In this article, we will highlight Right of Access in the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and the NextGen PHI Log, a template in NextGen to use when releasing protected health information (PHI). Before we review the NextGen PHI Log, we will highlight key HIPAA Privacy Rules, discuss HIPAA requirements for providing medical records to patients (Right of Access), and then review the NextGen PHI Log Template.
History of HIPAA Privacy Rules
1996: HIPAA law passed by Congress
2003: Privacy Rule went into effect
2005: Security Rule went into effect
2009: HITECH enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009
- CMS Incentive Programs such as Meaningful Use
- Significant changes to HIPAA
- Defines Business Associate and Breach Notification Requirements
Continuing the timeline above: in 2013, the Omnibus Final Rule compiled and updated all the HIPAA Rules, giving them context for the adoption of health information technology.
The HIPAA Security Rule requires covered entities and their business associates to conduct a risk assessment of their healthcare organization to ensure it complies with HIPAA’s administrative, physical, and technical safeguards. Conducting a risk assessment can also reveal where your organization’s PHI may be at risk. A good resource for this is the free Security Risk Assessment tool provided through The Office of the National Coordinator for Health Information Technology, which can help you walk through this process.
HIPAA Right of Access to PHI
The Privacy Rule requires HIPAA covered entities to provide individuals with access to their PHI managed by the covered entity.
- This includes the right to inspect or obtain a copy.
- It also includes the right to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice.
- Requests must be fulfilled no later than 30 calendar days from the request, unless the requester is notified that additional time is required to respond.
Individuals have a right to access PHI in a “designated record set,” defined as a group of records maintained by or for a covered entity:
- Medical and/or billing records
- Enrollment, payment, claims adjudication, and case/medical management record systems maintained by or for a health plan.
- Other records used to make decisions about individuals.
Two categories are excluded:
- Psychotherapy notes
- Information compiled in reasonable anticipation of, or for use in a civil, criminal, or administrative action or proceeding.
Providing individuals with easy access to their health information can lead to better patient care. It helps them control decisions regarding their health, manage chronic conditions and treatment plans, find and fix errors, and track progress, and it directly contributes to their overall well-being. Advancement in health information technology has allowed patients to access their PHI faster and more easily, enabling patients to take the driver’s seat in the transition to a more patient-centered health care approach.
Health Centers Act Now!
The Office for Civil Rights (OCR) is the enforcement entity for the HIPAA Rules. It works in close partnership with The Office of the National Coordinator for Health Information Technology to develop resources to assist with compliance and effective implementation. The OCR has identified enforcement of Right of Access as a top priority to support individuals’ right to timely access to their health records under the HIPAA Privacy Rule. Its initiative, announced in 2019, has led to over 14 settlements to date, enforcing patients’ rights to timely access to their medical records. In response, health centers have started assessing their policies and procedures and implementing new initiatives to coincide with the Security Rule.
While most practices have a standard medical release request form, many have not updated it to reflect changes in policy or the method by which the requestor would like to receive the PHI. Ask yourself: how often does your practice review and update its policies and procedures? Are your new employees aware of the timelines under the Rule to release and respond to requests for PHI?
How does NextGen Offer Health Centers Assistance with PHI?
NextGen offers a demographic template to help document medical record releases. The PHI Log is a demographic template that is not encounter-based. There is a default link on the Patient Information Bar (PIB), or you can access the template icon from the history bar. This template helps document releases of PHI in accordance with HIPAA requirements.
The date requested field should be the date the patient or other entity/provider requested the documents. As we learned earlier, the OCR is enforcing patients’ rights to timely access to their medical records, so once this date is entered, the clock starts, and the practice has 30 days to respond to the request. Entering this date correctly will assist in monitoring whether your practice is compliant with requirements for providing records in a timely manner. Entering detailed information on the is also particularly important to be entered correctly for future reference.
Practices must record what PHI was released to meet HIPAA requirements.
This section provides the ability to document when the request was processed and accompanying information, along with an indication of whether the release was related to a transition of care.
The following is an example of documentation for a release request providing time stamps for request and response date, along with key information required for Accounting Disclosure reporting under HIPAA.
The two examples below show based upon information entered for the release. This grid on the PHI template provides a quick view of key information that was recorded.
NextGen can generate a PHI Log Report with defined Start/End dates to provide upon a request for disclosures. A patient has the right to request this information and the practice must respond within a defined timeline. Based on the examples above, we have pulled the PHI Log Report to show how helpful this report is to view the PHI that was requested.
Questions to Ask When Reviewing Policies and Procedures
- How often does your organization review and edit existing HIPAA policies and forms?
- If changes are made, how is this communicated to staff?
- If you use paper forms, are old versions destroyed?
- If you use signature pads, do you have the newest form available in a format that a patient could review if requested?
Preparing your Practice for PHI Released Documentation
- Review policies and procedures and update accordingly.
- Forms updated and easily accessible.
- Confirm your staff is aware of processes and workflow when a request is submitted.
- Confirm the staff person responsible for each step.
- Monitor compliance for timely response requests.
- Training on NextGen documentation workflow.