
Compliance with HIPAA may offer some clues on how providers will fare with new info blocking rules

Despite a 20-year head start, providers still fall short of HIPAA requirements around fulfilling patient requests for their medical records. In light of the federal information blocking rules, providers should first examine their compliance with HIPAA and then address the new demands imposed by the recently enacted regulations.


The federal information blocking rules went into effect about 10 days ago. As providers’ thoughts turn to compliance, there is one measure that can give us a sense of how they will fare: their compliance with HIPAA’s individual right of access provisions.

A dashboard developed by Ciitizen, a Palo Alto, California-based company that helps patients get access to their medical records, provides insight into how thousands of hospitals and health systems around the country respond to patient requests for their health information under HIPAA's right of access, which covered entities are required to honor. Looking through the data shows that compliance is rising but follows no hard and fast pattern. Many providers fall short of expectations, including some well-resourced ones.

But first, the good news. There has been a steady improvement in compliance since 2019, said Deven McGraw, co-founder and chief regulatory officer of Ciitizen, in a phone interview. The percentage of hospitals and health systems receiving top scores, meaning they provided seamless access to information or went above and beyond what HIPAA requires, increased to 74% from 67% in 2019.

In addition, the number of providers who are completely non-compliant or only provide the record after hospital supervisors or privacy officials get involved has dropped to 20% from 27%.

But that still means one in five of the 3,400 providers on Ciitizen’s dashboard are not complying with HIPAA as they should.

If you are expecting a pattern among the non-compliant hospitals, think again. There is no correlation between factors like size and location and a facility's compliance level, said McGraw, who was a deputy director of health information privacy at the Department of Health and Human Services from 2015 to 2017.

“It is always surprising when a really large facility doesn’t score very well,” she said. “They do get a lot of requests, but they should also have more resources to staff the health information management department or medical records office sufficiently to respond to that demand.”

For example, Cleveland Clinic scored only 1 star, indicating that it provided the requested records but not according to HIPAA requirements, which include accepting requests by email or fax and sending the records in the format the patient requested.

Further, well-known healthcare providers in the same city received scores on opposite ends of the spectrum. Northwestern Medicine has a score of 4 stars, which means the request for the medical record was granted with minimal effort. On the other hand, Ann & Robert H. Lurie Children's Hospital of Chicago scored 2, which means the records were provided but Ciitizen had to escalate the issue to a supervisor at the hospital.

There is wide variation within big health systems too. Take UPMC, where most of its facilities scored 4 stars, but some, like UPMC Pinnacle in Lancaster and Lititz, Pennsylvania, are not compliant.

Smaller facilities show no clearer pattern. Some did poorly, like Baechtel Creek Medical Clinic in Willits, California, while others outscored bigger facilities with more resources, like Rio Abajo Family Practice, a single-physician clinic in Los Lunas, New Mexico, which has a score of 5.


It is important to note, however, that the scores are based on just one company's experience obtaining records. In Ciitizen's case, the requests relate to the roughly 8,000 patients it works with, McGraw said. The company also currently serves only cancer and rare neurological disorder patients, who typically see multiple providers for their often complex care, so the dashboard reflects only those patients' requests, though the company plans to expand to other patients in the future.

As the overall industry strives toward greater transparency, it will become increasingly important for providers to take a close look at how they respond to those requests for information — both on the HIPAA front as well as with regard to information blocking.

“In general, HIPAA compliance sets the baseline, and the information blocking rules set the higher bar,” McGraw said. “If you are out of compliance with HIPAA, you are going to be out of compliance with the information blocking rules.”

Jodi Daniel, a partner in Crowell & Moring’s Health Care Group where she leads the digital health practice, echoed McGraw.

“Healthcare provider organizations that are in compliance with HIPAA and currently provide information to patients through portals and APIs that enable third-party app access, are ahead of the curve with regard to compliance with information blocking, but still may need to do more,” she said in an email.

The new information blocking rules place a whole host of new demands on providers. For example, under HIPAA a provider has 30 days to fulfill a request made through its medical records department, whereas under the information blocking rules, any delay "can be considered an interference under information blocking," Daniel said.

“It is important to understand how the information blocking rules layer on top of HIPAA,” she said. “I would encourage all healthcare providers to do a careful review of health information sharing practices and responses to requests for information, including consideration of technical specifications and policies.”

Photo: designer491, Getty Images