The Patient Record Scorecard and Survey Explained
Hosted by: Deven McGraw, Chief Regulatory Officer at Ciitizen (Former Deputy Director, Health Information Privacy at OCR)
Goals
• Yesterday (8/14/19), Ciitizen announced the publication of the following tools that evaluate health care providers’ compliance or likely compliance with the HIPAA Right of Access:
  - Scorecard: patientrecordscorecard.com
  - Survey: ciitizen.com/survey
  - Whitepaper: https://www.medrxiv.org/content/10.1101/19004291v1
• We will present overall findings and share why we did this work and how we did it
• We will also talk about what’s next for the scorecard and survey
Ciitizen: who we are
• Help cancer patients collect, summarize and share medical data free of charge
• Enable patients to get second opinions, coordinate with caregivers and donate to research
Why we did this
• OCR released extensive guidance on the Right of Access in 2016 - but through our work of helping patients request their medical records we saw it didn’t appear to have made much of a difference
• Recently OCR announced more robust enforcement of the Right of Access
• We want to raise the bar on compliance with the Right of Access – and get processes improved before OCR knocks on the door
• We’re taking a page out of the quality measurement playbook – what gets measured and publicly reported gets improved
Scorecard: About The Patient Record Scorecard
• We sent medical record and radiology requests to 51 healthcare providers, based on actual requests by 30 Ciitizen users - patientrecordscorecard.com
• All patients requested digital copies to be sent (through an encrypted portal or by e-mail for text and CD for images) to Ciitizen. They acknowledged security risks of unencrypted e-mail and the possibility of sharing sensitive health information
• We rated medical providers from 1-5 stars
• Score is based on the latest request (not averaged) - many scores based on only one request
Four key right of access components
• Accepts requests by email or fax: Providers may not create a barrier to access by requiring patients to submit requests in person or by mail
• Sent in format requested to the patient’s designated recipient: The provider sends the records in the format the patient requests, which is in digital form by email for text, CD for images, and sends it to the third party designated by the patient
• Sent within 30 days: The provider responds to the request within 30 days of receipt.
• No unreasonable fees: Providers may only charge reasonable, cost-based
Star rating key
Ciitizen Five-Star badge
• Our goal is to help providers understand where record release processes can be improved to become patient-focused
• We will be highlighting Five-Star providers and sharing stories of providers who put effort into improving the way they process patient requests
Patient Record Scorecard analysis
Primary reason of non-compliance: records not sent in form and format requested
Too much intervention needed to get records
Without intervention to HIM Supervisors and/or Privacy Officers, 71% of our requests would not have been fulfilled pursuant to HIPAA requirements.
HIPAA Right of Access Survey
• We called healthcare institutions in order to assess likelihood of compliance - ciitizen.com/survey
• During the period of August 2018-May 2019 we called and obtained reportable data on ~3,000 institutions
• We asked a set of consistent questions to medical records and radiology departments
• We summarized our findings in a whitepaper - https://www.medrxiv.org/content/10.1101/19004291v1
Survey questions asked to healthcare providers
• Will you accept a patient’s access requests by email or by fax?
  - Some institutions required the patient to come in person or to mail a request.
• Will you send the records directly to the patient?
  - Some institutions reported they would only send the records to another medical professional.
• Will you send the records to a patient by email?
  - Some institutions refused to send electronic records by e-mail.
• Do you charge patients for these records – and if so, how much?
  - Some institutions shared a fee amount, more details on next slide.
Analysis of reasonable fees
Per OCR guidance on the Right of Access:
• We considered an institution to be charging “reasonable fees” if they:
  - did not charge patients,
  - charged a flat fee of $6.50 or less, or
  - reported fees that seemed to be based on reasonable labor costs for copying
• We considered an institution to be charging “unreasonable fees” if they:
  - charged per page fees, including fees for records retrieval, or
  - charged a flat fee higher than $6.50
• Institutions who did not answer this question are reported as NA (not applicable)
• When answers suggested compliance, we gave institutions credit
HIPAA Right of Access Survey analysis
What we also found
• Based on responses, medical records departments are four times more non-compliant than radiology departments
• However, radiology departments are much more non-compliant in terms of sending records directly to the patient, insisting on only sending to a doctor’s office (77%)
• When a provider indicates non-compliance in terms of charging fees, the majority (72%) also had responses indicating non-compliance with another aspect of the right of access
Our scorecard and survey show similar results
Healthcare provider compliance with HIPAA critical to patients over next few years
• Still too much noncompliance out there – too hard for patients to exercise their right of access, particularly when they neither know enough about HIPAA to push back nor have the time and energy to fight these battles
• Direct access by patients to their records in Electronic Health Records (EHRs), particularly through open, standard APIs, will become more robust – but it will take years before this is fully implemented, especially for the entire “designated record set”
• We will still need medical records offices – and their vendors – to be compliant with the Right of Access for some time to come
Potential limitations of scorecard and survey
• Many providers were scored based on one request
  - For HIPAA compliance with the right of access, being compliant with each request matters
  - But this makes meaningful statistical analysis more difficult
• We took detailed notes but did not record interactions (either for scorecard or survey)
• Phone surveyors worked from scripts but we lacked reporting conventions for fee information
• Providers evaluated separately by location
What’s next?
• We will continue to do rolling updates to the scorecard - updating the scores of existing providers and adding new providers
• Continue free monthly webinars to educate providers on the right of access; private webinars and assessments also possible.