HospitalInspections.org

Based on a review of facility policy and procedures, state and federal codes, a logbook, medical record request form, and staff interviews, it was determined that the facility failed to comply with state and federal laws related to granting immediate access upon reasonable request to review medical records. Specifically, the facility failed to:

1. Fulfill a medical records request made by the Department of Community on 11/27/24 for the purpose of a Center for Medicare and Medicaid Services authorized complaint investigation.
2. To provide a written explanation of why the request could not be fulfilled within 24 hours.
3. To record the request in the medical records request log.
This non-compliance resulted the initiation of an on-site investigation and delayed the survey process.


Findings include:


A review of the facility's policy titled "Privacy and Confidentiality of Patient Information," #A-019, last revised 10/28/08, revealed that the policy's purpose was to assure health information privacy and confidentiality for all patients receiving services at the facility while permitting appropriate information disclosure to accomplish patient care and other organizational objectives.

E. PERMITTED USES AND DISCLOSURE OF PHI WITHOUT PATIENT AUTHORIZATION
4. Mandatory Reports. PHI may be released without a patient's written authorization, where reporting is required by state or federal law after consultation with the facility's privacy officer or legal services department. The facility may also release PHI to a health oversight agency for activities authorized under law after consultation with the facility Privacy Officer or Legal Services Department.
9. Requests Made in Connection with Public Health. Northside may use or disclose PHI (ii) to a public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect. Such requests must be referred to the HIM Department for release, which will notify or consult with the Risk Management Department or Legal Services Department as necessary prior to releasing PHI.
15. Other Requests for Disclosure. This Policy addresses the most common situations in which disclosure of PHI is requested. Disclosure of PHI may be permitted upon approval by the facility's Legal Services Department, Compliance Department, or Risk Management Department in other less common circumstances (i.e., national security). Any request for disclosure not specifically identified above should be referred to the facility's Legal Services Department or Risk Management Department for evaluation under applicable state and federal laws.

H. PATIENT RIGHTS UNDER HIPAA
Patients may exercise their HIPAA rights regarding their PHI through the following procedures and using the attached Privacy and Confidentiality of Patient Information Forms.
d. Third Party Requests to Receive Patient Records. If any third party (someone other than the patient) would be the recipient of the medical records, the patient must complete the facility-approved Authorization form prior to the release of the patient's medical records to a third party. The Northside HIM Department (or an approved facility medical record processing vendor) will review the request, verify the patient's identity, consult as needed with the facility Risk Management Department or Legal Services Department, and respond promptly to the requestor within thirty (30) days. If an extension is necessary, the requesting individual must be notified in writing and provided with the reason for the delay and the anticipated date of response.
In the event Northside chooses to deny an individual access to his/her record, it must review that determination with the Legal Services Department or Chief Compliance Officer. If Northside elects to deny a request, written notice must be provided to the requestor in plain language of this decision and inform the requestor of their right to have the decision reviewed and how to request such a review. The requestor must also be informed about their right to complain to Northside or HHS. All requests for such a review should be referred to the Legal Services Department or Chief Compliance Officer for evaluation.


A review of federal regulation Title 42: Public Health "PART 1001-PROGRAM INTEGRITY-MEDICARE AND STATE HEALTH CARE PROGRAMS," last revised 1/12/17, revealed that:

Subpart C-Permissive Exclusions
§1001.1301 Failure to grant immediate access.
(a) Circumstance for exclusion. (1) The OIG may exclude any individual or entity that fails to grant immediate access upon reasonable request to-

(i) The Secretary, a State survey agency, or other authorized entity for the purpose of determining, in accordance with section 1864(a) of the Act, whether-
(A) An institution is a hospital or skilled nursing facility;

(ii) The Secretary, a State survey agency or other authorized entity to perform the reviews and surveys required under State plans in accordance with sections 1902(a)(26) (relating to inpatient mental hospital services), 1902(a)(31) (relating to intermediate care facilities for individuals with intellectual disabilities), 1919(g) (relating to nursing facilities), 1929(i) (relating to providers of home and community care and community care settings), 1902(a)(33) and 1903(g) of the Act;

(iii) The OIG for reviewing records, documents, and other material or data in any medium (including electronically stored information and any tangible thing) necessary to the OIG's statutory functions; or
(iv) A State Medicaid fraud control unit for the purpose of conducting its activities.
(2) For purposes of paragraphs (a)(1)(i) and (a)(1)(ii) of this section, the term-

Failure to grant immediate access means the failure to grant access at the time of a reasonable request or to provide a compelling reason why access may not be granted.

Reasonable request means a written request made by a properly identified agent of the Secretary, of a State survey agency or of another authorized entity, during hours that the facility, agency or institution is open for business.

The request will include a statement of the authority for the request, the rights of the entity in responding to the request, the definition of reasonable request and immediate access, and the penalties for failure to comply, including when the exclusion will take effect.

(3) For purposes of paragraphs (a)(1)(iii) and (a)(1)(iv) of this section, the term-
Failure to grant immediate access means-

(i) The failure to produce or make available for inspection and copying the requested material upon reasonable request or to provide a compelling reason why they cannot be produced, within 24 hours of such request, except when the OIG or State Medicaid Fraud Control Unit (MFCU) reasonably believes that the requested material is about to be altered or destroyed, or

(ii) When the OIG or MFCU has reason to believe that the requested material is about to be altered or destroyed, the failure to provide access to the requested material at the time the request is made.
Reasonable request means a written request, signed by a designated representative of the OIG or MFCU and made by a properly identified agent of the OIG or an MFCU during reasonable business hours, where there is information to suggest that the person has violated statutory or regulatory requirements under Titles V, XI, XVIII, XIX, or XX of the Act. The request will include a statement of the authority for the request, the person's rights in responding to the request, the definition of "reasonable request" and "failure to grant immediate access" under part 1001, and the effective date, length, and scope and effect of the exclusion that would be imposed for failure to comply with the request, and the earliest date that a request for reinstatement would be considered.

(4) Nothing in this section shall in any way limit access otherwise authorized under State or Federal law.

(b) Length of exclusion.
(1) An exclusion of an individual under this section may be for a period equal to the sum of:
(i) The length of the period during which the immediate access was not granted, and
(ii) An additional period of up to 90 days.

(2) The exclusion of an entity may be for a longer period than the period in which immediate access was not granted based on consideration of the following factors-
(i) The impact of the failure to grant the requested immediate access to Medicare or any of the State health care programs, beneficiaries, or the public;
(ii) The circumstances under which such access was refused;
(iii) The impact of the exclusion on Medicare, Medicaid, or any of the other Federal health care programs, beneficiaries, or the public; and
(iv) Whether the entity has a documented history of criminal, civil, or administrative wrongdoing (The lack of any prior record is to be considered neutral).

(3) For purposes of paragraphs (b)(1) and (b)(2) of this section, the length of the period in which immediate access was not granted will be measured from the time the request is made or from the time by which access was required to be granted, whichever is later.
(c) The exclusion will be effective as of the date immediate access was not granted.

[57 FR 3330, Jan. 29, 1992, as amended at 58 FR 40753, July 30, 1993; 63 FR 46689, Sept. 2, 1998; 64 FR 39427, July 22, 1999; 82 FR 4115, Jan. 12, 2017]

A review of "Official Code of Georgia TITLE 31 Health (Ch's. 1 - 54) CHAPTER 2 Department of Community Health (55 31-2-1 - 31-2-20)" last amended 2021, revealed that:

31-2-8. Actions against certain applicants or licensees.
(a) This Code section shall be applicable to any agency, center, facility, institution, community living arrangement, drug abuse treatment, and education program, or entity subject to regulation by the department under Chapters 7, 13, 22, 23, and 44 of this title; Chapter 5 of Title 26; paragraph (8) of subsection (d) of Code Section 31-2-4; and Article 7 of Chapter 6 of Title 49. For purposes of this Code section, the term "license" shall be used to refer to any license, permit, registration, or commission issued by the department pursuant to the provisions of the law cited in this subsection.

(b) The department shall have the authority to take any of the actions enumerated in subsection (c) of this Code section upon a finding that the applicant or licensee has:
1. Failed or refused to provide the department with access to the premises subject to regulation or information pertinent to the initial or continued licensing of the agency, facility, institution, or entity;
2. Failed to comply with the licensing requirements of this state; or
3. Failed to comply with any provision of this Code section.

(c) When the department finds that any applicant or licensee has violated any provision of subsection

(b) of this Code section or laws, rules, regulations, or formal orders related to the initial or continued licensing of the agency, facility, institution, or entity, the department, subject to notice and opportunity for hearing, may take any of the following actions:
1. Refuse to grant a license; provided, however, that the department may refuse to grant a license without holding a hearing prior to taking such action;
2. Administer a public reprimand;
3. Suspend any license for a definite period or for an indefinite period in connection with any condition
which may be attached to the restoration of said license;

(5) Revoke any license;
1. Except as otherwise provided in subparagraph (B) of this paragraph, impose a fine of up to $2,000.00 per day for each violation of a law, rule, regulation, or formal order related to the initial or ongoing licensing of any agency, facility, institution, or entity, up to a total of $40,000.00;
2. Impose a mandatory fine of no less than $5,000.00 for a violation of a law, rule, regulation, or formal order related to the initial or ongoing licensing of a long-term care facility which has caused the death of or serious physical harm to a resident in such facility. For purposes of this subparagraph, the term "serious physical harm" means an injury which causes any significant impairment of the physical condition of the resident as determined by qualified medical personnel.

(g) The department shall have the authority to make public or private investigations or examinations inside or outside of this state to determine whether the provisions of this Code section or any other law, rule, regulation, or formal order relating to the licensing of any agency, facility, institution, or entity has been violated. Such investigations may be initiated at any time, at the discretion of the department, and may continue during the pendency of any action initiated by the department pursuant to subsection (c) of this Code section.

1. For the purpose of conducting any investigation, inspection, or survey, the department shall have the authority to require the production of any books, records, papers, or other information related to the initial or continued licensing of any agency, facility, institution, or entity.

2. Pursuant to the investigation, inspection, and enforcement powers given to the department by this Code section and other applicable laws, the department may assess against an agency, facility, institution, or entity reasonable and necessary expenses incurred by the department pursuant to any administrative or legal action required by the failure of the agency, facility, institution, or entity to fully comply with the provisions of any law, rule, regulation, or formal order related to the initial or continued licensing.


A review of the Medical Records Request log dated 5/1/24 through 12/17/24 failed to reveal an entry made for P#1's medical records on 11/27/24 by the Department of Community Health.


A review of a medical record request by the Department of Community Health, dated 11/27/24, revealed that it was sent to the facility on 11/27/24.


During an interview on 12/17/24 at 4:15 p.m., with System Director (SM) AA, SM AA explained that a third-party vendor receives medical record requests and is responsible for validating the requestor's information and the patient's medical record information. Once the information is verified, the vendor will forward the request to the facility's Hospital Information System (HIS) Department to release the record. SM AA said that when a request is fulfilled or denied, it is logged into the medical records request log and should never be left off the logbook. Once verified and forwarded to the facility's HIS department, medical records requests will be released within ten or more business days.
SM AA added that she expects the Department of Community Health and the Centers for Medicare and Medicaid Services to follow the process she described when requesting medical records and if all of the information required to release a medical record is not provided when the Department of Community Health and the Centers for Medicare and Medicaid Services requests it, the request for medical records will be denied.
SM AA further explained that if a record request is received by a facility staff member who works outside of the HIS department, she expects the request to be forwarded to the HIS department for verification and processing.


A telephone interview was conducted on 12/18/24 at 1:00 p.m. with Medical Records Custodian (MRC) CC. MRC CC explained that she is an employee of a medical records vendor contracted by the facility and that she is responsible for overseeing the timely completion of medical record requests for several facility campuses.
MRC CC explained that all requests are entered into the medical records request log. She added that she was unsure why the state's request was not entered into the logbook but that 98 percent (%) of the log is accurate. She added that they try to prioritize state and federal agency requests, but she is unaware of any exclusions that apply to a state survey agency or other agencies for performing reviews and surveys requiring immediate access to medical records.


A follow-up telephone interview with SM AA was conducted on 12/18/24 at 1:15 p.m. SM AA explained that the contracted medical records vendor audits medical records requests and will forward reports for the facility to review but that the facility does not provide direct oversight of the medical records requests. She added that she is unaware of any exclusions that apply to a state survey agency or other agencies for performing reviews and surveys requiring immediate access to medical records.