Although Health Insurance Portability and Accountability Act (HIPAA) laws have always provided individuals with the right to access their health data, consumers haven’t gotten much guidance from the feds on how to exercise that right—until now.
On Jan. 7, the Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) released guidelines to help ensure that individuals understand and can exercise their right to access their health information. In a blog post, Jocelyn Samuels, director, OCR, wrote, “Unfortunately, based on recent studies and our own enforcement experience, far too often individuals face obstacles to accessing their health information, even from entities required to comply with the HIPAA Privacy Rule. This must change.”
Specifically, OCR released a fact sheet and the first in a series of topical Frequently Asked Questions (FAQs) to further clarify individuals’ core right under HIPAA to access and obtain a copy of their health information. This set of FAQs addresses the scope of information covered by HIPAA’s access right, the very limited exceptions to this right, the form and format in which information is provided to individuals, the requirement to provide access to individuals in a timely manner, and the intersection of HIPAA’s right of access with the requirements for patient access under the HITECH Act’s Electronic Health Record (EHR) Incentive Program, the agency said.
Samuels’ blog post continues, “We will continue to develop additional guidance and other tools as necessary to ensure that individuals understand and can exercise their right to access their health information. In addition, the Office for Civil Rights will work with the White House Social and Behavioral Sciences Team and the Department of Health and Human Services Office of the National Coordinator for Health Information Technology (ONC) to produce consumer-friendly resources, including sample communications tools to encourage patients to access their digital health information.”
The guidance was received with praise from many in the industry, including from Jodi Daniel, partner in the Washington, D.C.-based Crowell & Moring’s healthcare group, and former director of the Office of Policy in ONC. In a statement, Daniel said, “The government has heard for years that the reason patients don’t ask for access to their records is because there are unfair costs and other barriers to getting the information and obtaining it in the form and format that would be most useful. In this guidance, OCR is clearly trying to clarify misperceptions and direct covered entities to make information more easily available for patient access.”
Daniel continued, “The OCR guidance does a good job of clarifying misperceptions of patients’ right to access their health information in order to make the information more easily available. However, in the world of electronic information, the right of access itself does not go far enough to ensure that health information can be readily available to patients where and when they need it and in a form that is useful. In light of this guidance, covered entities and business associates should consider their practices for providing patient access to their data to ensure they are complying with the HIPAA privacy rule.”