Ciitizen: ‘Significant Improvement’ in HIPAA Right of Access Compliance

The third version of Ciitizen’s Patient Record Scorecard, evaluating providers on their compliance with the HIPAA Privacy Rule's Right of Access, saw ‘significant improvement’ from the initial reports.

Ciitizen released its third Patient Record Scorecard, which found significant improvements in the number of providers in compliance with the HIPAA Right of Access rule.

In fact, the number of noncompliant providers or providers who needed significant help to become compliant was found to be just 27 percent, compared to 51 percent of providers in November.

Under HIPAA, patients have the right to access their protected health information within a designated record set held by a provider, with limited exceptions. The data can include medical records, health plan enrollment records, case management details, and the like.

“Thus, individuals have a right to access a broad array of health information about themselves, whether maintained by a covered entity or by a business associate on the covered entity’s behalf,” according to the Department of Health and Human Services.

“The Privacy Rule requires a covered entity to provide the individual with access to the PHI in the form and format requested, if readily producible in that form and format, or if not, in a readable hard copy form or other form and format as agreed to by the covered entity and individual,” HHS continues.

Despite the rule, the initial scorecard released in August 2019 found the majority of providers failed to comply. And by November, 51 percent of providers were still failing to comply or required significant intervention to comply with the rule.

However, Ciitizen’s latest scorecard suggests providers are improving. The researchers evaluated the compliance of 820 healthcare providers, ranging from solo physician practices to integrated delivery systems. Each provider is ranked from one to five stars depending on its response to requests for access.

Not only did Ciitizen find that providers are improving their compliance with the Right of Access rule, it also found that the percentage of providers who received five stars for “going above and beyond HIPAA” increased from 20 percent to 28 percent.

Ciitizen also saw an increase in providers receiving four stars from 40 percent to 67 percent, or about two-thirds. These providers processed patient access requests without hassle or going beyond what HIPAA requires.

Further, just 6 percent of the evaluated providers charged fees to Ciitizen patient users. And nearly every provider accepted patients’ written requests for access without requiring the patient to fill in a specific form.

“This is not insignificant, as patients frequently need to gather records from multiple providers, so easy pathways to make record requests help reduce obstacles to patients trying to get their records,” researchers wrote.

The improvements are attributed to the long-awaited final rules from the Office of the National Coordinator and the Centers for Medicare and Medicaid Services, which have stressed the need and right of patients to have access to their health information.

The Office for Civil Rights also created the Right of Access Initiative, which enforces the patient rights around access to their records in a timely fashion without being overcharged. Two providers have been fined $85,000 for access right failures: Bayfront Health and Korunda Medical in Florida.

Ciitizen also attributed the improvement to “the positive influence of vendors (often called “release of information” or ROI vendors) who help their provider clients comply with HIPAA Right of Access obligations and who often take steps to make sure patients seeking their health information have a smooth pathway for obtaining these records.”

However, the researchers are concerned the improvements may reflect better treatment of Ciitizen users rather than improved performance for patient requests overall. And despite greater compliance, there are key areas where providers need to improve, as about 25 percent of providers are still struggling to be compliant or are noncompliant.

The biggest reason for noncompliance? Failure to send records in the form and format requested by the patient as required by HIPAA. Sixty-five percent of the noncompliant providers failed to comply with this section of the rule, compared to 85 percent from the past scorecards.

Most are declining to send information through unsecured email, even when the patient acknowledged and accepted that risk.

“‘Form and format’ is an aspect of the law that can be very important to patients, who often can’t accept a fax or CD or for whom encrypting data could create a barrier, because the encryption can ‘stick’ to the data and the password typically will expire within 30 days (or less),” researchers explained.

“OCR’s guidance emphasizes that patients can choose convenience over security in getting their records, and providers (or their vendors) who ignore this aspect of a patient’s request are placing obstacles in the path of patients exercising their HIPAA Right of Access,” they added.

The scorecard also saw an increase in the number of providers missing the 30-day deadline or failing to send notice explaining the delay. In November, 20 percent of noncompliant providers missed this deadline, compared with 46 percent in the latest scorecard.

Additionally, 9 percent of compliant providers still needed phone calls to supervisors on HIPAA requirements, in order for patients to obtain access to their records.

The latest scorecard does not rule on whether providers are compliant based on fees, given a January ruling by US District Court Judge Amit Mehta in Washington, DC, against HHS over third-party requests for patient records and related fees.

“The court holds that: HHS’s 2013 rule compelling delivery of patient health information to third parties regardless of the records’ format is arbitrary and capricious insofar as it goes beyond the statutory requirements set by Congress,” according to the ruling.

“HHS’s broadening of the Patient Rate in 2016 is a legislative rule that the agency failed to subject to notice and comment in violation of the APA,” it continued. “HHS’s 2016 explanation concerning what labor costs can be recovered under the Patient Rate is an interpretative rule that HHS was not required to subject to notice and comment.”

As a result, Ciitizen “refrained from judging whether fees charged to Ciitizen users are ‘compliant’ with HIPAA. Instead, the Scorecard just reports any fees that are charged to Ciitizen users. Because only 6 percent of providers charged any fees, this amount is reported just as part of each provider’s individual score.”