partial set of records after repeated requests from the mother and her attorney.  The requested records were provided twenty-two (22) months after the initial request and only after a complaint was filed with OCR.  HIPAA Rules, of course, generally require covered entities to provide medical records within 30 days.

Bayfront agreed to pay a fine of $85,000, modest by comparison to fines paid for breaches, but not modest when one considers that this involves a single patient’s record set.  Bayfront also executed a one-year corrective action agreement that largely focuses on demonstrating that it has updated access policies and procedures, educated its workforce, and has mechanisms in place to monitor performance.  Bayfront is obligated to report instances whereby its employees or those of a business associate fail to comply, along with the results of its review and investigation.   It is also obligated to comply with documentation requirements as spelled out in HIPAA’s accounting for disclosures provisions. 

Enforcement is a powerful lever that only a governing entity can apply.  The fact that HHS is using this lever for patient access should prompt covered entities to evaluate the adequacy of their practices given the very rapid changes in health information disclosure management.  Reasonable disclosure management practices today include the following:

  • Technology enabled – Managing growing volumes of requests can’t be done without end to end disclosure management software that can track and prompt all phases of the request through release processes which include compliance prompts.
  • Optimized process – Migrating from siloed and fragmented release practices to standardized and even centralized practices across the health system—that are knit together by use of compliance-based technology.
  • Patient-centered – Proactive patient facing practices that enable patients to control the request and release processes through use of apps with rigorous authentication.
  • Knowledge work –Release of information personnel who understand guiding regulations and principles and are trained to do the jobs they do.
  • Accountability – Tracking, red flagging and trending the status of all requests and maintaining auditable accounting of disclosure records. 

We empathize with Bayfront’s unfortunate experience and that of the mother who experienced anguish and frustration through inexplicable delays.  This should not happen, but I bet many are whispering “there but for the grace….”  This is a learning moment.  Business as usual in release of information is no longer in our patients’ or our employers’ best interests.  Many health care organizations are rapidly moving to a new level of practice – and not a moment too soon.