AHIMA unveils standardized request for information form for HIPAA compliance
The American Health Information Management Association has released a model Patient Request for Health Information form, which can be used as a modifiable template and given to patients when they request access to their EHR data.
The form is meant to help the process for providers, and ensure they're compliant with the right of access rules outlined by the HHS Office for Civil Rights under HIPAA. It also dovetails with a recent report from the Office of the National Coordinator for Health IT that called for a more transparent patient records request process to reduce the burden on consumers, according to AHIMA.
Several healthcare organizations and patient advocates had told the group that consumers are often confused by the inconsistency of patient access forms given to them by their healthcare providers.
[Also: Is HIPAA outdated? AHIMA questions whether law is keeping pace with change]
"Many patients may not understand their rights to access their personal health information including that they can request to receive information in a format of their choosing, such as on a jump drive or through email," said AHIMA interim CEO Pamela Lane in a statement.
"There also remains some confusion by healthcare professionals regarding their responsibility to provide patients with easy access to their records," she added. "Written in easy-to-understand language for all patients, this model form, and explanation of use provides healthcare providers with a customizable tool that both ensures their compliance and captures patient request information in a clear, simple format."
Recent OCR guidance addressed patients' rights to inspect and/or obtain a copy of their health records and to have a copy of their records sent or directed to an individual of their choosing. The new AHIMA model form – does not replace a third-party authorization form or address specific state laws – will help streamline the patient request process to help providers meet the 30-day timeframe for patient access required under HIPAA.
The form could be useful for large hospitals and individual physician practices alike, "providing needed clarity on their obligations," said Lane. "Our hope is that it will help connect patients with their health information and make them more empowered healthcare consumers."
AHIMA recommends providers take some steps to ensure optimal use of the model form. They can edit the form based on system capabilities as well as operational needs – logos, barcodes and addresses can also be added at the organization’s discretion – but organizations should also brush up on OCR guidance 45 CFR 164.524(c)(3) to ensure compliance.
The group notes that organizations aren't precluded from developing their own internal policies that comply with the OCR guidance as long as they do not create barriers to patient access: If a patient requests that health information be transmitted through unsecured email, for example the provider should comply. OCR rules and state laws should be also consulted when developing a fee structure for patient data, according to AHIMA.
Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com