The first patient access settlement has been announced by OCR. Severino mentioned they would be putting an emphasis on this issue and we now have the first enforcement come through. What should you learn from this settlement?
It makes sense to explain the timeline of what happened. Once you hear this you will definitely understand why the enforcement in this case happened and $85K was required to cover a single patient case. It all goes back to a request for medical records filed in Oct 2017.
- A patient requested records on Oct 18, 2017, for a recent fetal heart monitor performed by Bayfront Health – St. Petersburg. Bayfront responded by saying they did not have those records.
- The patient retained counsel and they again requested the records on Jan 2, 2018, with no response.
- The attorney requested the records a third time on Feb 12, 2018.
- In March 2018 Bayfront sent them an incomplete set of records. (Yeah, the ones that didn’t exist.)
- Finally, the patient filed a complaint with OCR on August 14, 2018.
Bayfront supplied the complete set of records to the patient’s counsel on August 23, 2018. Let’s be clear they did not send them directly to the patient but to the lawyer who got the information to the patient. However, the request was to send them to the patient and the law says they should send them only to the patient, not the attorney which was how this one was apparently requested. They still did not supply them to the patient, though.
On February 7, 2019, Bayfront provided the fetal heart monitor records directly to the patient. The records sent to anyone only happened after OCR got involved in August. It was amazing that just over a week after OCR got the complaint there was miraculously a complete set sent out that did not exist before. I assume they were legit records or we would be hearing about another issue for fabricating records which we don’t want to go down that path at all.
That is 477 days to fulfill a patient request for their medical records. Seriously! I would guess the hospital would argue they met their obligation by sending the records to the attorney which occurred in 309 days. Is that really better, though, is it? A patient record request should be fulfilled in 30 days. If there is a problem you might get one additional 30-day extension but that is it not hundreds of days to provide what a patient has a right to receive. One has to wonder if the problem is mismanagement of records or is it mismanagement of patients that allowed this to happen for one patient over and over again. There is a very small chance this was the only patient but who wants to put some money on that wager?
A patient should be able to get the information from their records just like we have talked about several times this year. It is about patient care and patient engagement not about patients trying to make our jobs harder yet this is what many patients see is an institution that won’t help them. I know that everyone has a bad day or even a bad year but most all of us in the healthcare world should remember daily that our job is to make sure patients can be properly treated no matter what their problem may be or where they connect with us in the supply chain.
It appears that Bayfront is one of those hospitals tied up in the old Health Management Associates from Naples that got in big trouble for billing fraud paying around $500 million to settle lawsuits both civil and the Dept of Justice. Community Health Systems, Inc. bought them and then found out about all the problems there afterward. Assuming that is the case they look an $85,000 settlement as lunch money. Nonetheless, there is a one year CAP with the deal and they are being pointed out as an example of what NOT to do when patients request their records.
Here is the first element of the CAP which is pretty interesting the way it is worded.
It doesn’t just reference the patient right of access requirements but the entire Privacy Rule along with the General Provisions section. There is the normal requirements to have it back for approval by OCR within 60 days and the back and forth until final approval followed by OCR. Then there is a 30-day time limit to distribute and implement them with the staff.
Interesting enough they also specifically define the minimum requirements of the patient right of access policies which include the following requirements:
The Policies and Procedures shall include, but not be limited to:
1. Review and update as necessary Bayfront’s Designated Record Set Policy contained within its Right of Access to PHI policy to ensure comprehensive responses to requests for records.
This may mean that the records for the requested fetal heart monitor was not clearly part of the designated record set in their policies and procedures. It could also mean they didn’t have any definition of the record set at all.
2. Protocols for training all Bayfront’s workforce members and business associates that are involved in receiving or fulfilling access requests as necessary and appropriate to ensure compliance with the policies and procedures provided for in section V(A) above.
3. Application of appropriate sanctions against Bayfront workforce members who fail to comply with the policies and procedures provided for in subparagraph (1) above.
We often point out that everyone should be certain that they review their sanction policy and make sure it is being followed properly and equally across all of their workforce. So many sanction policies simply say that the people in charge will evaluate each case and apply sanctions which often results in a lack of sanctions being applied for any violations. We recommend having a policy that includes some very specific repercussions for specific behaviors along with the ability to mitigate the damage with other considerations.
4. A process for reviewing business associate performance with regard to access requests and responses and terminating relationships with business associates who fail to permit Bayfront to comply with the policies and procedures provided for in subparagraph (1) above.
5. Designation of one or more individuals who are responsible for ensuring that Bayfront’s business associate agreement with any business associates involved in Bayfront’s access responsibilities under the Privacy Rule are properly executed.
Those last two are very interesting requirements of the CAP that have to do with Business Associate management which makes me think that they were possibly using a BA for release of information responses. The following requirement also says:
Within 30 days of the Effective Date and for one year following the Effective Date, Bayfront shall provide HHS with the following: (a) the names of all Bayfront’s business associates that receive, approve, deny, bill for, and/or fulfill access requests for access to copies or inspection of an individual’s PHI, and (b) copies of the business associate agreements that Bayfront maintains with such business associates.
It does seem pretty clear that a BA was involved in this clear failure to provide a patient with the information they asked for and should have received with no questions asked other than how do you want it and where do I send it. There are questions about having proper BAAs in the place or the issue wouldn’t be in the CAP like it is multiple times.
Here is the big point that most folks don’t realize today and won’t get if they are only reading the headlines and the basic case because it is only mentioned in the CAP section. They are supposed to make sure that someone is reviewing the performance of BAs who are processing patient access requests including having a process for terminating the BA relationship if they “fail to permit Bayfront to comply” with their own policies and procedures. That means your BAs need to understand what YOUR policies and procedures say must be done when a patient requests access to their own medical records.
That section is also followed by a training section and a section about reporting requirements under the CAP which we usually expect to see pretty standard language in them but this one had something different. The training requirements included making sure the BAs were trained properly:
The hospital may have been outsourcing the blame to the BA but the BA seems to have said it bounces off them and sticks to the hospital-based on reading between the lines in this settlement. We may see something else come through about the BA who they used to fill these requests or maybe not if the BA is one where the hospital or management company owned them too which happens all of the time. We will probably hear more details at some point to clarify how this whole thing involved a BA and then we will share more with you.
This is likely just the first one of these type settlements that will come out of OCR in the next 18 months because of the stated enforcement initiative they have been doing since earlier this year. I am certain there are many of these cases with these types of stories to give them plenty of enforcement options to choose from and more added on a regular basis.