Patients' Records Access Rights Under HIPAA Clarified
New Guidance Designed to Overcome Perceived Obstacles
In an effort to help remove perceived obstacles, federal regulators have issued new guidance clarifying patients' rights under HIPAA to access their health information, including certain data contained in electronic health records.
Jocelyn Samuels, director of the Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA, says OCR issued the guidance because "unfortunately, based on recent studies and our own enforcement experience, far too often individuals face obstacles to accessing their health information, even from entities required to comply with the HIPAA Privacy Rule. This must change."
Security Issues
A significant provision in the new guidance deals with the issue of encryption.
The guidance includes "the formalization of a requirement that covered entities or business associates have to provide individuals a copy of their PHI by unencrypted e-mail if the individual requests it be delivered to them through that medium," notes privacy attorney David Holtzman, a former OCR staff member who's now vice president of compliance at the security consulting firm CynergisTek.
"The guidance also formalizes a requirement that the covered entity or business associate must provide a brief warning to the individual that there is some level of risk that the individual's [unencrypted] PHI could be read or otherwise accessed by a third party while in transit, and confirm that the individual still wants to receive her PHI by unencrypted e-mail. If the individual says 'yes,' the covered entity must comply with the request."
The new guidance also points out that healthcare providers must provide patients, upon request, an electronic copy of PHI even if the covered entity maintains the record only on paper - provided the covered entity can readily scan the paper record into an electronic format, Holtzman notes.
Overcoming Misunderstandings
The guidance is aimed at helping to resolve misunderstandings by individuals, covered entities and business associates about the protected health information in "designated record sets" that patients have the right to access under HIPAA.
"This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual's choice," the guidance notes. "Individuals have a right to access this PHI for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated, for example whether the covered entity, another provider, the patient, etc."
OCR's Samuels says her office will continue to develop additional guidance and other tools as necessary to ensure that individuals understand and can exercise their right to access their health information. "In addition, the OCR will work with the White House Social and Behavioral Sciences Team and the HHS Office of the National Coordinator for Health Information Technology to produce consumer-friendly resources, including sample communications tools to encourage patients to access their digital health information."
What Patients Can Access
Under HIPAA, information included in "designated record sets" that patients have a right to access, the new guidance explains, includes:
- Medical records and billing records about individuals maintained by or for a covered healthcare provider;
- Enrollment, payment, claims adjudication and case or medical management record systems maintained by or for a health plan; and
- Other records that are used to make decisions about individuals.
Some information, however, is excluded from patients' access rights. That includes psychotherapy notes - the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session, which are maintained separately from the rest of the patient's medical record; and information compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action or proceeding.
Guidance Material
The guidance information OCR posted on its website includes a fact sheet and the first in a series of topical "frequently asked questions."
OCR notes that healthcare providers participating in the HITECH Act EHR incentive program are required to provide individuals with access to certain information on faster timelines than HIPAA itself requires.
"Healthcare providers participating in the EHR incentive program may use the patient engagement tools [such as web portals] ... to make certain information available to patients quickly and satisfy their EHR incentive program objectives," OCR notes in the guidance. "Doing so also has the added benefit of satisfying an individual's request for access under HIPAA, where the PHI requested by the individual is available through the certified EHR technology, and the individual agrees to access the information in this way."
OCR also notes in the guidance: "While the Privacy Rule permits a covered entity to take up to 30 calendar days from receipt of a request to provide access - with one extension for up to an additional 30 calendar days when necessary - covered entities are strongly encouraged to provide individuals with access to their health information much sooner, and to take advantage of technologies that enable individuals to have faster or even immediate access to the information."
An OCR spokeswoman tells Information Security Media Group: "Since OCR began enforcing the HIPAA Privacy Rule, access to medical records has remained one of our top five most investigated issues, and these cases account for a substantial complaint volume." The next set of FAQs that OCR will issue will focus on fees and the right of individuals to have their information sent to a third party. "We hope to release this additional guidance soon," she says.
OCR also is expected to issue guidance on cloud computing and data storage this year, Holtzman says (see HIPAA Enforcement Outlook for 2016).