Many physicians dread phone calls and technical assistance from OCR investigators. But when it comes to the release of information, rigorous compliance is critical.
The US Department of Health & Human Services Office for Civil Rights (OCR) helps physicians stay compliant with health information requests and avoid hefty fines, but it is astounding how many physicians dread phone calls and technical assistance from OCR investigators. These investigators, however, should be seen as a resource that can provide the compliance playbook to avoid astronomical civil monetary penalties and to close compliance gaps you might not even know exist.
Anyone can file a complaint against a provider if they feel their rights of access have been violated, and OCR has 3 ways to address a patient complaint: phone call, technical assistance, or data request.
Phone Call. OCR may conduct an informal, impromptu phone call with the provider to gather information about the reason the complaint was filed. It will offer advice and training to help the provider get the patient the needed information or records. If the provider follows OCR’s direction, a formal document detailing the patient complaint will be sent, and the complaint will be closed.
Technical Assistance. OCR will issue technical assistance if it deems a more formal method of communication is warranted. First, OCR reviews the complaint and documentation provided by the patient or their representative. If the documentation is adequate, OCR may issue technical assistance offering education. After OCR provides education and direction, it will note them in the technical assistance letter and show the case as closed.
However, a closed case is not a get-out-of-jail-free card. OCR expects the provider to investigate the complaint further and implement the advice provided by OCR through updated policies and procedures to close the gaps that caused the situation in the first place. Receiving technical assistance is like receiving a written warning for speeding: It does not mean you can continue to speed; it means you need to be more aware of your transgressions and work harder to avoid making the same mistake.
Of the fines I see in my position as chief privacy officer, most of the time, providers received technical assistance but did not implement the lessons and failed to update their policies and procedures to comply with the patient’s request. Honoring the patient complaint and getting the requested record—in the form it was requested—are critical and must be done quickly. The patient can file a second complaint if the provider drags their feet or ignores the original complaint. These duplicative complaints can cause hefty fines, sometimes in the hundreds of thousands of dollars.
Data Request. OCR may issue a data request if the issue appears to be a trend or is a severe violation of the policy. OCR will send a document outlining the patient’s complaint, when it occurred, and the specific data details and items related to the event, along with a request for the provider’s policies. Data requests issued in the past 24 months are more detailed because OCR is now asking for the provider’s financial information. In my opinion, OCR is using this additional request for information to evaluate the potential fine for the provider if they do not comply on time.
I recommend physicians contact the patient directly to better understand the complaint, which might help in avoiding significant civil monetary penalties. The provider should document the conversation to show due diligence in satisfying the patient’s issues.
If you receive technical assistance from OCR and either do not understand the complaint or feel you were right to not provide access, talk with your investigator. The investigator is there to assist you by providing education, answering questions, and helping you promptly resolve the patient complaint. Most importantly, the investigator will help prevent similar complaints from reoccurring.
Bottom line? When it comes to the release of information, rigorous compliance is critical.
Ms Delahoussaye is the chief privacy officer at Ciox Health. She is responsible for all aspects of the company’s privacy functions, planning and directing compliance functions and ensuring the organization is compliant with all federal and state regulations.