OCR Continues its Focus on Patient Access Rights

The Beckage Health Law team continues to monitor OCR developments that relate to patient access rights.  In 2020, it became clear that patient right of access to records is a significant priority of the Office of Civil Rights (OCR), under the Department of Health and Human Services (HHS).  Just last month OCR reported on a settlement, audit results, and proposed rules, all focused on patient access to records. 

For example, on December 22nd, OCR announced the settlement of its 13th investigation focused on health records access.  The investigation followed a patient complaint to the OCR after the patient was unable to obtain records from his primary care provider on two separate occasions in 2019.  Emphasizing the importance of workforce training and documentation, the OCR issued a $36,000 fine and required the provider to update its Designated Record Set Policy as part of the Corrective Action Plan. 

In December, we also saw the release of an audit report on health industry compliance for audits conducted during 2016-2017.  The December 17, 2020 report reveals findings for audits of randomly selected entities and business associates.  Of note, most organizations failed to include appropriate content in plain language in their Notice of Privacy Practices, and were often missing content related to individual rights.  Moreover, the report notes that many entities did not have appropriate policies, procedures, and documentation to demonstrate compliance with rules about how to respond to requests for records.

Finally, as described more fully in Beckage’s recent blog post about HHS proposed rules, OCR proposed amending the HIPAA Rule, including amendments to expand patients’ rights to access records, increase transparency about these rights, and shorten providers’ time to respond to records requests.

These three developments reaffirm OCR’s strong commitment to enforce the patient access rules, which we expect will continue in 2021. 

Beckage health law attorneys work with hospitals, health care providers and business associates to develop a compliance program tailored to mitigate risk.  Our team has significant experience in OCR enforcement matters and investigations.  We recommend that clients prioritize a review of their Notice of Privacy Practices as well as their patient access policies to help mitigate risk.  Reach out to our Beckage Health Law team for assistance analyzing these and other regulatory and legislative matters.

*Attorney advertising. Prior results do not guarantee a similar outcome.

HHS Proposed Rules Could Have Significant Impact on Health Plans and Health Care Providers

Beckage’s Health Law Team is monitoring recent developments concerning patients’ right to access health information. Last week, two agencies within the Department of Health and Human Services (“HHS”) announced proposed rules that could have a significant impact on health plans and health care providers. Though applicability of the proposed rules varies, both rules focus on individuals’ right to access health information, a compliance area that has seen increased scrutiny and enforcement actions in recent years.

OCR Proposed Rule

On December 10th, the HHS Office of Civil Rights (“OCR”) announced proposed changes to the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule as part of a new proposed rule (“OCR Proposed Rule”). The OCR Proposed Rule is intended to reduce barriers for patients accessing medical records themselves and for covered entities using records related to care coordination and case management. While the OCR Proposed Rule eases some requirements for covered entities, it also creates a number of new requirements.

Key takeaways include:

  • Patient Access Requests: While covered entities currently have 30 days to respond to patient requests for access to their own health information, the OCR Proposed Rule would shorten this timeframe to 15 days (though it would allow an additional 15-day extension). Additionally, the OCR Proposed Rule would allow patients who are inspecting their records in person to capture images and take notes.
  • Fee Schedules and Notice of Privacy Practices: The OCR Proposed Rule would require covered entities to post their fee schedules for producing health records on their websites. In addition, covered entities would need to modify their Notice of Privacy Practices (“NPP”) to clarify patient rights, including prominent presentation of information about how patients can file HIPAA complaints and clarification that patients may direct release of their detailed records even when only a summary of records is made available to the patient. However, covered entities would no longer need to obtain patient acknowledgement of receipt of the NPP.
  • Use and Disclosure of Protected Health Information: The OCR Proposed Rule also broadens the scope of when and how covered entities can use and disclose protected health information, for the purpose of health care operations, with use and disclosure now permitted for case management and care coordination. Furthermore, there are additional provisions for sharing patient health information among covered entities, including among Armed Services care providers. CMS also updated references to reflect widespread use of electronic health records (EHR).

CMS Proposed Rule

Also on December 10th, the Centers for Medicare & Medicaid Services (“CMS”) announced proposed changes to the CMS Interoperability and Patient Access Final Rule (“Interoperability Rule”) issued earlier this year as part of a new proposed rule (“CMS Proposed Rule”). Visit Beckage’s previous blog on the Interoperability Rule here.

Key takeaways include:

  • Payer Requirements: The CMS Proposed Rule requires payers to provide patients with access to information about pending and active prior authorization decisions through their Patient Access API, which payers are required to implement under the Interoperability Rule. The CMS Proposed Rule also clarifies that payers can and must implement an attestation process for third-party apps to attest to security and privacy safeguards prior to accessing the payer’s Patient Access API on behalf of the member. Additionally, it specifies technical requirements for the Payer-to-Payer API, which must now be implemented using Fast Healthcare Interoperability Resources (“FHIR”) standards.
  • Provider Requirements: The CMS Proposed Rule requires providers to develop a Provider Access API for providers and payers to share claims and encounter data, certain types of clinical data, and pending and active prior authorization decisions.

Though the proposed rules will likely change during the 60-day public comment period, they underscore HHS’s commitment to individuals’ right to access health information. We encourage covered entities to review the proposed rules carefully to understand how the changes will potentially impact daily operations and procedures.

The experienced Health Law team at Beckage can help to distill these lengthy and complicated rules so organizations can understand practical implications on daily operations. Our seasoned health law attorneys are uniquely positioned to advise on regulatory compliance matters, as they have also worked in health care settings, are certified privacy professionals, and are technologists.

Call Beckage at 716.898.2102 for assistance analyzing these and other regulatory and legislative matters.

*Attorney advertising. Prior results do not guarantee a similar outcome.