HIPAA tips: are you correctly informing your clients of their rights?

Published on January 21, 2021

'HIPAA tips (2)

In our last blog post, we discussed the 2016–2017 HIPAA Audits Industry Report that revealed areas where healthcare practices are coming up short in their efforts to comply with HIPAA requirements. 

One of these areas is implementing the individual’s right of access to their health care records. Of the audited covered entities, 89 percent failed to show they were correctly informing patients and clients of their rights. 

In today’s post, we’ll explain what the individual's right of access is and what you can do to ensure you’re correctly informing your clients of their rights.

What is the individual's right of access?

The Privacy Rule stipulates that individuals have the right to request access to their protected health information (PHI) at any time, in the format of their choice or in a hard copy format agreed upon by the individual and the health care practice. 

It is the responsibility of the practice to implement easy-to-understand policies and procedures that make it easy for an individual to make this request. Practices also must respond in a timely manner and document the request and the practice’s response. 

Common mistakes

The HIPAA Audits Industry Report shows numerous areas where practices did not comply with the Privacy Rule requirements.

  • Practices did not adequately document requests, many reporting that they hadn’t  received any requests when they actually had, and often misunderstanding what constituted a request. Requests can take a variety of forms, including requests for lab results, immunization records, a copy of a bill, among others.
  • Practices didn’t have a cost-based fee policy in connection with the provision of the records.
  • Practices failed to maintain policies requiring a timely written denial.
  • Practices didn’t include individual rights in their Notice of Privacy Practices (NPP).
  • Practices’ NPPs did not properly cover the right to timely access.
  • Practices also tended to have inadequate or incorrect policies for individuals to request and obtain access to PHI. For example:
    • Mistakenly assuming that a form to name an authorized representative is adequate as an access policy
    • Requiring signed authorization forms when such forms aren’t necessary
    • Incorrectly stating that the practice could deny access to PHI in specific records such as lab test results
    • Lacking policies regarding the provision of access to PHI to third parties
    • Failing to allow an individual to request their PHI in a preferred format
    • Having no policy to address requests for PHI not maintained by the practice

Have a plan for informing your clients

It’s understandable if this all seems a little overwhelming, but with a little guidance and planning you can be confident of satisfying the requirements. Fortunately, the OCR provides plenty of guidance on how to inform your clients of their rights. Their report provides a helpful table, which we provide below, detailing the key considerations that should guide your policies. 

6 For additional guidance, see Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524 (includes FAQs on access guidance)
7 § 164.524 (c)(2)
8 § 164.524 (c)(3)(ii)
9 § 164.524 (b)(2)
10 § 164.524 (c)(4)
11 § 164.524 (a)(2) Unreviewable grounds for denial, (a)(3) Reviewable ground for denial.
12 § 164.524 (a)(3), (a)(3) Reviewable ground for denial, and (a)(4) Review of a denial of access, also § 164.524 (d) Implementation specifications: Denial of access.

After applying the above suggestions to your policies and procedures, compare them to the following example documentation of an individual access process that successfully passed the audit.

Another aid the OCR has developed to help practices improve their patient records request process is the following document that gives useful insight into the patient/client experience by following three personas on their journey to obtain their records.

At the end of the day, make sure you document with as much detail as possible. Write out exactly how you will respond to requests for PHI and communicate that information to your clients. Then, be sure to keep records of every request that comes in. Next, document your response. By placing your focus on meticulous documentation and following the guidelines mentioned in this post, you’ll be well on your way to satisfying HIPAA’s individual right of access requirement.

Make it easy for your clients to request access to their PHI 

Sign up for Hushmail for Healthcare

Of the covered entities audited by the OCR and reported on in their 2016–2017 HIPAA Audits Industry Report, 89 percent of them were not correctly informing their clients of their rights to request their protected health information (PHI). Fortunately, the OCR provides plenty of guidance on how to inform your clients of their rights, which we detail in this post. At the end of the day, make sure you document with as much detail as possible. Write out exactly how you will respond to requests for PHI. Then, be sure to keep records of every request that comes in and document your response.

Related posts: 

Subscribe to our newsletter

...and we’ll send 6 tips to make sure your emails are truly HIPAA compliant straight to your inbox.