October 04, 2019
On September 9, 2019, the HHS Office for Civil Rights (OCR), the agency that enforces HIPAA rules, announced that it had done something it had never done before: settle an enforcement action for not complying with HIPAA provisions ensuring individuals access to their own protected health information (PHI). Rather than an outlier, the $85,000 settlement with a Florida hospital is an indication of where HIPAA enforcement is heading. Earlier this year, the OCR announced it was kicking off a new Right of Access enforcement focusing on the sometimes overlooked HIPAA patient access rights.
Bottom Line: This would be an excellent time to review your current PHI access policies and procedures to ensure they meet HIPAA requirements. Let’s focus on a particularly troublesome aspect of PHI access: denying patients’ requests to amend their own PHI.
When You Can Deny PHI Amendment Requests
HIPAA requires labs and other covered organizations to give patients rights over their own PHI. That includes allowing patients to request amendments to their PHI. But HIPAA doesn’t say that you have to accept these requests. Denials are allowed in four situations:
How to Deny PHI Amendment Requests
In addition to having a substantive basis for denial, you must comply with the rules for notifying patients when you nix their PHI amendment requests. Specifically, you must put the denial in writing and explain the rights patients have with regard to the denial. This is true even if you deny just part of the PHI requested. The deadline to furnish the written denial is 60 days from the date you receive the amendment request—subject to a 30-day extension that you may be able to get in some circumstances. The denial notice must also meet the criteria set out in the HIPAA privacy regulations, i.e., it must:
**************
This article, along with a ready-to-adapt Model Letter denying a patient’s PHI amendment request, originally appeared in G2 Intelligence, Lab Compliance Advisor, October 2019.