By Karen B. DeSalvo, M.D., M.P.H., M.Sc., and
Lucia Savage, Esq., Chief Privacy Officer
In order to effectively manage their health, individuals need to be able to access and use their health information when, where, and how they want, including sending it to the people and tools helping them become or stay healthy: neighbors, friends, relatives, health care providers who are treating or consulting with the individual, or even third-party software tools used for self-management. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) governs the privacy of individuals’ protected health information (PHI) and when and how that information can be shared. HIPAA also governs security protections for certain health information and establishes an array of individual rights with respect to that information. For example, HIPAA has long required that individuals be able to obtain copies of their health information (the “right to access”) and to direct that copies be sent to third parties of their choosing. The specific regulation is 45 CFR 164.524, found in the HIPAA Privacy Rule.
Last week, the U.S. Department of Health and Human Services Office for Civil Rights, the entity responsible for interpreting and enforcing HIPAA, published an important set of Frequently Asked Questions (FAQs) clarifying how an individual’s right to access their individual health information operates, including key points related to electronic health information sharing. The clarifications made by this guidance will help ensure that all Americans have access to their health information, in the form and format requested, when and where they need it most—a fundamental component of a high quality, person-centered health system as reflected in the Office of the National Coordinator for Health IT’s (ONC’s) recently released Connecting Health and Care for the Nation: A Shared Nationwide Interoperability Roadmap version 1.0 (Roadmap). The Roadmap, developed with input from the private sector and consumers, champions access to one’s health information as a critical underpinning of a vibrant, learning health system where individuals are at the center of their care and where providers can seamlessly and securely access and use health information from different sources.
Specifically, in its FAQs on HIPAA privacy rights, the Office for Civil Rights has made clear that:
- Accessing and obtaining copies of one’s health information for one’s own purposes is a right, not a privilege. A disclosing provider or plan covered under HIPAA can refuse access only in very limited circumstances.
- This right extends to a broad array of information, including labs, images, prescription history, physician notes, diagnoses, and similar information.
- The right includes access to an electronic copy of one’s health information contained in an electronic health record (EHR) or otherwise maintained in an electronic format, whenever the provider or its business associate is capable of producing an electronic copy, not just if they are willing to produce such information.
- Functions specified in ONC’s regulations on Certified EHR Technology empower individuals to take advantage of this HIPAA right because ONC’s rule makes transmission by the consumer a required functionality of certified EHR software.
The Office for Civil Rights also provided important guidance about transmission of this information from covered entities to requesting individuals, as well as liability for disclosures that occur in transit. For example, the FAQs state that “while covered entities are responsible for adopting reasonable safeguards in implementing the individual’s request (e.g., correctly entering the e-mail address), covered entities are not responsible for a disclosure of PHI while in transmission to the individual based on the individual’s access request to receive the PHI in an unsecure manner (assuming the individual was warned of and accepted the risks associated with the unsecure transmission). This includes breach notification obligations and liability for disclosures that occur in transit. Further, covered entities are not responsible for safeguarding the information once delivered to the individual.” Health IT Buzz readers may recall that ONC’s 2015 Edition Final Rule supports this concept as well: it requires certified EHR technology to permit an individual to choose between an encrypted and an unencrypted form of transmission of their PHI to a third party. (See specifically 45 CFR 170.315(e)(1)(i)(C).)
ONC recently called on all stakeholders to take up three commitments to support interoperability, one of which is:
“to help consumers easily and securely access their electronic health information, direct it to any desired location, learn how their information can be shared and used, and be assured that this information will be effectively and safely used to benefit their health and that of their community.”
With the new guidance from the Office for Civil Rights, stakeholders have another tool to support this call to action with confidence that they are advancing interoperability while appropriately safeguarding health information.
We hope all stakeholders will step up and embrace this guidance and these shared commitments. This is a major step forward that will advance our goals of nationwide interoperability and a system of better care, smarter spending, and healthier people. For more information, please see the following resources:
- ONC Individual Access Guidance (including FAQs)
- ONC Video on Consumer Right to Access Their Data
- National Blue Button Campaign
- ONC Guide to Privacy & Security of Electronic Health Information (2015)
- ONC 2014 Edition Certification Rule and related materials
- ONC 2015 Edition Final Rule
- Office for Civil Rights HIPAA Regulations Website
This post was originally published on the Health IT Buzz and is syndicated here with permission.