What Keeps a Compliance Officer up at Night? Challenges with Access and Disclosure of PHI
With years of HIM leadership experience under my belt, my current role as Director of Corporate Compliance requires me to step back to see the big picture. As I read about the nineteenth OCR HIPAA settlement, it should give pause as to how we got here. HIM professionals are ingrained to protect patient privacy at all costs, but it begs the question if we are trying to protect the wrong people. Patients absolutely have a right to their information and unfortunately, too many roadblocks have existed in the past. When managing release of information (ROI), I agree it is cleaner and less complex to routinely require a written authorization from the patient before releasing any PHI to anyone. But, in some scenarios, we are doing a disservice to the very patient whose information we are trying to protect.
Patients are more technology savvy; they want their information and they want it now. We have an opportunity to speed up this entire process and in so doing, improve service to our customers. If you haven’t already, it is time to think creatively about ROI. If a patient calls your department asking for their records, figure out a process for verifying their identity over the phone versus requiring the patient to come into your department or submit a written request. Use the technology available to you for delivering records to patients, whether that is through your patient portal, an app, email or another electronic method. Speaking of email, we also need to accept the fact that not all patients will be comfortable handling encrypted emails containing their records. They may not want to make up a password and, in my opinion, it should be their choice. You may need to work with your Information Services Department to ensure you can email records unencrypted, if that is the patients’ preference.
I don’t believe we should charge our patients for copies of their own medical information. They are entitled to the information and I think it is just the right thing to do. As we increase the capabilities of apps, our patient portals and methods of delivering medical information to patients, the task of covering our costs should become easier. We also need to get more efficient at this process – 30 days is a long time to wait for delivery of anything – think how we would feel if our typical Amazon orders took this long to arrive? I applaud the 15 day turnaround requirement in the proposed HIPAA Rules. We cannot ignore requests from our patients – the HHS Enforcement Actions demonstrate examples of frustrated patients not getting what they request in a timely manner, or not getting the information at all.
I am hopeful the use of electronic signatures will be specifically noted as allowable under the Proposed Modifications to the HIPAA Privacy Rule. I have seen health information departments differ in their decisions to allow or disallow their use. The use of electronic signatures is a well-established practice and we should move away from requiring only handwritten signatures from patients.
Another thought about patient portals – we are now pushing much more information to the patient, i.e. test results, notes, pathology reports, discharge instructions, in some cases very quickly after creation. Having test results at your fingertips as soon as they are available is not intended to replace those critical discussions between provider and patient. We need to reassure our patients that these discussions will still occur, even if they see the results via their portal account before they have spoken to their provider. Informing the patient of this during the office appointment when the tests are being ordered needs to become the norm. Placing a “results disclaimer” on the patient portal is another method to communicate this to patients.
As a compliance officer, I want to ensure we are following the law and exceeding our patient needs at the same time. It is also my job to ensure our policies/procedures minimize risk for my organization. It is very important for HIM leaders to step up controls to make certain that access and disclosure management is a sound and reliable process. With each enforcement announcement, the OCR is sending a strong message – no more barriers for patients to get their own information. If access and disclosure management has not been top-of-mind before, it sure needs to be now. If we consistently and efficiently meet our patients’ needs for access, we can all sleep soundly at night.
Wendy Mangin, MS, RHIA is Director of Corporate Compliance for Good Samaritan, Vincennes, Indiana, where she served as Director of Health Information Management for over four decades with responsibilities as Executive Project Director for the health system’s EPIC implementation. She served on the Board of Directors of AHIMA and as its President in 2008.