Download HIPAA Privacy Rule's Right of Access to Electronic Health Information and more Study notes Information Technology in PDF only on Docsity!
T HE HIPAA P RIVACY R ULE ’ S
R IGHT OF A CCESS AND H EALTH
I NFORMATION T ECHNOLOGY
B ACKGROUND AND I NTRODUCTION
Since its inception, the HIPAA Privacy Rule’s right of an individual to access protected health information (PHI) about him or her held by a covered entity has operated in a primarily paper- based environment. While it has been common for covered entities to create, maintain, and exchange PHI in paper form, an increasing number of covered entities are beginning to utilize new forms of health information technology (health IT), which often involve the transition of PHI from paper to electronic form. Many health care providers, for example, are adopting comprehensive electronic health records (EHRs) to enhance the quality and efficiency of care they deliver. Health IT also may create mechanisms by which individuals can electronically request access to their PHI and by which covered entities can respond by providing or denying access electronically.
An individual’s right to access his or her PHI is a critical aspect of the Privacy Rule, the application of which naturally extends to an electronic environment. The Privacy Rule establishes, with limited exceptions, an enforceable means by which individuals have a right to review or obtain copies of their PHI, to the extent it is maintained in the designated record set(s) of a covered entity. The Privacy Rule’s specific, yet flexible, standards also address individuals’ requests for access and timely action by the covered entity, including the provision of access, denial of access, and documentation. See 45 C.F.R. § 164.524.
Health IT has the potential to facilitate the Privacy Rule’s right of access from both an individual’s and a covered entity’s perspective. Because the right of access operates regardless of the format of the PHI, its application in an electronic environment is similar to that in a paper-based environment. Several provisions, however, such as those related to requests for access, timely action, verification, form or format of access, and denial of access, may apply slightly differently and, thus, require additional consideration. The discussion that follows addresses an individual’s right to request access electronically, a covered entity’s electronic provision or denial of access and other specific applications of the Privacy Rule that will assist covered entities in tailoring their compliance appropriately.
The guidance also is meant to serve as a stepping stone for covered entities that are considering how an individual’s access rights may be fulfilled within an electronic health information exchange environment. To that end, the guidance demonstrates how the Privacy Rule’s access standard provides a strong foundation from which covered entities can develop policies and procedures which also meet several of the objectives enumerated in the Individual Access Principle identified within The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information.
R EQUESTS FOR A CCESS
The Privacy Rule allows covered entities to require that individuals make requests for access in writing, provided they inform individuals of such a requirement. See 45 C.F.R. § 164.524(b)(1). In addition, the Privacy Rule has always considered electronic documents to qualify as written documents. Thus, the Privacy Rule supports covered entities’ offering individuals the option of using electronic means (e.g., e-mail, web portal) to make requests for access.
T IMELY A CTION
The Privacy Rule requires covered entities to respond to requests for access in a timely manner. Except as otherwise specified, the Privacy Rule requires the individual be notified of the decision within 30 days of the covered entity’s receipt of the request. See 45 C.F.R. § 164.524(b)(2)(i). While the Privacy Rule establishes the 30 days as an outside limit, it does not preclude covered entities from responding sooner. Indeed, a covered entity may have the capacity through the use of some electronic systems to provide automated access to an individual’s PHI or respond to requests with immediate access, twenty-four hours a day. Not all electronic systems, however, may allow for the provision of immediate access, and the covered entity’s response time-frame will normally depend, in part, on its system capacity.
As in a paper-based system, other factors also will impact a covered entity’s response time in an electronic environment. For example, the Privacy Rule’s 30 day parameter was originally conceptualized to allow covered entities sufficient time to accommodate normal business functions (e.g., interpretation of test results), as well as those unusual circumstances that might delay a response (e.g., reporting suspected child abuse). Similar allowances may be necessary in an electronic health information environment as well.
As a practical matter, individuals might expect, when making a request of a technologically sophisticated covered entity, that their requests could be responded to instantaneously or well before the current required time-frame. This might be the case, for example, when access is provided through a direct view or portal into a health care provider’s EHR. Providing more timely access than the Privacy Rule requires may be a means by which covered entities distinguish themselves within the market.
C O N T E N T ‐ D E S I G N A T ED R E C O R D S E T S
An individual’s right of access generally applies to the information that exists within a covered entity’s designated record set(s), including: (1) a health care provider’s medical and billing records, (2) a health plan’s enrollment, payment, claims adjudication, and case or medical management record systems, and (3) any information used, in whole or in part, by or for the covered entity to make decisions about individuals. A record is any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for the covered entity. See 45 C.F.R. § 164.501 (definition of “designated record set”).
Covered entities that use electronic records (e.g., EHRs or electronic claims systems) will want to remain cognizant that the right of access applies regardless of the information’s format. The term “designated record set,” therefore, cannot be limited to information contained in an electronic record, but also will include any non-duplicative, electronic or paper-based information that meets the term’s definition. While overlap may initially exist between electronic and paper-based record sets, covered entities will likely find their access-related obligations to be less time and labor intensive the more PHI they convert to being electronic.
Further, a covered entity that utilizes a business associate to maintain or otherwise operate its electronic records will want to ensure the business associate is obligated to share non- duplicative information pursuant to electronic access requests. The same would be true if a health information organization (HIO), as a business associate, maintains an electronic repository of some or all of a covered entity’s PHI.
F ORM OR F ORMAT OF A CCESS P ROVIDED
The Privacy Rule requires covered entities to provide access to the PHI in the form or format requested by the individual, if it is readily producible in such form or format. If the PHI is not readily producible in the form or format requested, access must be provided in a readable hard copy form, or in the alternative, some other form or format as agreed to by the covered entity and the individual. The covered entity also may provide the individual with a summary of the PHI or may provide an explanation of the PHI which has been provided, so long as the individual agrees to the alternative form and associated fees. See 45 C.F.R. § 164.524(c)(2).
To the extent individuals request that access to their PHI be provided in an electronic form or format, covered entities’ utilization of electronic records will likely increase the amount of PHI that is “readily producible” in electronic form, thereby benefiting both the requesting individual, as well as the covered entity:
Electronic access may provide individuals with more timely access to more information in a more convenient manner. For example:
- Electronic copies of PHI may be downloaded to USB thumb-drives or copied to compact discs relatively quickly and may provide individuals with a more convenient means of transporting and maintaining the information.
- EHRs may enable covered entities to offer individuals an immediate and ongoing view into the covered entity’s designated record set(s), either through a personal health record (PHR) or otherwise, while limiting the time, expense, and labor that may be required otherwise in order to provide access to the individual.
Electronic access also may be a means by which covered entities can limit the time, resources and other expenses required to provide the individual with access.
- Electronic copies of PHI that are downloaded to USB thumb-drives or copied to compact discs may require less labor and overhead than access to paper records would require.
- Covered entities may find that providing individuals with electronic access to PHI could save them time and resources by limiting, if not eliminating, the need to provide hard copies of the information or some other, more expensive, form or format.
- Providing such “readily producible” electronic access may have the secondary effect of enhancing their communication with individuals, which may in turn, lead to improved quality of care and strengthened consumer satisfaction.
The right of access also affords covered entities the option of making alternative agreements with individuals as to the form or format of access provided. If, for example, a covered entity’s default administrative safeguards policies and procedures limit the provision of electronic access to stand-alone devices and secure, web-based portals, and an individual requests access via electronic mail (e-mail), the Privacy Rule would permit alternative agreements which satisfy both parties, so long as reasonable safeguards are otherwise in place.
To the extent that individuals request access to their PHI in hard-copy form, the covered entity must provide such access, even if the information is stored in an electronic record.
D C
G R O U N D S F O R D E N I A L
ENIAL OF A CESS
The Privacy Rule contemplates circumstances under which covered entities may deny an individual access to PHI and distinguishes those grounds for denial which are reviewable from those which are not.
Unreviewable grounds for denial are: situations involving (i) psychotherapy notes, information compiled for use in legal proceedings, and certain information held by clinical laboratories; (ii) certain requests which are made by inmates of correctional institutions; (iii) information created or obtained during research that includes treatment if certain conditions are met; (iv) denials permitted by the Privacy Act; and (v)
F REQUENTLY A SKED Q UESTIONS
Q1: In an electronic health information exchange environment, what is a designated record set for purposes of an individual’s right of access under the HIPAA Privacy Rule?
A1: To the extent covered entities maintain their own electronic records systems, their choice to link those systems to a network for electronic health information exchange purposes would not necessarily change the status of information maintained within their designated record sets. That is, information that meets the definition of a designated record set remains part of the designated record set even if that information is linked to a network. See 45 C.F.R. § 164.501 (definition of “designated record set”). Covered entities should be aware, however, that whatever information they import into their electronic records via a network may become an integrated part of their designated record set(s). Network participation alone, however, would not make all other information about the individual that is accessible through the network part of a covered entity’s designated record set. Thus, the ability to link to information through a network does not obligate a covered entity to provide access to the designated record set of another entity participating in the network.
Q2: How would a covered entity or health information organization (HIO), acting on its behalf, know if someone were a personal representative for the purpose of granting access under the HIPAA Privacy Rule?
A2: The Privacy Rule’s verification standard requires that covered entities develop and implement reasonable policies and procedures to verify the identity and authority of such persons, if otherwise unknown to them, before granting them access to protected health information (PHI). See 45 C.F.R. § 164.514(h). Once verified, the personal representative can then be given the appropriate credentials for authentication and access through an electronic system. The Privacy Rule allows covered entities to rely on their professional judgment, as well as industry standards, in designing reasonable verification and authentication processes.
The Privacy Rule permits a covered entity to assign this function to a HIO, acting as its business associate, so long as the relevant standards are complied with. For example, a covered entity could use the HIO to assign the appropriate credentials and authenticate personal representatives, and any others, seeking access to PHI.
Q3: How may judgments be made electronically about denial of access under the HIPAA Privacy Rule?
A3: The Privacy Rule differentiates between two types of denial, reviewable and unreviewable. See 45 C.F.R. § 164.524(a)(2), (3). As to the unreviewable grounds for denial, there are essentially two decisions a covered entity will need to make with respect to electronic access: 1) whether it may deny access based on one or more of the grounds identified by the Privacy Rule; and 2) how to implement such decisions categorically in the electronic environment.
A covered entity may decide, for example, to categorically deny access to certain types of information to which no access right exists, such as psychotherapy notes. The Privacy Rule would permit denial without review, and a case-by-case judgment would not be necessary. Similarly, the covered entity may make such a system-wide decision with respect to other types of protected health information where the Privacy Rule permits an unreviewable denial of access.
In contrast, reviewable grounds for denial of access require decisions be made on a case-by-case basis through the professional judgment of licensed health care providers. Professional judgment also would be required if individuals exercise their right to appeal a denial of access made on reviewable grounds. As computer logic cannot be a substitute for professional judgment in these cases, these types of activities cannot be carried out categorically or in an automated way. Neither could these decisions be delegated to a health information organization (HIO), unless a licensed health care professional at the HIO were assigned the task of making the access determinations.
