Under the HIPAA Privacy Rule, covered entities — including hospitals, doctors, and health plans — must have processes in place to assure that individuals can exercise their rights, including the HIPAA Right of Access. We first blogged about this obligation back on February 12th .
When we first started sending patient requests for their records, we painstakingly looked up the process for each institution and medical practice, followed their instructions to the letter, and set ourselves a reminder for when the request was close to approaching the 30 day deadline.
We learned a lot that first month.
As we got closer to the deadline, we decided to check on these requests — and found that in a number of cases, the entities claimed they had never received it (even though we had faxed, e-mailed or even mailed it per their instructions). So we decided that with our next batch of requests, we would follow up within 24 hours of sending the request to make sure it was received and was in process. (Of note — there were some Ciitizen employee requests in our first batch — and we did not follow up on these, and as a result, most of them were never fulfilled.)
Making these calls improved our response rate — but also introduced us to Medical Records (or Health Information Management (HIM) Department) phone call hell. Getting someone to answer the phone — or return a call — is frequently a challenge. And when you get someone on the phone, too often they lack knowledge of what HIPAA requires, telling us the patient needs to come in person, or cannot have records e-mailed, or must first pay a per-page fee even for digital copies. So more phone calls are required in order to get someone on the phone (usually the privacy officer) who actually knows the HIPAA Right of Access and will assure the request is processed.
On average, it takes 3–4 phone calls to get a single medical records request filled in compliance with HIPAA.
We devote resources to getting these requests fulfilled, even if it means multiple phone calls. But most individuals have neither the knowledge nor the time to engage in these battles. Recently the head of HIPAA — Office for Civil Rights (OCR) Director Roger Severino — talked about his efforts to get copies of his records in compliance with HIPAA, and he gave up after the process proved too time consuming.
Director Severino then announced he would be focusing on greater enforcement of the Right of Access.
How many phone calls does it take to reach the center of the HIM Department?
The answer should be: none.
Originally published at https://blog.ciitizen.com on April 9, 2019.