Three ways providers get HIPAA right of access wrong
Healthcare IT News
The HIPAA Privacy Rule Right of Individual Access guarantees that patients can get copies, physical or digital, of their healthcare records from their providers. Simple as that.
But then again, it’s not as simple as it might first sound. Many provider organizations misinterpret this area of HIPAA law. One mistake can lead a hospital, health system or group practice into noncompliance with HIPAA – the consequences of which can include substantial fines.
Where a right goes wrong
Deven McGraw, chief regulatory officer at Ciitizen, a company that helps consumers get digital copies of their medical records, is very familiar with the places where provider organizations get the HIPAA Privacy Rule Right of Individual Access wrong.
In her recent HIMSS20 Digital educational session on the subject, Patient Access to Medical Records: The Rocky Road to APIs, McGraw – who also served as chief privacy officer at the Office of the National Coordinator for Health IT – offered some detailed insights into how providers should be thinking about this law, especially in light of new patient-access rules from ONC and CMS.
“A covered entity may require that a request is in writing, and most do,” she explained. “And this request can be accepted electronically, and that is often the easiest way for patients in this day and age to get a request into the covered entity. Entities are required to take reasonable steps to verify the identity of the patient. But you can’t establish those identity verification requirements in a way that ends up creating an obstacle to or barrier to access, or unreasonable delay.”
McGraw said there are three ways that healthcare provider organizations typically find themselves in noncompliance with...