This bittersweet (mostly bitter) has to do with what we consider to be the most insidious part of the FINAL Rule and the one that is mostly likely to lead to liability for covered entities. This FINAL Rule requirement (§164.524(a)) reads in relevant part as follows:
Allowing patients into your physical facility / operational environment “to view, take notes, take photographs, and use other personal resources to capture the information” is likely to be a compliance officer’s worst nightmare. What could go wrong? Well, obviously there are a million and one things that could go wrong all of which are likely to lead to an OCR audit once the patient complains to OCR that they did not get what they wanted. If OCR does indeed conduct an audit the probability is high that they will find other non-compliance dead bodies scattered about (e.g. like deep sixing minor breaches). You are not going to have a good day.
Defining the cross-functional minimally viable process (“MVP”) to meet this requirement will amount to a wicked/insidious challenge of the highest order. There is no software that can help you with this task, although Expresso’s “Requestor” feature will enable you to track it with rigor once defined. We have a generic MVP for this process which we will distribute during the upcoming webinar. This MVP (depicted as a “swimlane diagram”) is a reference point but won’t capture the unique complexity that exists with each one of your respective operational environments. In addition, we will discuss the kinds of things that could go wrong with any definition of this MVP to get you thinking about the challenges you will face in your organization.