HIPAA Survival Guide Newsletter, September 2021

This bittersweet (mostly bitter) topic has to do with what we consider to be the most insidious part of the FINAL Rule and the one that is most likely to lead to liability for covered entities. This FINAL Rule requirement (§164.524(a)) reads in relevant part as follows:

  • Standard: Access to protected health information— (1) Right of access. (i) Except as otherwise provided in paragraphs (a)(2) or (3) of this section, an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for: (A) Psychotherapy notes; and (B) Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. (ii) An individual’s right to inspect protected health information about the individual in a designated record set includes the right to view, take notes, take photographs, and use other personal resources to capture the information, except that a covered entity is not required to allow an individual to connect a personal device to the covered entity’s information systems and may impose requirements to ensure that an individual records only protected health information to which the individual has a right of access.

Allowing patients into your physical facility / operational environment “to view, take notes, take photographs, and use other personal resources to capture the information” is likely to be a compliance officer’s worst nightmare. What could go wrong? Well, obviously there are a million and one things that could go wrong, all of which are likely to lead to an OCR audit once the patient complains to OCR that they did not get what they wanted. If OCR does indeed conduct an audit, the probability is high that they will find other non-compliance dead bodies scattered about (e.g., deep-sixing minor breaches). You are not going to have a good day.

Defining the cross-functional minimally viable process (“MVP”) to meet this requirement will amount to a wicked/insidious challenge of the highest order. There is no software that can help you with this task, although Expresso’s “Requestor” feature will enable you to track it with rigor once defined. We have a generic MVP for this process, which we will distribute during the upcoming webinar. This MVP (depicted as a “swimlane diagram”) is a reference point but won’t capture the unique complexity that exists within each of your respective operational environments. In addition, we will discuss the kinds of things that could go wrong with any definition of this MVP to get you thinking about the challenges you will face in your organization.