What is the response when an individual submits a request to receive access to their medical record? The response can often be one of frustration over the time and effort that will go into compiling the record in response to the request. There can also be a desire to recoup costs (or make a little extra). Are all individuals in an organization prepared for responding to requests or obtaining necessary information? A lot of questions can arise when a request for access is made.
In this respect, education and training are key components to building, establishing and maintaining a culture of compliance. As I often like to say, how can an individual be expected to do the right thing, if that person does not know what the right thing is or how to do it. Promoting the beneficial aspects of education leaves aside that HIPAA requires training and education.
When thinking about an education or training program, many individuals may be resistant to following through with mandated training or may not really pay attention. If a training module can be done remotely, how many people would take the opportunity to “watch” it while sitting in front of the television or doing some other activity where attention will be divided. Training does not rank high on the list of preferred activities for many, so it is important to find ways to promote meaningful training.
Training is especially important for physicians because physicians have so many direct interactions with patients who could make requests. At the same time, physicians are among the individuals with the least amount of time to want to devote to training. What incentive could be offered to promote more willingness to do the training? Money or some other compensation would likely be good, but probably not feasible. The Office for Civil Rights may have found another way. As part of continuing efforts to ensure an accurate understanding of access rights, OCR created a continuing medical education approved training module. Like any remote training, the module can be done anywhere, but is presented by some of the top government HIPAA officials and gives CME credit. Any continuing education credits are often in high demand among professionals.
Having identified the hope for the training, will it work? The answer to that question will be hard to determine. However, the mere existence of the training is a positive sign. The more opportunities and avenues there are for physicians and others to be trained on HIPAA requirements the better. For too long HIPAA has been blamed for impeding too many activities, often driven by a lack of understanding about what HIPAA actually does. If tools are available, the list of excuses for not comprehending HIPAA can be shortened. That is a good thing.
Education and awareness alone should be sufficient to drive individuals and organizations to learn about HIPAA. The optimistic view is overshadowed by reality though. If the right thing is not sufficient motivation, the potential negative consequences could be a better motivator. What happens if a patient’s request for access is not fulfilled timely or accurately? If a report is made to OCR, then an investigation could occur. Many investigations are resolved behind the scenes through discussions between OCR and the subject, but sometimes bigger issues can arise and then headlines can be made. No organization would want to face the potential backlash of paying a hefty settlement and seeing its name appear everywhere just because it did not understand the access requirement. A healthy mix of encouragement and fear could be enough to emphasize the importance of good education and training.
About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Matt advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute. This article was originally published on Mirick O’Connell’s Health Law Blog.