By Diane Evans
This week, I speak at a conference on a topic that could seem mundane – but is actually a speed trap for federal fines. Advance warning is worth sharing here as well: If individuals you serve request their medical records, respond promptly.
Any lack of responsiveness would defy years of federal government warnings that individuals have a right to their records. The priority is so high that the U.S. Office for Civil Rights (OCR) named it the agency’s “Right of Access Initiative.”
Within long-term care, two federal cases earlier this year illustrate the potential consequences.
In one instance, in a violation announced in April, a New Jersey skilled nursing facility paid a $100,000 fine for flatly denying access to medical records.
Separately, In an Oklahoma case, OCR initially imposed a $250,000 fine but eventually settled for $35,000 after an appeal.
Here are things to know to stay compliant:
Under the Health Insurance Portability and Accountability Act (HIPAA), providers have up to 30 days to provide access to requested medical records. Exceptions apply, relating to psychotherapy notes or criminal proceedings. You can refer to this federal government webpage for more information on the exceptions.
The Privacy Rule permits organizations to impose reasonable, cost-based fees. Fees may include copying costs, including supplies and labor, postage, and some costs associated with preparing requested summaries.
A provider may require individuals to request access in writing, but individuals must be informed of this requirement.
Unlike the threats of cybercrime, processes for records requests lie within the control of an organization. This is an easy one: Work speedily to meet valid records requests from individuals you serve or their authorized representatives. Keep in mind, the records are theirs for services paid.
Action Item for Long Term Care Executives: Make sure you have processes in place to handle requests for the release of medical records. Assign someone to oversee the process, and document everything from the request to the authorized release of information. Keep that documentation for at least six years as required by HIPAA.
Comments