Policy, Patient Engagement

Patient advocates react cautiously to OCR HIPAA access guidance

For years, hospitals have been using HIPAA as an excuse not to release records, even though the rules actually say otherwise.

data networkPatient advocates are cautiously lauding a long-awaited move by the Department of Health and Human Services to let the public know that HIPAA actually gives them the right to access their own health information. For years, hospitals have been using HIPAA as an excuse not to release records, even though the rules actually say otherwise.

Thursday, the HHS Office for Civil Rights, which enforces the HIPAA privacy and security rules, issued a guidance on the right to access, probably something that should never have been required. The guidance said, in part:

The Privacy Rule generally requires HIPAA covered entities (health plans and most health care providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice.  Individuals have a right to access this PHI for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated (e.g., whether the covered entity, another provider, the patient, etc.).

In a blog post, OCR Director Jocelyn Samuels explained, “Unfortunately, based on recent studies and our own enforcement experience, far too often individuals face obstacles to accessing their health information, even from entities required to comply with the HIPAA Privacy Rule. This must change.”

Samuels said the guidance is the first in a planned series of FAQs clarifying individual rights under HIPAA.

“We hope that the next guidance from HHS will clarify permissible fees and encourage providers to offer the first copy of health information to the patient at minimal or no charge,” said Lynne Thomas Gordon, CEO of the American Health Information Management Association.

The Get My Health Data campaign, launched in July to push for greater patient access to their health information, offered qualified praise for the move. Christine Bechtel, Get My Health Data campaign coordinator and advisor to the National Partnership for Women & Families, offered the following statement on Friday:

The guidance released yesterday is an important step forward in helping patients exercise their right to access their health information under HIPAA, including electronically. Our cadre of volunteer “Tracer” patients has found that, unfortunately, confusion surrounding HIPAA persists and often means that patients don’t get the kind of access to their health care information they need. We are hopeful that the clarifications HHS issued yesterday will help both providers and patients better understand the law and the opportunities it presents. When all patients can get and use their health data electronically, they will be able to more fully engage in their health and care.

The campaign echoed the recommendation from OCR that that healthcare organizations make better use of electronic tools to improve records access. According to Bechtel, providers should respond far more quickly than the 30 days the law allows, and should not require people to pick up copies of their records in person.

Jodi Daniel, formerly the director of the Office of Policy in the Office of the National Coordinator for Health Information Technology, echoed this sentiment.

“The OCR guidance does a good job of clarifying misperceptions of the patients right to access their health information in order to make the information more easily available. However, in the world of electronic information, the right of access itself does not go far enough to ensure that health information can be readily available to patients where and when they need it and in a form that is useful,” said Daniel, now a partner at the law firm of Crowell & Moring.

Photo: freedigitalphotos user sheelamohan