Skip to content Skip to navigation

New HHS Guidelines Illuminate Patients’ Right to Health Data

January 8, 2016
by Rajiv Leventhal
| Reprints

Although Health Insurance Portability and Accountability Act (HIPAA) laws have always provided individuals with the right to access their health data, consumers haven’t gotten much guidance from the feds on how to exercise that right—until now.

On Jan. 7, the Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) released guidelines to help ensure that individuals understand and can exercise their right to access their health information. In a blog post, Jocelyn Samuels, director, OCR, wrote, “Unfortunately, based on recent studies and our own enforcement experience, far too often individuals face obstacles to accessing their health information, even from entities required to comply with the HIPAA Privacy Rule.  This must change.”

Specifically, OCR released a fact sheet and the first in a series of topical Frequently Asked Questions (FAQs) to further clarify individuals’ core right under HIPAA to access and obtain a copy of their health information.  This set of FAQs addresses the scope of information covered by HIPAA’s access right, the very limited exceptions to this right, the form and format in which information is provided to individuals, the requirement to provide access to individuals in a timely manner, and the intersection of HIPAA’s right of access with the requirements for patient access under the HITECH Act’s Electronic Health Record (EHR) Incentive Program, the agency said.

Samuels’ blog post continues, “We will continue to develop additional guidance and other tools as necessary to ensure that individuals understand and can exercise their right to access their health information.  In addition, the Office for Civil Rights will work with the White House Social and Behavioral Sciences Team and the Department of Health and Human Services Office of the National Coordinator for Health Information Technology (ONC) to produce consumer-friendly resources, including sample communications tools to encourage patients to access their digital health information.”

The guidance was received with praise from many in the industry, including from Jodi Daniel, partner in the Washington, D.C.-based Crowell & Moring’s healthcare group, and former director of the Office of Policy in ONC. In a statement, Daniel said, “The government has heard for years that the reason patients don’t ask for access to their records is because there are unfair costs and other barriers to getting the information and obtaining it in the form and format that would be most useful. In this guidance, OCR is clearly trying to clarify misperceptions and direct covered entities to make information more easily available for patient access.”

Daniel continued, “The OCR guidance does a good job of clarifying misperceptions of patients’ right to access their health information in order to make the information more easily available. However, in the world of electronic information, the right of access itself does not go far enough to ensure that health information can be readily available to patients where and when they need it and in a form that is useful. In light of this guidance, covered entities and business associates should consider their practices for providing patient access to their data to ensure they are complying with the HIPAA privacy rule.”



EHNAC and HITRUST Combine HIPAA Security Criteria, CSF Framework

The Electronic Healthcare Network Accreditation Commission (EHNAC) and the Health Information Trust Alliance (HITRUST) announced plans to streamline their accreditation and certification programs.

Halamka on MACRA Final Rule: “CMS is Listening and I Thank Them”

Health IT notable expert John Halamka, M.D., CIO of Beth Israel Deaconess Medical Center in Boston, recently weighed in on the Medicare Access and CHIP Reauthorization Act (MACRA) final rule.

Texas Patient Care Clinic Hit with Ransomware Attack

Grand Prairie, Texas-based Rainbow Children's Clinic was the victim of a ransomware attack on its IT systems in August, affecting more than 33,000 patients, according to multiple news media reports this week.

Healthcare Organizations Again Go to Bat for AHRQ

Healthcare organizations are once again urging U.S. Senate and House leaders to protect the Department of Health and Human Services’ Agency for Healthcare Research and Quality (AHRQ) from more budget cuts for 2017.

ONC Pilot Projects Focus on Using, Sharing Patient-Generated Health Data

Accenture Federal Services (AFS) has announced two pilot demonstrations with the Office of the National Coordinator for Health Information Technology (ONC) to determine how patient-generated health data can be used by care teams and researchers.

Is it Unethical to Identify Patients as “Frequent Flyers” in Health IT Systems?

Several researchers from the University of Pennsylvania addressed the ethics of behavioral health IT as it relates to “frequent flyer” icons and the potential for implicit bias in an article published in JAMA.