Health Information Compliance Alert

Published on Thu Feb 21, 2008 PDF

Your response to PHI requests could save your compliance program.

The privacy rule gives your patients the right to view their protected health information, but it doesn't tell you how to make that happen. Let Eli's experts help you develop a strong policy for responding to patient access requests that will save you time and money -- and ensure your facility's compliance.

"You may always provide access, but you may choose to deny access in limited cases," says Gina Cavalier, an attorney with Sonnenschein, Nath & Rosenthal in Washington, DC. Example: You do not have to provide patients with their psychotherapy notes, she states. "You have to use your best judgment to make that decision," she adds.

"The record may contain information about other patients or the patient's family," notes Deborah Larios, a partner in the Nashville, TN office of Miller & Martin. You should not give the patient that information. Remember: You can leave out incident reports or any other information not part of the designated record set, Larios says.

Rather than waiting for patients to request their information, you should filter records as you create them. "The past practice was to lump all information about a patient together," but special information required for insurance purposes or for your attorneys doesn't need to be stored in the chart, Larios affirms. "It's too easy to forget that information and then give it to the patient," she explains. The patient has no right to that type of information.

Remember: You cannot separate any information that has been used "for patient care or to make decisions about a patient," Larios cautions. "Train your staff to recognize what information a patient has a right to see," she suggests.

Strategy: Be up-front with your patients about what information they are seeing, experts concur. If you are denying access, you must give them a reason for it.

"If your billing company has a number of patient records, you have to go to the agency and ask for all the PHI they hold," Cavalier counsels. "You must also go to your business associates and pull back any information they have," she adds.

How: Set up your business associate agreement (BAA) to highlight this need, Cavalier recommends. "Your [business associate agreement] should say that the business associate will promptly provide any PHI that you request in connection with an individual's request for access," she advises.

The privacy rule mandates that you supply information within 30 days, but "some states have laws that are more stringent," Cavalier reminds. "Set a time limit in your BAA for getting information from your associates" so that you meet both requirements, she recommends.

Any policy or procedure you develop is going to fall apart at the seams without a trained professional to "shepherd the process," says Cavalier.

Your patient record point-person must be able to "look at the records and do an overview of them before deciding whether to approve or deny the request," asserts Larios. They have to know what they're looking at, she explains.

This person must also have a good working relationship with your business associates, Cavalier reminds; he or she "has to know how to contact the appropriate people at those entities in order to fully comply with the patient's request" in a timely manner, she asserts.

Your appointed records manager must also train the entire department on how to process and fulfill requests, reminds Cindy Nixon, Cookeville Regional Medical Center's medical records director and privacy officer in Cookeville, TN. "Any problems must be immediately escalated to the medical records person" to ensure that the patient receives the best possible customer service, she notes.

When patients are handling their original files, your staff must be observant. "There are many cases where patients get mad, try to tear up their record or pull out a pen to change it," Nixon warns. Staff presence can deter this behavior.

However, your staff should not attempt to explain to patients what is contained in their file. "Tell them to talk to their provider," Nixon suggests. "If they are concerned about quality of care, then we have them make an appointment with the risk manager," she relates.

Considering the limited space at most hospitals, you will want to develop a process for allowing walk-ins. Best practice: "Schedule a mutually convenient time for the patient to come in and look at the record," she recommends. You can also offer to send them a copy of the record for a small fee and guarantee a quick turn-around time, she suggests.