Medical records are not just a clinical necessity: Owning them is a patient’s right.
However, patients often face challenges and encounter burdensome processes when trying to obtain this critical information. As healthcare modernizes, patients expect a more connected health experience, with medical information available in a timely manner and delivered through relevant technology like digital electronic health record platforms and mobile applications.
These expectations, along with support from the federal government through updated guidance and rule enforcement that align with today’s technology, are creating a wave of change in healthcare, forcing organizations to revamp outdated policies to make patient access to data simpler.
The Office for Civil Rights (OCR) oversees HIPAA’s Right of Access Initiative, a rule that requires hospitals to provide patients with copies of their medical records promptly, in the form and format of the patient’s choosing and without being overcharged.
The agency is demanding improved access and control for patients as it relates to their own medical data. Its efforts enable better patient access through updated or clarified guidelines and stricter enforcement of violations for noncompliance. OCR appears to be ramping up efforts to take Right of Access compliance seriously, denouncing violators to the public by calling out bad behavior and publishing fines and penalties.
Recent penalties indicate change
In September 2019, OCR issued its first settlement for its Right of Access Initiative. This fine, issued to a hospital in Florida, was primarily due to the hospital’s refusal to provide timely access to a patient’s requested records.
This corrective action demonstrates that the government will stand behind patients to advance their rights. OCR will not allow provider organizations to make patients wait for necessary, critical information that belongs to them.
This past December, OCR issued its second corrective action and settlement under the Right of Access Initiative. This instance ties to not only timing but the provider’s refusal to provide records electronically as the patient requested. Form and format is an important consideration for an industry that heavily relies on outdated formats, like CDs, paper records and fax transmission of information.
Both of these recent instances stemmed from a patient complaint and required the organizations to pay $85,000 and make corrective changes to practice and policies. The public announcements should be a catalyst that reminds providers to be diligent in following compliance rules around Right of Access.
The tide is turning
Though the Right of Access provision is clear, historically there has not been strong enforcement by OCR as manifested in fines. Without enforcement, provider organizations are slow to adopt change.
For years, the technology to make secure sharing of protected health information electronically and on-demand with patients has existed, but providers have continued to hold out and use outdated means of sharing information; relying on fax, CDs and the U.S. mail service.
The recent OCR enforcement actions stem from the challenges patients face when they try to access and control their health records. The healthcare system is made up of disparate medical institutions that are siloed, leverage proprietary technology and do not readily share information.
Fear of patient leakage and competitive pressure exacerbate the issue and cause more barriers for patients trying to retrieve their medical information. Patient complaints are causing a chain reaction, forcing government action to not just make the rules surrounding patient access but to enforce them. This then requires healthcare organizations to update policy and process or risk consequences in the form of corrective actions.
Available technology should make it easier for patients to access and own their medical data. Patients expect healthcare to modernize and adopt processes that make access easy (read: digitize). OCR has updated HIPAA rules and initiatives accordingly that stimulate healthcare organizations to make improvements to policy and process.
Get a handle on the Right of Access rules and guidance
It is expected that there will be an uptick in corrective actions and penalty enforcements for HIPAA Right of Access violations. Roger Severino, OCR director, was very clear about OCR’s enforcement intent in its December 2019 press release:
"For too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law," Severino said.
Healthcare organizations do not have time to be resistant any longer. So, how do healthcare organizations walk the fine line to maintain compliance and patient satisfaction in the face of bureaucratic challenges?
It is time to change and adopt available technology to make data sharing between institutions and with patients seamless, timely and in a relevant form and format.
Eliminate hurdles created by outdated policies. Consider adopting digital platforms and cloud-based applications to replace CD workflows. They are relevant, cost-efficient and faster. In fact, patients expect this type of experience: information delivered in a timely manner in a usable format (aka no more CDs and faxes).
Access to personal medical information as consumers is a federal right and a growing expectation as life becomes increasingly digital.
Do not get left behind, and do not hold out until patient complaints and fines start rolling in. Now is the time to act.
Cristin Gardner is director of consumer products and markets at Life Image.