Four Healthcare Compliance Issues to Watch — Right of Access Initiative
HHS-OCR (Health and Human Services, Office for Civil Rights) launched a HIPAA Right of Access Initiative in 2019 to emphasize and enforce patients’ rights to prompt access to their medical records without excessive fees from the provider.
As HIPAA rules and regulations exist today:
- A covered entity generally has 30 days to provide the patient or the patient’s representative with access to medical records information when requested.
- The provider can request a 30-day extension in certain instances.
- The provider can charge a reasonable fee for copying the records requested.
Proposed modifications to the HIPAA Privacy Rule would shorten the response time to be “as soon as practical,” but in no case exceeding 15 calendar days from receipt of the request, with an optional extension.
Another potential change would require providers to establish written policies for prioritizing urgent or other high-priority access requests to limit the need for a 15-day extension. Other possible modifications include changes related to fees associated with access.
Four Healthcare Compliance Issues to Watch — HIPAA Privacy Rule and the Dobbs Decision
Last year’s decision by the Supreme Court in the Dobbs case created confusion around the HIPAA Privacy Rule and what a healthcare professional can and cannot do moving forward. The issues centered on disclosing PHI without patient authorization for non-healthcare-related purposes, such as disclosures to law enforcement.
At the direction of the Biden administration, HHS issued guidance to clarify the agency’s position on the HIPAA Privacy Rule and permissible disclosures of PHI.
- In the absence of an individual’s signed authorization, covered entities and business associates may only use and disclose PHI as expressly permitted or required by the Privacy Rule.
- Without a court-enforceable mandate, the Privacy Rule’s permissions to disclose PHI for law enforcement purposes don’t allow disclosure to law enforcement by the covered entity or its workforce member to report an abortion or other reproductive healthcare.
- The Privacy Rule allows, but does not require, a covered entity to disclose PHI if the entity believes:
  - the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and
  - the disclosure is to a person who can reasonably prevent or reduce the danger.
Four Healthcare Compliance Issues – Finding Healthcare Compliance Solutions
Finding healthcare compliance solutions for the issues listed above requires technical know-how and an understanding of the requirements and expectations of the law.
You must first have the awareness to address these issues. If you don’t know a problem exists, how can you hope to find an effective healthcare compliance solution?
Compliancy Group offers more than just HIPAA compliance solutions for providers and business associates. We also monitor the regulatory environment and inform you when changes affect your practice or business.
Using any of the automated compliance solutions within The Guard means you have our team of regulatory and legal experts on your side, monitoring potential changes in the law. We will let you know when, or if, you need to change your compliance practices to stay compliant with the law.
Being HIPAA compliant alone does not protect you from potential security and privacy breaches. But it provides the legally mandated, solid foundation on which to build an effective security and data integrity framework.