Patient Rights Under HIPAA: A Small Practice Owner's Guide to Access, Amendment, and Accounting

Executive Summary

For small practice owners, navigating the intricate landscape of HIPAA compliance is not merely a regulatory burden, but a fundamental commitment to patient trust and privacy. Understanding and upholding patient rights under the Health Insurance Portability and Accountability Act (HIPAA) is paramount. This guide will delve into three critical patient rights: the right to access, the right to amend, and the right to an accounting of disclosures, providing clear actionable insights for your practice. Adhering to these principles not only ensures legal compliance but also strengthens the patient-provider relationship, fostering an environment where individuals feel secure and empowered regarding their sensitive health information. This comprehensive approach is vital for maintaining a reputable and trustworthy healthcare service in an increasingly regulated digital age.

The Right to Access Protected Health Information (PHI)

Patients have a fundamental right to access their Protected Health Information (PHI) held by covered entities. This right, outlined in 45 CFR § 164.524, empowers individuals to inspect and obtain a copy of their medical and billing records maintained in a designated record set. This ensures transparency and allows patients to verify the accuracy of their health data. The designated record set includes a wide array of information, from clinical notes to laboratory results, reflecting the comprehensive nature of this right.

Key Considerations for Small Practices

  • Timeliness: You must act on a request for access no later than 30 days after receipt. This strict timeline underscores the importance of efficient internal processes. If unable to meet this deadline, a 30-day extension is permissible, provided the individual is informed in writing of the reasons for the delay and the expected completion date. This notification should also include the patient's right to complain to the practice or the HHS Office for Civil Rights (OCR) if they are dissatisfied with the extension.
  • Form and Format: Patients may request their PHI in their preferred format (e.g., electronic or paper). If the information can be easily reproduced in the requested electronic format, you must provide it that way. Otherwise, you must provide it in a legible, mutually acceptable electronic format, or in paper form if the electronic option is not feasible or the patient does not prefer it.
  • Fees: A reasonable, cost-based fee may be charged for copies, but this fee is strictly limited. It can include labor for copying the PHI, supplies, and postage if the copies are mailed. However, no fee can be charged for the time spent searching for or retrieving the information. Fees must be communicated to the patient in advance.
  • Denial: Denials are permitted in specific, limited circumstances. These typically include requests for psychotherapy notes, information compiled for use in a legal proceeding, or where a licensed health professional believes access would endanger someone's safety. A written denial must be provided with the specific basis, review rights (if applicable), and information on how to file a complaint.

The Right to Amend Protected Health Information (PHI)

Patients have the right to request that a covered entity amend their PHI if they believe it is inaccurate or incomplete. This right is specified in 45 CFR § 164.526.

Key Considerations for Small Practices

  • Designated Record Set: Applies exclusively to PHI in the designated record set.
  • Timeliness: Action is required within 60 days. One 30-day extension is allowed with written notification.
  • Granting the Request: If accepted, the amendment is linked to the original record. The practice must notify the patient and others who may have relied on the incorrect information.
  • Denying the Request: Denials may occur if the PHI was not created by the practice, is not part of the designated record set, is already accurate and complete, or is not subject to access rights.
  • Denial Process: A written denial must be provided within the deadline, including the basis, the right to submit a statement of disagreement, and the right to file a complaint. If a disagreement is submitted, it and any rebuttal must be appended to the PHI.

The Right to an Accounting of Disclosures

Patients have the right to receive an accounting of certain disclosures of their PHI made by your practice under 45 CFR § 164.528.

Key Considerations for Small Practices

  • Six-Year Lookback: Maintain tracking systems for disclosures made in the previous six years.
  • Exclusions: Excludes disclosures for TPO (treatment, payment, and health care operations), to the individual, disclosures made under a patient authorization, disclosures for national security purposes, and disclosures of limited data sets.
  • Content of Accounting: Must include the date, recipient, brief description of the PHI, and purpose or request documentation.
  • Timeliness: Response required within 60 days, with one 30-day extension allowed via written notice.
  • Fees: First accounting in 12 months is free. Additional requests may incur a reasonable fee with advance notice.

Case Study: The Delayed Accounting for Public Health Data
A small pediatrics practice, which actively participates in state-mandated public health reporting, received a request from a former patient's parent for an accounting of all disclosures of their child's PHI over the past five years. The practice had a system for submitting these reports electronically, but their internal record-keeping was insufficient. When the request came in, the designated privacy officer found that logs for these public health disclosures lacked detailed information about the specific PHI included or the precise purpose beyond general "public health reporting." Despite requesting a 30-day extension, the accounting provided remained incomplete. The parent filed a complaint with the HHS Office for Civil Rights (OCR). The investigation revealed that although the disclosures were permissible, the practice failed to adequately track and document them. The OCR required a corrective action plan, implementation of a detailed logging system, staff retraining, and a resolution agreement.
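The accounting requirements listed above and the logging failure in the case study can be expressed as a small disclosure-log model. This is an added illustration, not code from the guide or from any EHR product; the field names, the purpose labels, and the sample log entries are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Disclosure categories that 45 CFR 164.528 excludes from an accounting (see the list above).
EXEMPT_PURPOSES = {"treatment", "payment", "health_care_operations", "to_individual",
                   "authorized", "national_security", "limited_data_set"}

@dataclass(frozen=True)
class Disclosure:
    """One log entry carrying the elements an accounting must report."""
    disclosed_on: date
    recipient: str
    phi_description: str   # specific, e.g. "DTaP dose 3 record", not just "PHI"
    purpose: str           # an exemption category above, or the specific purpose

def incomplete_fields(d: Disclosure) -> list:
    """Blank fields; an entry with any of these cannot support a complete accounting."""
    return [f for f in ("recipient", "phi_description", "purpose") if not getattr(d, f).strip()]

def lookback_start(requested_on: date, years: int = 6) -> date:
    """Earliest disclosure date the accounting must cover."""
    try:
        return requested_on.replace(year=requested_on.year - years)
    except ValueError:  # request dated Feb 29 and the target year is not a leap year
        return requested_on.replace(year=requested_on.year - years, day=28)

def response_due(received_on: date, extended: bool = False) -> date:
    """60 days to act, plus one 30-day extension given with written notice."""
    return received_on + timedelta(days=60 + (30 if extended else 0))

def build_accounting(log, requested_on: date, years: int = 6) -> list:
    """Accountable entries in the lookback window, oldest first, flagged for missing detail."""
    start = lookback_start(requested_on, years)
    rows = []
    for d in sorted(log, key=lambda e: e.disclosed_on):
        if not (start <= d.disclosed_on <= requested_on) or d.purpose in EXEMPT_PURPOSES:
            continue
        rows.append({"date": d.disclosed_on.isoformat(), "recipient": d.recipient,
                     "phi": d.phi_description, "purpose": d.purpose,
                     "missing": incomplete_fields(d)})
    return rows

# Constructed sample log (not real data): an old entry, a treatment disclosure, and a
# public health report logged without saying what PHI was sent.
SAMPLE_LOG = [
    Disclosure(date(2017, 3, 1), "State immunization registry", "DTaP dose 3", "public health reporting: immunization registry"),
    Disclosure(date(2023, 6, 15), "Referral specialist", "visit note", "treatment"),
    Disclosure(date(2024, 9, 2), "State health department", "", "public health reporting"),
]
```

Running `build_accounting(SAMPLE_LOG, date(2025, 1, 10))` returns only the 2024 public health entry, with `phi_description` flagged as missing, which is exactly the gap the case study describes.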

Best Practices for Small Practice Owners

  • Develop Clear Policies and Procedures: Define workflows and roles for processing patient rights requests.
  • Designate a Privacy Officer: Assign an individual to manage HIPAA compliance.
  • Utilize Technology Wisely: Use secure EHR systems with features to track disclosures and manage requests.
  • Maintain Thorough Documentation: Record all requests, actions, denials, and communication.
  • Educate Your Patients: Provide a clear Notice of Privacy Practices (NPP) to explain rights and procedures.

Final Takeaways

  • Empower patients through education.
  • Streamline processes using standard forms.
  • Train staff on their responsibilities.
  • Track and document all requests and disclosures.
  • Stay updated on HIPAA changes.

Next Steps for Your Practice

  • Review HIPAA policies and ensure alignment with 45 CFR § 164.524, § 164.526, and § 164.528.
  • Use compliant request and denial forms.
  • Assign responsibilities to trained staff.
  • Implement tracking mechanisms and audit logs.
  • Consult experts or compliance platforms to support policy and training.

Concluding Recommendations and Next Steps

To truly honor patient rights and maintain HIPAA compliance, small practice owners must view these requirements not as a chore, but as an integral part of building trust and providing quality care. Proactive measures are key: regularly review and update your HIPAA policies to align with current regulations, especially those pertaining to access, amendment, and accounting of disclosures. Invest in ongoing staff training to ensure every team member understands their role in protecting patient privacy and facilitating these rights. Finally, leverage technology wisely, utilizing your Electronic Health Record (EHR) system's capabilities for tracking disclosures and managing patient requests efficiently. By embedding these practices into your daily operations, you'll not only meet legal obligations but also foster a more transparent and patient-centric healthcare environment.
