June 28, 2021
Covered Entities (CEs) and their Business Associates (BAs) face increasing risk from delayed responses to patient requests for copies of their protected health information (PHI). In tandem with the proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, this creates another level of responsibility for Release of Information (ROI) departments across the nation. Under the proposed HIPAA Privacy Rule changes, the time allowed to fulfill a patient's request for a copy of their PHI would be reduced from 30 days plus a 30-day extension to 15 days plus a 15-day extension. These proposed changes will have a profound impact on ROI operations. Our experience evaluating health system ROI operations and vetting third-party ROI vendors gives us insight into the difficulty of meeting a 30-day turnaround time, let alone a 15-day turnaround. CEs and BAs can fail to meet this requirement for a variety of reasons, including a lack of human capital in the ROI function, ineffective business processes, and ineffective access to parts of the patient medical record, among others.
Non-compliance with these regulatory requirements can lead to both civil penalties and irreversible reputational damage. Entities covered under HIPAA are expected to ensure that they: (1) respond to a patient's request in a timely manner; and (2) provide the requested PHI in the format of the patient's preference, unless there are documented mitigating reasons why that request cannot be fulfilled. The Department of Health and Human Services Office for Civil Rights (OCR) has stated, "For too long, health care providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law." (Roger Severino, OCR Director, December 12, 2019) Enforcement actions under the Right of Access Initiative have identified systemic weaknesses in CE and BA processes and documentation, as well as their ROI departments' inability to meet the current regulatory requirements.
RIGHT OF ACCESS SETTLEMENTS
OCR announced this initiative in 2019, promising to vigorously enforce patients' rights to access their medical records promptly, without being overcharged, and in the readily producible format of their choice. The initiative has led to nineteen settlements to date across a range of health care institutions, from boutique covered entities to large health care enterprises, as well as their business associates as defined by HIPAA. Notable points from these settlements include:
- OCR considers a variety of factors in determining the amount of a settlement, including the nature and extent of the potential HIPAA violation; the nature and extent of the harm resulting from it; the entity's history of compliance with the HIPAA Rules; the financial condition of the entity, including its size and the impact of the COVID-19 public health emergency; and other matters as justice may require.
- Corrective Action Plans (CAPs) include both punitive responsibilities and monitoring requirements. The punitive responsibility is payment of the amount set by the settlement. Even more daunting from an operational perspective are the monitoring requirements, which currently run for one to two years. Monitoring places an additional layer of accountability on the enterprise: processes must be submitted to OCR/HHS for confirmation and approval before implementation, and they must be reviewed continually, both for your own staff and for the parties with which you have entered into a Business Associate Agreement.
HOW WE HELP
Our team has deep expertise in HIPAA Privacy and ROI best practices. We assist clients including large health systems, specialty hospitals, physician practices, and business associates. Ankura helps health care organizations by assessing their adherence to the HIPAA Privacy Rule and identifying vulnerabilities and risks. We determine the potential impact of our findings and provide your organization with the tools to build and maintain a strategic, dynamic response to privacy and ROI operations concerns.
We accomplish these goals by analyzing your current processes, your existing Privacy and ROI policies, and your ROI vendor utilization process. Our HIPAA privacy and ROI services are designed to assess compliance with both the technical and non-technical HIPAA Privacy requirements, as well as state and federal ROI requirements, and to mitigate any gaps identified. In addition, we can help you determine the best way to remediate risks and design processes that improve the effectiveness of your operations going forward.
PREPARING FOR HIPAA COMPLIANCE
We suggest you review the proposed HIPAA Privacy Rule changes and their impact on your ROI function, and seek answers to the following:
- Are you currently meeting the proposed turnaround time expectations?
- Do you have the human capital to meet the expectations?
- If you are using third-party ROI vendors, are they in compliance with these requirements?
- What are the pros and cons of either keeping ROI in-house or utilizing an outside vendor?