The American Health Information Management Association (AHIMA) recently released a model form, taking the lead in providing a resource when a patient requests a copy of their health information.
AHIMA is making strides to reduce the confusion for patients and streamline the process for providers, both of which are important aims. AHIMA is the only group that has created a form template for organizational use so far. While HIPAA requires a fairly standard written authorization for disclosure of PHI to a third-party, Right to Access under HIPAA has largely been overlooked until recently. We commend AHIMA in its efforts and feel it sparks healthy additional conversation around the Right to Access process and how it differs from Authorizations — as they are often combined and sometimes confused under the release of information label.
While Right to Access is not a new law, it was often misunderstood until Health and Human Services (HHS) in conjunction with the Office of Civil Rights (OCR) issued additional guidance in early 2016. At the center of the confusion is the process in which a patient or their personal representative request PHI under the Right to Access stipulation. While a form is not required by HHS for Access requests, a covered entity or business associate may require the request to be in writing if it is in the Notice of Privacy Practices. As healthcare organizations require an Authorization for release of PHI to a third-party, they consider it a best practice to require patients to complete their Access request in writing. To answer the need for a complementary form to Authorization requests, AHIMA created a model form to be utilized in the Right to Access process.
In particular, AHIMA’s model form addresses two issues with Right to Access:
1 – AHIMA’s model form draws attention to a frequently overlooked provision within HIPAA. Following the additional guidance from HHS and the OCR on HIPAA, Right to Access has become a hot topic. Yet, for many organizations, Authorizations far exceed the Right to Access requests they receive, so they have not placed much emphasis on the Access process in the past. As organizations try and navigate this additional guidance, AHIMA has stepped in to provide a starting point via the model form request. AHIMA’s attention to the Right to Access additional guidance illustrates organizations cannot overlook these provisions as perhaps they once had, or they will face repercussions from the OCR.
2 – AHIMA’s model form assists organizations in verifying personal representatives.
The Right to Access specifications allow a patient or their personal representative to request records, however Access requests are subject to different pricing stipulations than a traditional Authorization request. As such, attorneys and other entities are taking advantage of the guidelines for the pricing benefits and having patients designate them as their personal representative. There are real costs associated with producing medical records, and third-parties are taking advantage of what is supposed to be a benefit to patients. As the Access request is not required by HIPAA to be on a specific form, third-parties under the guise of personal representation are submitting requests pretending to be the patient. At DataFile, we have seen boilerplate letters issued “from the patient” with a copied and pasted signature of the patient, leading to uncertainty if the patient themselves is requesting the records, or a third-party representing themselves as a personal representative instead. AHIMA’s model form helps curb this possible exploitation by having the patient complete the form personally, as well as designate their personal representative in writing. HIPAA will allow a healthcare organization to use their specific form and require an Access request in writing, provided it is noted in the Notice of Privacy Practices as well as does not prevent a barrier to the patient receiving their records.
As healthcare organizations see their Right to Access requests are on the rise, in part due to additional awareness of the process and the personal representative designation, the OCR notes their guidance has created some unintended consequences. At the Health Care Compliance Association conference in March 2017, Iliana Peters, Senior Advisor for HIPAA Compliance and Enforcement, expressed the OCR would issue additional guidance on the Right to Access process to curtail third-parties like attorneys utilizing the personal representative designation misleadingly.
While the healthcare industry can expect to see additional guidance on Right to Access under HIPAA, AHIMA has assisted organizations in addressing Right to Access needs by developing their model form for Access requests.
Want more information on why a standardized ROI form is not enough in responding to your patient and requestor needs? Request our white paper.