by William Thieleman, RHIA
HIPAA promises patients the right to access and amend their medical records, but HIM departments are responsible for making it happen. How will your facility provide this service for patients? The author offers ideas from experts on designing an access and amendment process.
Among the changes in store for facilities as they implement HIPAA is the newly established patient right to access and amend the medical record. While this meshes nicely with the HIM profession's history of patient advocacy, it challenges HIM professionals to design and implement a system that will efficiently and easily serve both patients and the facility. In this article, we'll look at tips from experts on how to implement the process, plus we'll review the content requirements for the notice of privacy practices.
A History of Patient Advocacy
With a few exceptions, the privacy rule grants an individual the right to examine and amend his or her medical record. If the request to amend is granted, the covered entity must insert the amendment at the site of the information, and share the amendment with persons identified by the patient as well as those the entity knows to have the information. If the request is denied, the covered entity must provide basis for the denial and include the denied request with any future disclosures of the patient's information.1
Involved in the creation of the privacy rule, Kathleen Frawley, JD, MS, RHIA, of Frawley and Associates in New Jersey, strongly supports patient access to the record. She also suggests creating a procedure for the physician to be available to answer patients' questions when requested because patients may not understand terms used in the record.
The state of New York has had a patient access statute that includes an amendment provision since 1985. Frawley says that when the legislation was first introduced, physicians throughout the state predicted an avalanche of malpractice suits. Instead, she saw a significant increase in the quality of physician documentation. Interestingly, there was not substantial increase in amendment requests.
In states without a legal basis for an amendment process, some facilities have created one as a service for their patients. Group Health Cooperative in Washington, a member-governed healthcare provider, implemented an amendment policy in March 1980, before the legal requirement of Washington's Uniform Health Care Information Act took effect in 1991.
Gretchen Murphy, MEd, RHIA, director of the University of Washington Health Information Administration program in Seattle, says that in Washington, students learn about the basic right of amendment, in part because of the profession's longstanding support of patients' rights. Additionally, Murphy notes that national standards have been developed prior to the privacy rules, such as American Standards and Testing Materials (ASTM) E1869-97, Standard Guide for Confidentiality, Privacy, Access, and Data Security Principles for Health Information Including Computer-based Patient Records.
Look Before You Leap
To implement the amendment requirement, the place to start is with the privacy rule. According to Gwen Hughes, RHIA, HIM practice manager at AHIMA, there is no substitute for reading it. The simplest way to make sense of the details is to outline the elements of the amendment rule while reading through it. The outline can serve as the framework for creation of a new procedure or as a tool to review an existing procedure. For some, incorporating the outline of the amendment requirements into a flowchart may provide a graphic tool for developing an entirely new procedure.
Before developing the new procedure or revising the existing one, determine if an existing state law is more stringent than the federal amendment rule. If the healthcare organization provides care in more than one state, applicable laws from all states with jurisdiction must be reviewed against the rule and the procedure should be written to the highest standard.
The Function Requires a Form
To facilitate the amendment request and approval process, Mary Brandt, MBA, RHIA, CHE, of Brandt and Associates in Houston, TX, suggests developing a standardized form for patient and facility use. A complete, user-friendly form will include information about the amendment right, how to submit the request, to whom it is submitted, and the process that is followed. The request section should provide space for patients to put any required identifiers, the date of the entry to be amended, the type of entry to be amended, an explanation of how the entry is inaccurate, how the entry should be amended to make it accurate, and any providers the patient believes may have received the information in question.2
Additionally, while the healthcare organization may choose to limit or expand the ways the patient may submit a request for amendment, Brandt argues that the patient should know the grounds for refusal and the alternatives to amendment. In fact, the same form can be used to facilitate the healthcare organization's response to the amendment request. The response section should include the date the request was received, denial or acceptance status, and the reason for a denial. Check boxes will make documentation of the reason for denial much simpler. A space for comments of the clinician and signature and date lines for the HIM staff member and clinician allow the form to be used to document the request and response.
Including detailed information on the amendment request form will not only make the process easier for the patient but easier for the healthcare organization as well. A comprehensive form will require less follow-up and will allow more expedient action on the request and more consistent compliance with the rule. Consider making the access and amendment instructions available outside the notice, such as in the admissions office, HIM department, and online. Finally, in the interest of patient-provider relations, Hughes suggests that HIM professionals consider establishing a protocol in which amendments are generally accepted rather than rejected. This will discourage an adversarial response to requests.
Crafting the Notice
Once the procedure is complete, aspects of the procedure, required elements of the written request, and details of the right to amend must be incorporated into the notice. The HIM manager should review the requirements of the notice of privacy practices before documenting the amendment right and process. It is important that the description of the amendment process be complete and accurate in the notice, because if the procedure needs to be changed after the notice is published, the notice will need to be changed as well. Further, if the notice is inaccurate, it could have complicated and expensive consequences for the healthcare organization.
The amendment section of the notice should include:
- a statement of the right to correct or add missing information
- a requirement that the request and reason for the request be in writing
- a statement that the response will be made within 60 days of the request
- that the request may be denied in writing if the protected health information is:
- correct and complete
- not created by the healthcare organization receiving the request
- not allowed to be disclosed
- not part of the healthcare record
- a statement that the denial will state the reason for the denial and explain the patient's rights if denied, including:
- the right to file a written statement of disagreement with the denial
- the right to have the request for amendment, the denial, and (if submitted) the patient's written statement of disagreement attached to all future disclosures of the PHI
- that approval of the request will result in:
- the change in the PHI
- a written notice to the patient that the PHI was changed
- informing other providers the patient believes may have received the original PHI
For most HIM professionals, the right to amend the medical record is the realization of a long-held professional belief in patients' rights. As we implement this and other HIPAA initiatives, we are part of a landmark process that will change both the standards and perceptions of patient privacy protection.
Six Signposts in the Amendment Process
1. Before developing an access and amendment process, review the privacy rule, applicable state laws, existing standards (from ASTM and the Joint Commission, among others) to ensure compliance
2. Create a comprehensive written request and approval form for patient and provider use specifying the information required from the patient to process the request. Consider accepting a letter from the patient in lieu of the form if it contains the necessary information.
3. Make the instructions for record access and amendment available through multiple channels, such as the facility's Web site, HIM department, and admissions office
4. Before implementing the process for patient access and amendment, educate facility staff. Formal training should include an explanation of the right, who is responsible for handling access and amendment processes, and what the process entails. This will help staff direct requests to the appropriate department and foster the highest level of compliance with the privacy rule's requirements
5. Establish a means to monitor compliance and implement corrective action where indicated
6. Provide a custodian to sit with the patients as records are reviewed to protect the integrity of the record. The custodian,however, should not try to interpret the record.
What About the EMR?
Despite the obvious benefits of the EMR, Carole Okamoto, MBA, RHIA, CPHQ, president of C.O. Concepts in Washington, contends that facilities with an EMR are facing the greatest implementation challenge. Most systems do not provide for seamless amendment, that is, creating a link from the original record to the amended record and notice that the data has been changed. She also notes that every core system has its own approach to amendment, some less functional than others. The healthcare organization will need to work with the vendor to ensure a process that complies with the regulation.
Facilities using an EMR must also first create an organizational definition of the legal medical record.3, 4 Healthcare organizations will have to define patient-identifiable health information and what constitutes the legal medical record so that patients don't end up being able to go through databases that manage operational information such as utilization management or quality assurance. Okamoto foresees hoteling stations or computer terminals where patients will be able to get read-only access to their records if they don't have Internet access. Those with Internet access will view their records through a browser-based secure portal. Additionally, that kind of access will require definition of the legal medical record to facilitate limitation of access, such as HIV test results, when a state requires pre-test and post-test counseling.
Old News in Washington and Montana For some HIM professionals, implementing the HIPAA privacy rule's patient right to amend the medical record has been a done deal for some time. In Washington and Montana, for example, the Uniform Health Information Act was enacted more than 10 years ago and included the patient's right to know a record of care was kept, the right to access it, an amendment process, and parameters of disclosure, and required a notice explaining those rights posted in facilities.5 However, with the advent of the privacy rule, HIM professionals and healthcare organizations will have to implement a new required amendment process or review their existing procedure to ensure that it meets the standard of the privacy rules.
1. Hughes, Gwen. Patient Access and Amendment to Health Records (AHIMA Practice Brief). Journal of AHIMA 72, no. 5 (2001): 64S-V. Available online at www.ahima.org.
2. A sample amendment request and response form is available in the practice brief cited above.
3. Okamoto, Carole. Legal Medical Record Redefinition in a Multimedia Environment. Journal of AHIMA 69, no. 9 (1998): 70-76.
4. Amatayakul, Margret et al. Definition of the Health Record for Legal Purposes (AHIMA Practice Brief). Journal of AHIMA 72, no. 9 (2001): 88A-H.
5. Hughes, Gwen. Getting Your Arms Around HIPAA. Journal of AHIMA 72, no. 4 (2001): 62-65.
Standards for Privacy of Individually Identifiable Health Information; Final Rule. 45 CFR Parts 160 and 164. Federal Register 65, no. 250 (December 28, 2000). Available at http://aspe.hhs.gov/admnsimp/.
William Thieleman (firstname.lastname@example.org) is senior policy analyst for health information administration and managing co-chair of the Confidentiality and Security Council at Group Health Cooperative in Seattle, WA.
Thieleman, William. "A Patient-friendly Approach to the Record Amendment Process." Journal of AHIMA 73, no.5 (2002): 44-47.