5.1 Domain 2 Compliance Decision Frame

Key Takeaways

  • AHIMA's current RHIA outline places Compliance with Access, Use, and Disclosure of Health Information in Domain 2 at 15-18% of the exam.
  • Domain 2 questions test administrator-level decisions about who may access PHI, why the access is allowed, what may be disclosed, and how the decision is documented.
  • A strong RHIA answer connects patient rights, request processing, internal monitoring, external disclosure, and HIE governance instead of treating privacy as a single release form.
  • The safest exam pattern is to identify the purpose, authority, scope, recipient, minimum necessary boundary, and escalation path before acting.
Last updated: May 2026

Build the Domain 2 Compliance Lens

AHIMA's current RHIA exam outline names Domain 2 as Compliance with Access, Use, and Disclosure of Health Information, weighted at 15-18% of the exam. That official framing matters because the RHIA credential is an administrator-level health information management credential. The test is likely to ask what a leader should approve, monitor, escalate, document, or correct when protected health information is accessed, used, requested, disclosed, or exchanged.

For this chapter, think beyond a single release of information task. Domain 2 includes patient access and portals, advocacy for patients and families obtaining health information, request processing under legal and regulatory standards, and monitoring internal and external access to protected health information, including health information exchange. A release desk may complete the transaction, but the RHIA-level responsibility is the policy, workflow, training, audit trail, and escalation structure that make the transaction defensible.

| Compliance question | RHIA decision point | Evidence to preserve |
|---|---|---|
| Who wants the information? | Verify identity, role, legal authority, or patient direction | Request form, authorization, portal identity event, or representative documentation |
| Why is the information needed? | Classify the purpose as patient access, treatment, payment, operations, legal, regulatory, or other authorized purpose | Request category, policy citation, and staff notes |
| What information is needed? | Match the scope to the stated purpose and minimum necessary expectation when it applies | Date range, document type, data elements, exclusions, and amendments |
| How will it move? | Choose secure portal, electronic delivery, paper, direct exchange, HIE route, or other approved method | Delivery log, recipient confirmation, and transmission status |
| What could go wrong? | Escalate sensitive, ambiguous, high-volume, failed-identity, or unusual requests | Supervisor review, privacy officer referral, and final disposition |

The first exam habit is to separate access, use, and disclosure. Access is the ability to view or retrieve information. Use is what the organization does with information internally for an allowed purpose. Disclosure is information leaving the organization or being made available outside the original internal context. A portal view, a coder opening a record, a quality report, a subpoena response, a payer audit packet, and an HIE query all raise different control questions.

The second habit is to identify the patient's right in the scenario. Patient access is not the same as a third-party request. A patient portal workflow should help the patient obtain information, understand status, and route problems. An authorization workflow should verify what the patient directed, what information is covered, who will receive it, and whether any limit or revocation applies. A family request may be valid in some circumstances and invalid in others, so the answer should not jump straight to release or refusal without checking authority.

The third habit is to treat legal and regulatory standards as workflow design requirements. Policies should tell staff what to collect, how to verify identity, when to route to privacy or legal counsel, how to handle sensitive categories, how to document denials or partial releases, and how to track turnaround performance. Training should use realistic examples because a poorly trained employee can create the same risk as a broken system setting.

RHIA Exam Checklist

  • Identify the requestor, purpose, authority, scope, recipient, delivery method, and deadline set by policy.
  • Use the current AHIMA Domain 2 task language as the study map for patient access, request workflows, monitoring, and HIE.
  • Choose escalation when the request is incomplete, unusually broad, legally complex, sensitive, or inconsistent with policy.
  • Preserve evidence of the decision, not just the final disclosure.
  • Remember that the best answer often improves the process for future requests, not only the single case in front of the employee.

A common exam trap is choosing the fastest action instead of the controlled action. Speed matters in patient access, but speed without verification can create impermissible disclosure. Another trap is over-restricting access in a way that frustrates patient rights. The RHIA balance is to support access and exchange while maintaining clear authority, limited scope, secure delivery, and measurable compliance oversight.

Test Your Knowledge

Which official RHIA domain includes patient access, information request processing, monitoring access to PHI, and HIE oversight?


An employee asks whether to release a broad record set to a third party, but the authorization is unclear about date range and recipient. What is the best RHIA-level response?


Which evidence best supports a defensible release of information workflow?
