Health Information Management

Best practices to ensure appropriate patient access to their medical records and PHI

HIM-HIPAA Insider, July 19, 2011

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Lou Ann Wiedemann, MS, RHIA, FAHIMA, CPEHR, director of professional practice resources at AHIMA in Chicago, recommends the following three steps to ensure that patients have access to their PHI: 

  • Review your policies and procedures. Update your policies and procedures so they apply to EHRs, Wiedemann says. For example, if you have a policy that prohibits the use of external electronic devices on your organization’s computer systems, you may need to update that policy if your organization is applying for meaningful use incentives.
  • Know who is releasing your PHI. “The HIPAA Privacy and Security Rule grants patients access rights and amendment rights. It does not release organizations from due diligence regarding the appropriateness of the request,” Wiedemann says. Think about these types of questions: Is it an appropriate consent? Did you meet the minimum necessary requirement? Are you providing the records patients ask for in the required time frame? Educate the staff member who manages patient access requests about these issues. He or she will be making important decisions regarding access to PHI, says Wiedemann. However, don’t limit training to this individual alone—educate all staff members who may need to know this information.
  • Keep a handle on the flow of information. Determine all the places in your organization from which patients can access their information. Are patients going to your radiology department to get their films? Do they go directly to the laboratory or the sleep lab for test results? Per the accounting of disclosures rule, you need to know this, Wiedemann says.
Editor’s note: These tips originally appeared in the July issue of Briefings on HIPAA.

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Most Popular