AHLA's Speaking of Health Law

Lessons Learned from OCR’s Right of Access Initiative Enforcement

April 12, 2022 AHLA Podcasts

Wes Morris, Senior Director of Consulting Services, Clearwater, speaks with Valerie Montague, Partner, Nixon Peabody LLP, about the latest trends involving enforcement of OCR’s Right of Access Initiative. They discuss why access to health care records remains such a challenging issue, notable recent cases of enforcement and how they align with historical trends, exceptions to the Right of Access, and best practices. Valerie recently authored an article for AHLA’s Health Law Weekly on this issue. From AHLA’s Health Information and Technology Practice Group. Sponsored by Clearwater.

To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.

Speaker 1:

Support for AHLA comes from Clearwater, the leading provider of enterprise cyber risk management and HIPAA compliance software and services for healthcare organizations, including health systems, physician groups, and health IT companies. Our solutions include our proprietary software-as-a-service-based platform, IRM Pro, which helps organizations manage cyber risk and HIPAA compliance across the enterprise, and advisory support from our deep team of information security experts. For more information, visit clearwatercompliance.com.

Speaker 2:

Hello, I'm your host, Wes Morris, senior director of consulting services for Clearwater. Joining me today is Valerie Montague, partner with Nixon Peabody. Valerie is a health law and data privacy attorney who represents a variety of healthcare providers, digital health companies, and vendors of those healthcare providers. She advises on compliance with the requirements of HIPAA and other state and federal health, uh, privacy requirements, including breach analysis and notifications and counsel during government investigations. She counsels organizations on compliance. Second uses of regulated health data. She also advises foreign and domestic organizations entering the healthcare space on the US data privacy requirements applicable to their business and how to structure operations in a compliant manner that also satisfies their business needs. Hello, Valerie. Welcome and glad to have you here with us today.

Speaker 3:

Thank you, Wes, for that introduction and, and thank you to AHLA for having me.

Speaker 2:

Well, it's a pleasure today. Uh, we want to talk about something that has been around for a bit of time now, but still seems to be an issue. And that's the subject of access to healthcare records. Um, we just, I saw two days ago, I believe prior to this, uh, recording, uh, the 27th total, uh, number of the 27th enforcement action, uh, over right of access. So obviously this continues to be, uh, a trend and a concern for, uh, the Office for Civil Rights in particular and for the industry as a whole. You know, it's interesting, uh, Valerie, that if we, if we look at the total number of enforcement actions that have been, um, conducted over the life of HIPAA, there really only comes out to a little over a hundred that involved, um, monetary, uh, costs. And yet here we have 27 of them just in the one area of the fun, fundamental right to access. Um, what do you think are the, the, the real trends that exist here when it comes to why this is such a big issue and continues to be a problem for the industry as a whole?

Speaker 3:

Yeah, well, I think you, you hit the nail on the head. I mean, I think OCR has been very active in this space and, you know, it's a, it's a really interesting stat that you provided over, you know, the, the, the full span of their enforcement action, but particularly over the last two, two and a half years, this has been a significant chunk of their enforcement actions. And, you know, I think it's, it's, it's twofold. I think one it's, it's viewed as a, you know, a fundamental right, as you mentioned, for patients to have access to their data and to be able to, um, you know, get copies, to be able to inspect it or both. Um, and also I think, you know, this is a, a very common complaint that OCR's seeing. They're seeing it as a, as a real problem in the industry from, you know, large providers to, you know, single clinician entities. And I, I think they're trying to take the opportunity to not only raise awareness, but to try to, to rectify this problem that has been, you know, a common complaint from patients for the last, you know, however many years.

Speaker 2:

Mm-hmm <affirmative>. Yeah. In fact, it's been consistently in the top five of issues investigated for most of the time that I can recall in, in the world of HIPAA and compliance. Um, in, in these two most recent cases that they, they weren't earth shattering or groundbreaking cases, but it seemed that they were consistent with some common problems. Um, uh, one of the cases, uh, involved a provider who never responded to the OCR, uh, with any sort of response, uh, to their inquiries. Um, do you see that as an ongoing problem for, uh, organizations that they just fail to respond?

Speaker 3:

You know, I, we, we do see that as a, as a big trend in these enforcement actions, and it's probably the most surprising one that, that jumps out to me because it's something that can be so easily rectified. Um, you know, I, I think we've seen both organizations not responding to the patient access requests and also organizations not responding to OCR's outreach and not taking advantage of, um, you know, the ability the technical assistance offered in some cases by OCR. And I think, you know, again, if you're able to address those issues, if you're able to implement procedures and processes to respond to these inquiries from patients to do so in a compliant manner. And I think also it's really important, and we've seen this in a, in a number of, um, a number of the enforcement actions under the initiative where if, if OCR does reach out, you know, you're being given sort of a second chance, you're being given an opportunity to, you know, reflect upon what happened to rectify it with the particular patient. Um, you know, if, if any of your policies are lacking or whatever guidance OCR is providing to you, you, you have a second chance at compliance and it is surprising, and it is, you know, a trend that we see across these enforcement actions that organizations are not jumping to take advantage of that.

Speaker 2:

Yeah. And, and it seems, as you said, such an easy thing to rectify: simply respond and, and, uh, try to understand what they're looking at and what you can do to solve the problem. Um, you know, I also found it interesting when I looked back at, uh, these 27 enforcement actions that the majority of them involved only one or two patients or individuals asking for access. That's rather, I, I find that rather unique. What's your take on that?

Speaker 3:

I agree. And, and I think it's also unique that in, in some cases, the, you know, the settlement related to only that issue, at least as far as was publicly disclosed. You know, oftentimes in some of the other enforcement actions, we'll see, you know, perhaps a breach or a complaint that triggered OCR to investigate. And then they found, you know, a whole host of, of non-compliant actions here. There are some that are really just, uh, appear to be limited to the, the improper provision of access or the denial of access improperly. And I, and I think that is really interesting, you know, maybe it speaks to the fact that some of these financial settlements aren't as high as some of the other ones we've seen, but I think it's important for those in the industry to note that it could just be this one issue with this one patient that could get you into trouble with OCR.

Speaker 2:

Yeah. Yeah. When I went back and did a little research on the subject, uh, in the past, uh, about a year ago, we were only up to about 16, uh, resolution agreements by that time. Uh, so now we're up to 27, but at that time, what I saw was the range of the costs were anywhere from about $3,500 for one, uh, provider all the way up to $200,000. And that involved that case, the 200,000 case involved two individuals, uh, two, two different cases, but sort of compiled together and averaging about $65,000 in penalties that were, uh, assessed as a part of the enforcement action. Um, if we look at these two most recent cases, they seem to be consistent with that trend.

Speaker 3:

Yeah. I, I think you're right. And I think, you know, the, the one thing that it's important to not overlook and, you know, even though one of the recent cases did not have, um, you know, a CAP attached to it, it did have, um, additional, uh, obligations beyond the, the date of the settlement. Mm-hmm <affirmative>. It's important to note that, you know, even if there's a low financial penalty, you know, even if the financial penalty is not extremely severe for the size and the, the scope of the organization, those, those CAPs and the requirements under those lasting for a year, two years, that, that takes a lot of personnel time, that takes a lot of legal spend, that takes a lot of effort on behalf of the organization to, you know, provide OCR with the policies and follow up and all the reporting requirements and all that. So it's, it's not, it shouldn't be viewed as just, you know, a $15, $15,000 settlement or anything like that. There's more of a cost when you do have these types of events. And that's why it's, it's really important to, you know, not only try to maintain compliance generally is, you know, an obvious point, but when you do have an issue that's brought to your attention by OCR, really jump on it and, and work to resolve it quickly. So you don't get to the, the point where you do have a, a financial settlement and the CAP.

Speaker 2:

Yeah. And I think that's a good point because if you, if you really look at the total cost to an organization to recover from, if you wanna use that term, uh, from, uh, this sort of an event, uh, it, the, the outlay far exceeds sometimes many times over the actual stated cost to the organization from OCR. Um, you know, I I've, I've seen it time and again, that that's happened. So I think you make a very good point there. You know, one of the things that I found interesting was is that we know that in the access, um, uh, standards that certain records can actually be not always, but generally exempted from the right of access. And that includes this unique category called psychotherapy notes. And in one of the cases, uh, that occurred the psychiatric practice that, um, did not, uh, respond to the patient's request, um, was claiming that these records were therapy notes and therefore were exempted from this requirement. I, I wonder if you, uh, have any perspective on just how narrow that psychotherapy note, uh, exception really is even in a psychiatric practice or a behavioral health environment.

Speaker 3:

Yeah, I think that's a great point. And I, I do think it is fairly narrow, you know, it's, it's the, the notes that are held outside of the traditional medical record that are of a mental health provider that are documenting these counseling sessions. So it is narrow. And I think, you know, it's, it's important to understand that you don't always have to provide access, right? You don't always have to allow the individuals to inspect their records. There are, you know, cases where you may deny whether it be partial denial or whether it be a, a full denial, but you need to analyze what is being requested. And if it is something that is subject to a partial denial, and that was, you know, what OCR pointed out in the particular example that you cite, you need to make sure you're providing the access that they are permitted to have. So the non-psychotherapy notes should have been provided to the patient. And, you know, perhaps it is a, a full scenario and another fact pattern. And I think in, in those types of circumstances, you, you, you know, if you've got a legal basis to deny the access, then what you wanna do is make sure you're documenting that correctly and make sure you're informing the patient. Right. Because I mean, if the patient doesn't understand, then they can go reach out to OCR and you can get yourself into the same scenario. So I think it's important to communicate when you do have the ability to, to issue either a partial or a full denial and make sure not only do you have your records in place, but that you've got the proper communication in place with the patient.

Speaker 2:

Right. Yeah. I mean, it would seem like that would be the best way to do it. Um, I, I think that, uh, one of the things that sometimes gets in the way is, um, a, a fundamental understanding of what records belong in what categories, as you've said, uh, you know, fairly, fairly, um, narrow exception there, uh, not all records in a behavioral health practice would fall under the psychotherapy exception, psychotherapy note exception. Uh, um, so what other circumstances, uh, are common where you would be able to deny access other than that psychotherapy note exception?

Speaker 3:

Um, well, another way would be if, if the records, and again, this might be a partial denial scenario, records are not held within a designated record set. Um, and that's kind of a term of art under HIPAA. So for a, a healthcare provider, the designated record set is probably a lot of the information they hold on a particular patient, the medical records, the billing records, um, you know, other records that are used to make decisions about an individual. Um, but it would not include, you know, quality improvement information, patient safety records, business planning, anything like that. Okay. Um, so there would be the opportunity if you held information in, in those buckets to, you know, deny access to those particular pieces of information, but you, you know, the only caveat there is you can't use that as a, as a way to circumvent the access requirement, right? You can't take a record and say, oh, well, we use this as, as part of our, um, quality improvement. And so now it's not DRS. Well, if it's, if it's in the patient's medical record, then you know, it is even if it is, even if you do have a copy elsewhere.

Speaker 2:

Yeah. And, and in fact, that whole issue of the designated record set comes back into play for us in a more recent set of regulations and requirements in the 21st Century Cures Act and the information blocking rule. They refer back to the designated record set when describing EHI, electronic health information, that falls within the, uh, the information blocking rule. And, um, I've spent a good part of the last year, uh, working with a task force on one of the issues is just how do you define that designated record set? Uh, and it seems that that, that, uh, many organizations struggle with it. I know that for example, the American Health Information Management Association, uh, publishes, uh, guidance that, uh, people understand as the legal health record, but the designated record set is actually larger than the legal health record. And I wonder if that can sometimes cause, uh, an organization to, to limit what they're releasing, because they believe that they're meeting a requirement of the designated record set rather than the fuller or the, uh, yeah. When in fact all they're releasing is the legal health record that AHIMA has defined over the years. Um, any thoughts around that before we move on into the next area here?

Speaker 3:

Yeah. You know, I, I think that is quite a possibility and I, I think that, you know, that kind of hammers home the fact that you really want to have your arms around the provision of access, you know, particularly as we're moving into the world of information blocking enforcement, um, and, and those that are involved in the process really need to have an understanding of, you know, not only legal requirements are, but what the organization's policies are. You know, if you have a question as to, you know, whether a particular piece of information is something that's subject to access or not, who do you go to in your organization, you know, who makes the final determination of what's in, what's out to, and making sure that individual is up to speed on, you know, all the, the regulations that exist now, as well as all those that are, you know, we're looking forward to in the future.

Speaker 2:

Yeah. And, and I think you highlight something there that is a, um, a, a common problem for us. And that is small healthcare providers who may not have a formal, you know, I a C official who has written a bunch of policies and really implemented these things, uh, you know, in, in a practice with a single provider or two or three providers that may not be within their resources to have that kind of level of attention to the subject. But at the end of the day, this, as we said at the beginning, this is a fundamental patient right. And so we've still gotta meet 'em where they are and do the right things. You know, one of the places that I have often seen, um, a misunderstanding that could probably be solved by having someone who actually understands, uh, the intricacies of these rules, the difference between an authorized disclosure and an access to a third party or a third party directive. Could you speak a bit about, uh, what that distinction is and how, uh, our listeners should be thinking about it?

Speaker 3:

Yes, absolutely. And I, and I agree with you that it is, uh, you know, a key point of, of misunderstanding at, at this stage in the game. Um, I, I do think there's more clarity now than there was, um, a few years back, but, um, the, the third party directive is something that OCR considers to be, um, within the scope of an access request. And it might not be, you know, from the face of the request, something that a healthcare provider or a health plan sees, you know, in the instant as something that's covered under access. So I think that's why there's confusion in, and it, it occurs when, you know, a patient or, um, a beneficiary asks the covered entity to direct their electronic protected health information to a third party. It occurs a lot in, you see it a lot in litigation settings where they're saying, you know, you need to send my electronic health record to my attorney, you know, I'll fill out your form, you know, please do so. And, um, you know, if, if the organization is maintaining the protected health information electronically, and if, uh, an electronic copy is requested by the patient, um, that information must be provided electronically as long as it's readily producible in that format. And this was something that was clarified a couple years back, in the Ciox Health decision. Um, so if an individual is directing a copy of their ePHI to be sent to a third party, that does fall within the access requirement.

Speaker 2:

Right. And so where organizations will sometimes struggle with this is that they've only thought of, well, we, you have this authorization to disclose form. So everything goes there. Whereas an access request can come in in many different varieties, right. It doesn't have to be on an authorization form. Yeah. Um, when we, uh, when we look at cases where there have been, uh, a failure to respond, um, by, by a covered entity, um, are these typically single cases where they failed to respond to the individual or in the case of an investigation failed to respond to the investigation? Or, or do we see organizations typically do this multiple times?

Speaker 3:

Yeah. I mean, I think that's a really interesting point and something that's really interesting that came out of the enforcement actions, including, um, one of the, the recent ones that, that just came out this week. Um, you know, we, we see a couple different enforcement actions where patients have made requests for their records repeatedly. I think the most recent one, the patient made a request annually for a number of years and the organization failed to respond each year. Um, and I, oh, goodness, we're also seeing enforcement actions where, you know, the patient issued more than one complaint to OCR. So the, you know, OCR received multiple complaints from the same patient requesting the same records. So, you know, I, I think it's important. It, it's sort of a patient relations issue too, in addition to a compliance issue that, you know, you really need to be understanding what's being asked for. And, you know, if, if there's some sort of communications issue between, you know, the personnel on, on the healthcare provider side and, and the patient as to whether it is an access request, whether there's a denial in place. I mean, there seems to be, you know, something missing in, in these circumstances where it's, it's not only a repeated request for access, but it's also in some cases repeated complaints to OCR.

Speaker 2:

<affirmative> absolutely, you know, another area that, uh, I think deserves some attention is, um, when we're dealing with cases of personal representatives, you know, there are a variety of circumstances there. Would you elaborate a bit on some of the circumstances where, uh, our listeners would want to be cognizant of, of what to do in the case of a personal representative?

Speaker 3:

Sure. In my view, this is the most challenging aspect of dealing with access requests because there's, um, you know, complex issues surrounding personal representatives, there's variety of state laws at play. Uh, so you, you need to consider with respect, a lot of times it involves minors. So you need to understand whether all or some of the records requested were, um, relate to services that the minor has the ability to consent for themselves that may not, the personal representative may not have access, this, uh, requirement for. Um, you may have various custodial relationships where you're trying to determine if the requester is in fact a personal representative for the particular patient. Um, and then the status of an individual as a, as a guardian, whether it's for a minor or, um, you know, an incapacitated individual. Um, you wanna make sure that you're balancing getting it right, you know, whether the person has the right to access, with complying with the, you know, 30, with the 30 day potential extension timing requirement. And then, you know, as, as we move into the world of information blocking, you know, providing this access as quickly as possible, um, you know, with the, the verification of the identity of, of the individual who's making the request. So it's, it's, it's a difficult scenario. And I, you know, I do feel for the providers when they are faced with some of those challenging scenarios, but I think it's important to, to get ahead of that and to, to, you know, lay out policies for, you know, difficult custody situations and what documentation you're gonna request. And to, to clarify, when you have a, a minor who's able to consent to services, to flag, you know, what is, and is not accessible to their, um, parent or guardian.

Speaker 2:

Yeah. And in fact, when you, when you, um, hit on that point about laying out the policies, you know, very often we write policies with sort of our own view in mind of, well, this is what the policy will cover, but what I'm hearing you say is, is, is that we need to consider those outlier kinds of situations. And I don't really know that, you know, a minor patient will be an outlier, but it's a little different than the norm. So it can, it can leave someone not knowing how to, how to act or, or move in a particular case. Uh, and that's where having someone who can advise you, uh, in that, whether that person is a privacy officer in, in house, or in-house counsel or external counsel, whatever the case might be, who can advise you on how to solve that situation. But that sort of takes us right into the next area here, which is when we think about best practices. And we think about what to do, um, to, to build our policies correctly, and to ensure that we have good compliant policies. What are some of the best practices you would think about from a policy perspective?

Speaker 3:

Yeah, I mean, I, I sort of look at the policies as, as you probably do as well, as the compliance baseline, right? I mean, we're seeing even in the, one of the most recent enforcement actions that, you know, as they investigated, OCR found that not only was there a provision of access issue, but there was a non-compliant access policy. So I, I think that, you know, you wanna make sure that your policies obviously track any applicable, uh, laws and regulations, HIPAA, and, and state law, and anything else that applies, you know, if you've got mental health, you got Part 2 and et cetera, et cetera, but you also wanna make sure that they are specific to your organization. So, you know, building off of the conversation we just had on minors, you know, children's hospital is going to have very different policies and procedures than, you know, a dental practice, uh, because they're dealing with different issues and, and the focus, um, on these access requirements will, will vary a little bit. Um, and I think another thing that we, we didn't talk about that has popped up in these enforcement actions as well is regarding fees. And I think it's important, mm-hmm <affirmative>, that your policy and this is so, and unfortunately you're probably gonna have to look at, um, annually, if not more frequently, um, given all the different, uh, changes to the state laws and the, the cost cost updates. But, um, you wanna make sure that the fees that you're charging are accurate with what's, um, permissible under HIPAA and under state law, and for organizations, again, that span multiple states, we just wanna make sure that you're, that you're tracking that and that the individual who is the one reaching out to the patient to respond and charge has a document or a process that they can follow to understand what that is.

Speaker 2:

Yeah, yeah. That that's, that is so absolutely the case. Uh, I, I remember a particular case for me, where I requested 10 pages of records from a provider back in the, uh, early two thousands. And they charged me $35 for the first page and $5 for every subsequent page. Oh my. And that was, I just found that to be outright. And that was just as I was getting into the world of working in HIPAA. And, uh, so I went back to the provider and made some noise and they changed it. But, you know, we shouldn't have to make noise to solve that kind of a, of a challenge. So I think that access, uh, and the, and the fees surrounding access are really a subject of, of, um, much concern and, and need to be continually addressed, as you said, probably reviewed annually. And I know that if we do see the, uh, notice of proposed rulemaking that was published, um, uh, last year, uh, become, uh, the new requirements that, that will also further lock down those fees in several different categories. Um, when, when we think about, uh, policies, you know, often as you said, you gotta make 'em specific to your organization and to the type of practice and that sort of thing. Um, we often think of policies as being sort of directive, but they really should drive our, our process. Right. Um, and when we think about, um, process for provision of access, what are some of the elements in policy that you would say have absolutely got to be there to, to say that you're doing it right?

Speaker 3:

I mean, I think the big one is identifying the roles of who is involved, you know, who should these access requests be directed to when they are received within the organization in any manner in which they come in, mm-hmm <affirmative>, um, you know, who processes them? If there's a question, does it go to the privacy officer? Does it go to a designee? You know, who, who is, what's the chain of command for addressing any issues that are involved? And then, you know, if there's a denial or a partial denial, who, who's the one who makes that ultimate determination, I think that's really important. Um, you know, I also think given what we're seeing and what we talked earlier about, you know, multiple requests for access or multiple complaints to OCR, if an organization, because those individuals may have complained first to the organization. So if, if the organization receives a complaint regarding access, who, who's addressing that, who is interfacing with the patient to handle that type of issue, you wanna make sure that not only is this process, you know, something that your team is aware of, but that it's, it's documented. So when you do kind of walk through an access request, let's say a denial or a partial denial scenario, you, you document who is involved in the decision making, you know, how is the patient notified? What was the outreach, so that you've got, you know, a consistent process in place that not only can your team rely on, but that's something where if, if something, you know, you can, you can handle things in an expedient manner when they come in, whether it's a request or whether it's a complaint.

Speaker 2:

Right, right. You know, that, that sort of leads to something that I have long had an interest in. And that is what do we do in training? You know, oftentimes we, you've seen it, I'm sure, as well where the, uh, the training program that staff members given is this is HIPAA, public law number, blah, blah, blah, and the Kennedy-Kassebaum Act. And, and that sort of thing. And I, I hold the position, I know you do too, that training should not be a broad overview of HIPAA. It should be to instruct the workforce on how to do their job. What are some of the elements of training that you think are critical to, uh, to ensure that, that the workforce is getting?

Speaker 3:

Yeah, I, I, as you said, I am in agreement with you there. I, I think that, you know, in addition to what I'll call, you know, the module level training, you wanna make sure that there's a, a really a clear understanding of the organization's role and the role of, you know, the individual, um, you know, whatever their position is in the organization, in the provision of access process, in dealing with any back and forth with patients throughout that process. Mm-hmm <affirmative>. Um, really like understanding what their job is in this context and understanding beyond their job, who they can look to within the organization for assistance and, and you know, what resources do they have. That's great that you sent them a, a copy of your, your HIPAA policies. But if someone reaches out, if, if one of their clinicians reaches out and says, I was talking to a patient and they have this question, where's our form, that, you know, where the form is, or if a, you know, access request comes in in a different manner that you're able to reach out to the patient and, and provide them with whatever documentation you need to secure on their end. So I think it's, it's really understanding what they need to do to do their job in a compliant manner.

Speaker 2:

Yeah. Yeah. I, I, I appreciate the way that you, um, that you said that, that in addition to a module, so the idea here is, is that a bigger, broader perspective is fine, but then you've really got to get it down to the role and the responsibilities to help people to understand what their part in all of this is. Uh, I think you've said something in the past about, you're only as compliant as your weakest link <laugh>. And so if you're not educating your workforce to their responsibilities and their roles that may be creating a weak link. What about if you have, uh, an external organization that is involved in providing access or copies or those sorts of things, what are the concerns there that, that need to be considered?

Speaker 3:

Yeah, that's a great question, 'cause we're seeing a lot more of that these days. I mean, I think the, the fundamental starting point there is, you know, conducting your diligence and understanding if they are, you know, compliant and if they have a, an understanding of the requirements that are applicable to these access requests. Um, and I think another important part is making sure that they've got a clear avenue to whomever it is within your organization that they can reach to if there's questions, whether that's the privacy officer or someone else. Um, so that any issues that they have on their end can be handled in an efficient manner. And to allow you to, to get on top of any potential issues or, you know, any potential violations so that you can jump in and, and help rectify the situation as soon as possible, both with the patient and, if it rises to that level, with OCR. So I, I think that you wanna make sure that, you know, if it's a, a newer organization that, that you're working with, that they understand what your policies are. Perhaps the organization has implemented policies that are more strict than HIPAA, or if they're coming into a new state that they're aware of, of the state law requirements. So really, I, I think fundamentally you wanna start with understanding the, the compliance of the vendor and then also making sure that they have access to your team and they know, contractually required or otherwise, when and how to raise issues and, and who to raise them with.

Speaker 2:

So in other words, you can't just sign a BAA and throw it over the fence.

Speaker 3:

<laugh> That would not be my recommendation.

Speaker 2:

<laugh> Okay. So there was a point that you made there, if something rises to the level of OCR. And so let's, let's sort of wrap up today, if you wouldn't mind, with talking about what do you do when OCR has gotten involved?

Speaker 3:

Yeah. I mean, I, I think I would take one step back and say, if you know of an issue before OCR gets involved, take that opportunity to not only resolve the issue, both with the patient, uh, but also within your organization and, and, and take stock of your compliance. And if, if there is sort of a weak link within your organization, take that opportunity to, to correct it. I think the, the big, um, you know, trend that jumps out at me from the enforcement actions with respect to, you know, OCR's, um, you know, provision of technical assistance is you, you need to cooperate. If you, if you receive that outreach, you need to respond and you need to, to take advantage of, of what they're offering. So I, I think that, you know, if you are provided technical assistance, take the opportunity to do so. If you have the ability to explain what happened, you know, tell your story to OCR. There's probably facts that they did not hear in, in the patient complaint that, that you can tell them as, as to what happened in the specifics of what happened and make sure that, you know, if you've got documentation of what happened, that you're that with OCR. Usually what, what I would recommend is you've got that initial outreach and they're asking for information, that's your chance to tell your story, to really sell not only the, the compliant manner you dealt with the particular incident, but also your compliance program generally. So you wanna sort of end the OCR involvement right there at the start, to the extent you can.

Speaker 2:

I love that "tell the story" element, uh, because I think that's what sometimes gets lost when people are responding to, uh, OCR, uh, and to an investigation is they think, oh, we've got to give them all these documents that they're demanding, but they don't get down the path of, of, in their, in their, uh, correspondence, in their dialogue, telling that story. That can be very helpful to an investigator, uh, who's looking at this case to understand context, right? Um, then maybe the policy isn't perfectly clear, but how you responded in this case would lend some real clarity for them. So I think that's a fantastic point, uh, getting ahead of the issue. Couldn't think of anything that I would say that would be more important. Taking advantage of the technical offerings, all those sorts of things. I think those are all fantastic best practices. Are there any others that you would, uh, want to end on in this conversation that you would think would be of value to, uh, our listeners today?

Speaker 3:

Yeah. I mean, playing off of the, you know, you're only as secure as your weakest link. I mean, I, I think when you have scenarios like this, you know, you're only as compliant as your documentation shows. Um, so I think that's a really important element is that, you know, you need to be recording what happened in these access requests, particularly when you spot an issue or you have the potential for there to be an issue, and make sure that you're tracking in real time, who did what, what happened, what was explained to the patient, what the back and forth was, you know, what forms were filled out, what came in from the patient, what went out to the patient so that, you know, if, if in a month or longer time down the road, you've got that and you can show here's exactly what happened in this scenario with this particular patient. Here's what we did. Here's what, you know, came in, here's the response. Um, and so you're not trying to recreate it if, if a question comes in from OCR.

Speaker 2:

Fantastic. And any final thoughts that you would like to give to wrap up this whole subject?

Speaker 3:

I mean, I, I, my only final thought is that I don't think this is going away. Um, as we're seeing, you know, these enforcement actions that gave us something new to talk about today that just came out. So I, I think that organizations, you know, particularly with the, the looming, um, information blocking enforcement really, really need to get, um, a handle on their compliance programs and, and make sure their, their house is in, in good order. Um, you know, as, as we move forward.

Speaker 2:

And if the rules change under this, uh, notice of proposed rulemaking, that those things are integrated as quickly as possible into the process. Right?

Speaker 3:

Absolutely.

Speaker 2:

Yeah. So we'll see what happens with that one. Well, Valerie, thank you very much. It was a great pleasure to speak with you this morning to get your insights and your thoughts on this. And, uh, so we'll wrap up by, uh, saying thank you to our listeners today on behalf of myself, uh, Valerie and our organizations. We thank you. Have a great day.

Speaker 1:

Thank you for listening. If you enjoy this episode, be sure to subscribe to AHLA's Speaking of Health Law, wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.