Patient Access of Records under HIPAA - New HHS Guidance, New Focus for HIPAA Audits

Why Should You Attend:

Medical laboratories are now required to provide individual access to test records, and will need to have processes to authenticate those who request information and the means to ensure that the correct results are provided to authenticated individuals.

HHS has also issued guidance on issues relating to access of mental health records and the records of minors, clarifying what information may be provided or not, depending on the information and other circumstances. The guidance also includes information on dealing with law enforcement requests for information on alleged violators of the law.

In this webinar, the new regulations will be reviewed and their effects on usual practices will be discussed, as will what policies need to be changed and how. The course will show what policies and evidence you may need to produce if you are audited by the HHS Office of Civil Rights, which has already indicated that compliance with the rules on patient access of records is a significant problem that is likely to be a focus of the new HIPAA audits in 2016.

A four-tier violation schedule with mandatory fines for willful neglect of compliance starts at $10,000 for willful neglect even if the problem is corrected within 30 days of discovery. Violations that are not promptly corrected carry mandatory minimum fines starting at $50,000 and can reach $1.5 million for any particular violation. Any reports of willful neglect are required to be investigated under the law, and even violations for a reasonable cause or with reasonable diligence taken are subject to penalty. The course will discuss what is necessary to avoid penalties and make sound compliance decisions.

Areas Covered in the Webinar:

• Learn about the new guidance from HHS on access of PHI by individuals.
• Learn about the new access rights under HIPAA and CLIA regulations.
• Learn about the guidance from HHS regarding access of mental health information and minors' information.
• Find out what the regulations call for and what processes you must have in place for the proper approval and denial of access as appropriate.
• Learn about the required process for the review of certain denials of access.
• Learn how e-mail and texting should be handled, what can go wrong, and what can result when it does.
• Find out about HIPAA requirements for access and patient preferences, as well as the requirements to protect PHI.
• Learn about the training and education that must take place to ensure your staff handles access requests properly.
• Learn about how the HIPAA audits are under way and enforcement activities are now being increased, and what you need to do to survive a HIPAA audit or investigation.

Who Will Benefit:

Medical offices, practice groups, hospitals, academic medical centers, insurers, business associates (shredding, data storage, systems vendors, billing services, etc.). The titles are:

• Compliance Director
• CEO
• CFO
• Privacy Officer
• Security Officer
• Information Systems Manager
• HIPAA Officer
• Chief Information Officer
• Health Information Manager
• Healthcare Counsel/Lawyer
• Office Manager
• Contracts Manager

Instructor Profile:

Jim Sheldon-Dean is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982, providing information privacy and security regulatory compliance services to a wide variety of health care entities. He is a frequent speaker regarding HIPAA, including speaking engagements at numerous regional and national healthcare association conferences and conventions and the annual NIST/OCR HIPAA Security Conference. Mr. Sheldon-Dean has more than 30 years of experience in policy analysis and implementation, business process analysis, information systems and software development, and eight years of experience doing hands-on medical work as a Vermont certified volunteer emergency medical technician. He received his B.S. degree, summa cum laude, from the University of Vermont and his master’s degree from the Massachusetts Institute of Technology.

Topic Background:

Changes modifying the HIPAA Privacy and Security Regulations have gone into place over the last few years, providing new rights of access and communications for individuals, and HHS has recently published and updated new guidance on the topic. Now, HHS officials have announced that the provision of access will be one of the focal points for the new HIPAA Audits taking place in 2016. Covered entities, and particularly those that use electronic health records (EHRs), need to meet the new access and disclosure rules. And if you are required to have a HIPAA Notice of Privacy Practices, you may need to update that to properly show all the rights that patients have.

Patient rights under HIPAA have been expanded to include several new rights of access, and extensive new guidance on access of records has been issued and expanded. Tied to access are rights of communication that allow individuals to request communications and transmission of PHI to them in the format they wish, if reasonably possible. HIPAA now provides for individual rights to receive electronic copies of records held electronically, and to directly access test results from laboratories. The changes to rules having to do with patient access of records will need to be reflected in every health care-related organization’s policies and procedures.

Providing access must appropriately consider a number of issues specified in the rules, as to what access is permitted, and how it is provided. Procedures for responding to requests for access and handling the provision of access, or its denial, appropriately is required and is expected to be a focal point in the 2016 HIPAA Audits. Costs must be carefully considered; records should be provided for free if possible; electronic access may be provided for a flat fee of $6.50 – these are all issues covered in the new guidance from HHS.

In addition, there is guidance from HHS about how to treat access to mental health information and information pertaining to minors, including giving due consideration to patient requests and safety issues of the patient and others.

Perhaps most importantly, the HIPAA Audits of 2012 revealed that providing the proper patient access to information is a significant compliance problem, and the new HIPAA Audit program by HHS is expected to include reviews of patient access policies and practices. It is expected that HHS will be focusing on current access issues, having to do with the costs to individuals for access of records and the proper handling of denials of access.

All HIPAA-covered providers need to review their HIPAA compliance, policies, and procedures to see if they are prepared to be in full compliance and meet the requirements of the changes in the rules. Compliance is required and violations for willful neglect of the rules begin at $10,000.

Follow us :