Safe & Sound with Marianne Kolbasuk McGee

Electronic Healthcare Records, Governance & Risk Management, HIPAA/HITECH

Patient Access to Records: The Requirements and Risks

HHS Pushing Awareness of Rights While Highlighting Privacy Concerns

HIPAA has long provided patients with the right to access their own "designated record set" of protected health information. But federal regulators are on a campaign to help patients and healthcare organizations understand records access rights, as well as the related privacy risks.

The Department of Health and Human Services has been focusing a great deal of attention on the issue lately, with recent guidance, a "patient engagement playbook" for covered entities and new educational material - including three videos - directed at patients.

"Having easy access to their health information empowers individuals to be more in control of decisions regarding their health and well-being," HHS writes. "Individuals can monitor chronic conditions better, understand and stay on track with treatment plans, find and fix errors and contribute information to research if they choose."

Back when the HIPAA Privacy Rule was first enforced in 2003, the vast majority of patient records were still on paper. Today, seven years after the enactment of the HITECH Act, which provided financial incentives for adopting EHRs, digitized records are far more commonplace, with more than 80 percent of hospitals using EHRs, HHS reports.

Patient Education

While some hospitals and physician organizations are getting better at securely sharing electronic data with each other, giving their own patients secure access to that data is often another matter.

"Many people are not fully aware of their right to access their own medical records under HIPAA, including the right to access a copy when their health information is stored electronically," says Lucia Savage, chief privacy officer at HHS' Office of the National Coordinator for Health IT, in a June 2 statement announcing the educational videos geared to patients.

The videos "highlight the basics for individuals to get access to their electronic health information and direct it where they wish, including to third party applications," she notes.

The material also cautions patients about the importance of protecting their health data once they have it. For instance, covered entities must provide patients - or a third party the patient chooses - with access to their health information in the form and format the patient requests, if the information is readily producible that way - even if the request instructs the healthcare entity to transmit the records via unencrypted email. OCR's access guidance calls for the entity to briefly warn the individual of the risk in that case and then honor the request if the individual still wants it sent that way.

But patients also need to be aware of the risks involved. "Your provider is no longer responsible for the security of your health information after it is sent to a third party," HHS warns in the new patient material. "Once you have a copy of your health information, it's important to keep it protected," including using passwords on mobile devices and computers, HHS adds.

Portal Playbook

Meanwhile, HHS' new patient engagement playbook instructs healthcare entities on a number of important issues involving providing patients - and their proxies - secure access to health information via patient web portals.

For instance, the playbook highlights steps healthcare providers can take to give patients and caregivers "the privacy and access they need." That includes:

  • Talking with patients to find out who's involved in their care;
  • Asking about the patient's preferences for giving caregivers access to their health information, and making the patient aware that unless the individual objects, HIPAA generally allows a provider to share health information with family members or friends involved in the patient's care;
  • Working with the EHR vendor to ensure the system can give each personal representative a unique, secure login to access the patient's portal.
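The portal guidance above (a unique login for each personal representative, sharing scoped by the patient's stated preferences) and the earlier point that a request to send records over unencrypted email must be warned about and then honored are modeled below in Python. This is an added example, not code from the HHS playbook, from any EHR vendor, or from the article; the identities, record categories, audit-record layout and the "warn, then send" acknowledgment flag are hypothetical, and the sample records are constructed.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Identity:
    """A distinct login. A caregiver never uses the patient's credentials."""
    user_id: str
    display_name: str


@dataclass
class Grant:
    """What one personal representative may see, and until when."""
    representative_id: str
    categories: FrozenSet[str]          # record categories, or {"*"} for the whole set
    expires: Optional[date] = None
    revoked: bool = False


@dataclass
class PatientAccount:
    patient: Identity
    records: Dict[str, List[str]] = field(default_factory=dict)   # category -> entries
    grants: List[Grant] = field(default_factory=list)


class AccessDenied(Exception):
    pass


class Portal:
    def __init__(self) -> None:
        self.accounts: Dict[str, PatientAccount] = {}
        # (actor, patient, category, outcome). The actor is the real login, so a
        # caregiver's reads are never recorded as the patient's own.
        self.audit: List[Tuple[str, str, str, str]] = []

    def enroll(self, account: PatientAccount) -> None:
        self.accounts[account.patient.user_id] = account

    def grant_proxy(self, patient_id, rep: Identity, categories, expires=None) -> None:
        self.accounts[patient_id].grants.append(
            Grant(rep.user_id, frozenset(categories), expires))

    def revoke_proxy(self, patient_id, rep_id) -> None:
        for g in self.accounts[patient_id].grants:
            if g.representative_id == rep_id:
                g.revoked = True

    def _authorized(self, actor, acct, category, today) -> bool:
        if actor.user_id == acct.patient.user_id:
            return True                      # the patient always sees their own record set
        for g in acct.grants:
            if g.representative_id != actor.user_id or g.revoked:
                continue
            if g.expires is not None and today > g.expires:
                continue
            if "*" in g.categories or category in g.categories:
                return True
        return False

    def read(self, actor, patient_id, category, today=None) -> List[str]:
        today = today or date.today()
        acct = self.accounts[patient_id]
        allowed = self._authorized(actor, acct, category, today)
        self.audit.append((actor.user_id, patient_id, category, "allow" if allowed else "deny"))
        if not allowed:
            raise AccessDenied(f"{actor.user_id} may not read {category} for {patient_id}")
        return list(acct.records.get(category, []))

    def export(self, actor, patient_id, channel, destination,
               risk_acknowledged=False, today=None) -> dict:
        """Send everything the actor may see to where the requester directs it."""
        today = today or date.today()
        acct = self.accounts[patient_id]
        visible = [c for c in acct.records if self._authorized(actor, acct, c, today)]
        if not visible:
            self.audit.append((actor.user_id, patient_id, "*", "deny"))
            raise AccessDenied(f"{actor.user_id} has no access to {patient_id}")
        if channel == "unencrypted_email" and not risk_acknowledged:
            # Warn first; the request itself is not refused, it is honored once acknowledged.
            self.audit.append((actor.user_id, patient_id, "*", "export-pending-warning"))
            raise AccessDenied("requester must acknowledge the unencrypted-email warning first")
        self.audit.append((actor.user_id, patient_id, "*", f"export:{channel}"))
        return {"to": destination, "channel": channel,
                "categories": sorted(visible), "warning_acknowledged": risk_acknowledged}


def build_demo():
    """Constructed data: one patient, a caregiver limited to labs and medications,
    and a former caregiver whose full-access grant expired years ago."""
    portal = Portal()
    patient = Identity("pt-1001", "Pat Example")
    caregiver = Identity("cg-2002", "Chris Caregiver")
    former = Identity("cg-2003", "Former Caregiver")
    portal.enroll(PatientAccount(patient, records={
        "labs": ["HbA1c 6.1% (constructed)"],
        "medications": ["metformin 500 mg (constructed)"],
        "notes": ["visit note (constructed)"],
    }))
    portal.grant_proxy(patient.user_id, caregiver, {"labs", "medications"}, expires=date(2099, 1, 1))
    portal.grant_proxy(patient.user_id, former, {"*"}, expires=date(2015, 1, 1))
    return portal, patient, caregiver, former
```

The practical reason for a separate login per representative shows up in the audit list: every entry names the caregiver's own identifier, so a later complaint or OCR inquiry can tell the patient's reads from a proxy's. Note also that `export` does not refuse an unencrypted destination; it refuses only until the warning has been acknowledged, which is the position OCR's access guidance takes.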

Healthcare providers should be prepared to provide patients with access to their healthcare information, whether through secure web portals or another format requested by patients. If not, these entities face the potential wrath of federal regulators.

Enforcement Actions

Complaints from patients about denial of records access are among the top gripes that OCR hears.

For example, in May, the American Civil Liberties Union filed a complaint with HHS' Office for Civil Rights, which enforces HIPAA, against lab testing firm Myriad Genetics for its alleged refusal to provide patients with their genetic information.

Back in 2011, OCR issued a $4.3 million civil monetary penalty to Cignet Health after it allegedly denied patients access to their health records - and then refused to cooperate with investigators during the OCR investigation.

Covered entities selected for an upcoming random HIPAA compliance audit by OCR could be required to submit documentation describing processes for providing individuals access to their health information, Deven McGraw, OCR's deputy director of health information policy, told me in a recent interview.

Clearly, it's essential that covered entities implement secure ways of providing patients access to their health records. It may not always be easy, but it's the law.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
