Improved Compliance Revealed in Ciitizen HIPAA Right of Access Study

By James Keogh

There has been a major improvement in compliance with the HIPAA Right of Access, according to the most recent Patient Record Scorecard Report from Ciitizen.

To produce the report, Ciitizen conducted a study of 820 healthcare providers to assess how well each responded to patient requests for copies of their healthcare data. A wide variety of healthcare providers were assessed for the study, from single-physician practices to large, integrated healthcare delivery systems.

The HIPAA Privacy Rule gives patients the right to ask for a copy of their healthcare data from their providers. Requests must be submitted in writing, and healthcare providers must provide the patient with a copy of the health data in a designated record set within 30 days of the request being filed. The data must be provided in the format requested by the patient if the PHI is readily producible in that format.

In instances where data cannot be supplied in the requested format, the provider should give the patient a printed copy of their healthcare data or provide the data in a different format, as agreed with the patient.

For every study, requests for copies of healthcare data are sent to healthcare providers by Ciitizen users. The provider then receives a rating from 1 to 5 stars based on their response. A 1-star rating represents a non-HIPAA-compliant response. A 2-star rating is awarded when requests are eventually resolved satisfactorily, but only after a number of escalations to supervisors. A 3-star rating is given when the request is satisfied with minimal intervention, and a 4-star rating is given to providers that are fully compliant and have a seamless response. A 5-star rating is only awarded to providers with a patient-focused process who go above and beyond the requirements of HIPAA.

Previous studies showed most providers (51%) were not compliant with the HIPAA Right of Access. The latest study saw that percentage drop to 27%. The percentage of providers awarded 4 stars for their responses grew from 40% to 67%, and the percentage of providers awarded 5 stars grew from 20% to 28%.

There was more good news from this year’s study. Under HIPAA, healthcare providers are allowed to charge patients a reasonable, cost-based fee for producing the records, but only 6% of the 820 healthcare providers charged fees.

In earlier studies, many healthcare providers required patients to complete a standard form, yet this year, most providers accepted any form of written request and did not require patients to complete a particular form before the request was processed.

The most recent study saw a significant growth in assessments, which may have accounted, in part, for the improvements in compliance. 51 providers were assessed for the first Patient Record Scorecard report, 210 in the second, and 820 in the third. Ciitizen points out that the percentage of non-compliant providers in those studies did correlate with a separate study conducted on 3,000 providers, which suggests that the improvements are genuine.

Ciitizen attributes the improvements in compliance to three main factors. Greater emphasis has been placed on the right of individuals to obtain copies of their healthcare data following the publication of new rules by the HHS’ Centers for Medicare and Medicaid Services and the HHS’ Office of the National Coordinator for Health IT, which make it easier for patients to obtain copies of their healthcare data.

Release of information (ROI) vendors have also had a positive influence. ROI vendors process patient requests on behalf of covered entities and help those entities comply with the HIPAA Right of Access. Finally, the HHS’ Office for Civil Rights began a HIPAA Right of Access enforcement initiative last year. Under that initiative, two fines of $85,000 were imposed on covered entities that failed to comply with requests from patients to supply copies of their PHI.

The Ciitizen Patient Record Scorecard Reports and the website created by Ciitizen that shows the scores of each provider may also have played a part in encouraging healthcare providers to comply with this important aspect of HIPAA.

James Keogh has been covering the healthcare industry in the United States for several years and now serves as the editor of HIPAAnswers. He focuses on HIPAA and the blend of healthcare privacy with information technology. Over time, he has gained expertise in HIPAA-related topics such as compliance, patient privacy, and data breaches. Follow James Keogh on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 .