The regulatory environment governing health care providers is complex and difficult to navigate. As a licensed health care organization or provider, you’re balancing policy management with high-level patient care, which isn’t an easy feat.
Things have also become more complex during the COVID-19 pandemic due to changes in health care reform and a growing number of healthcare fraud cases. There have also been expanding challenges due to cybersecurity and the high alert on hospital ransomware cases.
Guidance for healthcare changes often leads to compliance challenges for large accredited hospitals, long-term care facilities, and smaller organizations.
The regulations facing the industry are constantly changing, such as the recent development of the Right of Access Initiative and electronic access.
Below, we delve into what healthcare providers and facilities should know about HIPAA-covered entities and the Right of Access Initiative. The Rights of Access Initiative deals with access requests for psychotherapy notes and patient records from the patient themself or their representative.
If a provider doesn’t give the appropriate access to records at a reasonable, cost-based fee, it may lead to administrative action from regulatory authorities to a covered health care provider, including mental health professionals.
Partial compliance isn’t an option for HIPAA in general or in terms of giving access to individuals for their health information.
A HIPAA Overview for a Covered Entity
Whether you’re new in health care services or you’re a long-time provider who’s very familiar with the implications of HIPAA, it doesn’t necessarily hurt to have a bit of a refresher.
The Health Insurance Portability and Compliance Act of 1996, better known as HIPAA, is a set of guiding regulatory standards outlining the lawful disclosure and use of protected health information or PHI and electronic health records.
The Department of Health and Human Services (HHS) regulates HIPAA while the Office for Civile Rights (OCR) is responsible for enforcement.
OCR’s role includes providing routine guidance as new issues arise that affect healthcare. OCR also investigates HIPAA violations and issues a financial penalty in some cases.
HIPAA compliance has to become a culture within health care organizations. The objective of these regulatory guidelines and requirements is to protect the privacy, security, and integrity of patients’ protected health information. The goal is to control the mode of transmission of health information and prevent unsecure transmission.
Protected health information is what can be used in the identification of a patient or client. The demographic information characterized by PHI can include names, phone numbers, addresses, medical records, Social Security numbers, and facial photos.
Two groups of organizations must be compliant with HIPAA.
- The first is a covered entity. A covered entity is any organization that collects, creates, or transmits PHI electronically. A covered entity can be health care clearinghouses, providers, and health insurance companies offering health plans.
- The second general category of covered entities is business associates. A relevant business associate can be an organization that encounters or interacts with protected health information in any way throughout their work. An enormous amount of business associates have to be HIPAA compliant. These can include cloud storage providers, accountants, attorneys, and email hosting services, to name a few. This type of covered entity can also include clinical laboratories that a healthcare facility works with, exchanging an array of health information.
There are a number of HIPAA rules, including:
- HIPAA Privacy Rule sets the national standards for patients’ rights to protected health information. The HIPAA Privacy Rule applies only to covered entities but not business associates. Employees must be trained on HIPAA Policies and Procedures annually, with documentation to prove training.
- The HIPAA Security rule outlines national standards detailing secure transmission and maintenance of electronic PHI. Both covered entities and business associates adhere to the HIPAA Security Rule. Again, staff must be trained on policies and procedures annually, with documentation of said training.
- The HIPAA Breach Notification Rule sets standards for both business associates and covered entities for what must be followed if there’s a data breach involving protected health information.
- With the HIPAA Omnibus Rule, an addendum to the HIPAA regulation applies to both business associates and covered entities. Business associates must be HIPAA compliant, and there must be Business Associate Agreements in place before any PHI or ePHI can be shared or transferred.
What’s Required for HIPAA Compliance?
Some of the specific elements required for compliance with HIPAA can include:
- Self-audits are a primary requirement for compliance. Both covered entities and business associates must conduct yearly audits. These are for the maintenance of year-over-year compliance.
- Remediation plans can occur after gaps are identified through internal audits. Remediation plans require documentation, and there should be set, defined dates when gaps will be alleviated.
- Employee training is based on developed policies and procedures in line with the regulatory standards of HIPAA. Staff training is to take place every year. Employees should have documented attestation that they have been informed and trained on and understand all relevant procedures and policies.
- If there is something new, like the introduction of health information technology that affects the management of an electronic record, training may need to happen more often.
- Documentation should be maintained in the event of an investigation or an access enforcement initiative.
What is the Right of Access Initiative?
In 2019 the HIPAA Right of Access Initiative was announced, relating to records access request rights and denial of access. The Initiative allows OCR to emphasize the right of a patient or their representative to receive medical records in a timely way, at a reasonable cost.
Now more than ever, access rights are one of the fundamental rights of patients under HIPAA’s guidelines regarding electronic records.
OCR said the Initiative occurred as the organization was concerned that covered entities including providers, acute care practice organizations, eligible hospitals, skilled nursing facilities, and health plans were not providing timely access to patients, not providing access at all, or overcharging.
Any covered entity or business associate that helps with providing medical record access has to make sure they’re following the requirements of the HIPAA Privacy Rule, including the provision of patient access and taking timely action.
What is the Access Standard?
There are limited exceptions, but otherwise, under the Privacy Rule access requirements, a covered entity must make sure that a patient designated individuals with access rights can inspect and get a copy of protected health information held in a recordset.
- This can include a request for access to laboratory test reports or electronic copies of things like scans and other tests.
- A digital and paper form should be made readily available by health care providers after an access request.
- These access obligations and policies do have gray areas, particularly for certain types of access requests, which we discuss below.
- There are access fee limitations set forth by HIPAA as part of this.
Covered entities may deny requests for access under some circumstances. For example, if there’s access requested during research, there may be a temporary suspension of access while the research is being conducted, as long as the individual was informed and consented.
- If a health care professional determines that the request for access could endanger the safety or life of the patient, they may issue a denial of request based on their professional judgment within a certain number of days from receipt or face a potential investigation and monetary penalty.
- They should alert the individual in writing of the basis for denial.
- From there, a covered entity must determine if the denial is reviewable or non-reviewable under access requirements.
- If the denial is reviewable, covered entities have to give the individual the opportunity to review it by eligible professionals not participating in the original denial determination.
- A covered entity is required to provide action on patient requests for access no more than 30 calendar days after receipt.
- The action should be noted to the patient requesting it in writing under the access rule.
- If the initial request for health records under the access provision is denied, the covered entity has to provide a written denial with additional guidance or face access investigations.
Potential Issues for Covered Entities
There is quite a struggle for covered entities regarding HIPAA and the Right of Access Initiative.
- Not providing the necessary access to medical records can lead to enforcement action and has already been the reason for monetary settlements.
- There has to be special consideration when an individual requests access as a personal representative, another challenge. One of the scenarios that most commonly creates problems or impermissible obstacles is when a parent requests their child’s records. For example, what if a parent asks for access to psychotherapy notes? There are many state laws that all vary from one another as far as what a minor can consent to, and there are also custodial arrangements that come into play when determining whether or not a personal representative can receive the records of minor children and who is considered an individual with access rights.
- A covered entity must balance the need to make sure someone is allowed access to PHI with the obligation stemming from the Right of Access Initiative.
In particularly complex cases, legal advice may be needed before electronic access can be provided or decisions about individuals’ access.
Getting Confidential Mental Health Treatment in San Diego
The policies about HIPAA are more details than most clients bother to familiarize themselves with, but the policies are all there to protect you and your privacy, and it is very important to us to do everything we can to protect your privacy, so you have one less thing to worry about.
To learn more about secure and private treatment options for your mental health struggles, call the Mental Health Center of San Diego today at (858) 258-9883.