General Surgery Coding Alert

HIPAA:

Take ‘Right of Access’ Seriously or Expect Enforcement Action

See whose record requests you must honor.

With six out of seven HIPAA enforcement settlements to date under the Biden administration dealing with Right of Access investigations, you can’t afford to have sloppy records-handling habits in your surgical practice.

To make sure your surgeons aren’t the next covered entities (CEs) in the crosshairs, we have a rundown of six steps you can use to strengthen your own policies and procedures for access to medical records.

Step 1: Recognize Personal Representatives

The rules for Right of Access apply to both the patient and the patient’s personal representative. A representative is “a person with authority under State law to make health care decisions for the individual,” according to Department of Health and Human Services (HHS) guidance.

A recent enforcement action involved a healthcare provider in Omaha, Nebraska, who failed to furnish a parent with all of their child’s medical records upon request.

“Under HIPAA, a parent is a ‘personal representative’ of a minor child and must be treated like a patient when exercising the right of access,” explains Atlanta-based attorney Madison M. Pool with law firm Arnall Golden Gregory LLP in an online legal analysis.

Step 2: Train the Right Personnel

If an employee’s job requires them to receive, process, or fulfill individuals’ records requests, they must be trained on HIPAA Right of Access requirements. But the regulations aren’t the only thing employees need to know — you should also include specific training about your surgery practice’s procedures for responding to records requests.

“Workforce members must understand the covered entity’s process for addressing any issues that arise in the access request process,” explains partner attorney Valerie Breslin Montague with law firm Nixon Peabody LLP in a blog posting.

Step 3: Watch the Calendar

CEs should get patients their protected health information (PHI) “no later than 30 days from the individual’s request,” according to HHS guidance. This timeline is just “an outer limit,” and the feds prefer that CEs respond as quickly as possible — especially if the data transfer is in an electronic form.

When PHI is stored offsite and the CE cannot offer access within the 30-day timeframe, the rule allows for a maximum extension of an additional 30 days, HHS guidance maintains. The CE must let the individual know in writing during the initial 30 days that an extension is necessary, why there will be a delay, and when the patient should expect access to their records.

Step 4: You Can Charge for Records

Although CEs can charge the patient for records, you need to know the following caveats:

  • You must let requesters know in advance that you may apply a fee.
  • Fees cannot pose a financial barrier to individuals’ requests for their records — or enforcement action may ensue.

How much? CEs are permitted to “charge a reasonable, cost-based fee for individuals (or their personal representatives) to receive (or direct to a third party) a copy of the individuals’ PHI,” HHS says. They can calculate those fees by adding up “certain labor, supply, and postage costs that may apply in providing the individual with the copy in the form and format and manner requested or agreed to by the individual,” the agency adds. CEs can also opt for a flat fee not to exceed $6.50 for electronic copies of PHI.

Step 5: Know Restricted Information

Some exceptions exist to the Right of Access rule. For example, CEs do not have to turn over data compiled and created for use in legal proceedings.

Individuals also don’t have the right to access mental health professionals’ psychotherapy notes due to the nature of their content. Since this data is “maintain[ed] separately from the individual’s medical record” and is used to “document or analyze the contents of a counseling session with the individual,” the information is exempt under HIPAA, according to HHS.

Caveat: The underlying PHI from the patient’s medical record that was used to generate legal or psychotherapy exceptions is subject to access.

Step 6: Understand State Law Impact

CEs should always review state privacy laws before setting up HIPAA policies and procedures, especially those related to Right of Access laws.

“The HIPAA Privacy Rule sets a Federal ‘floor’ of privacy protections,” clarifies HHS in online guidance. “Many States have health information privacy laws that have additional protections that are above this floor. In addition, even though HIPAA is a Federal law, State Attorneys General have been given the authority to enforce HIPAA.”

Fees: CEs may want to revisit their state’s fee structures for medical records, too, as some states prohibit fees while others authorize them.

Resource: www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.