Before I came to work at Ciitizen, I was the Deputy Director for Health Information Privacy at the HHS Office for Civil Rights, which is the office that oversees the Health Insurance Portability and Accountability Act (HIPAA) privacy, security and breach notification regulations. When you’re a privacy nerd like me, it can be a challenge to pick your favorite HIPAA provision (and trust me, I don’t love them all) – but without a doubt, the strong right in the HIPAA Privacy Rule for individuals to obtain access to, and copies of, all of their health information has always deeply resonated with me. When you possess and can control all of your health information, you have power. You have options. You can make better informed choices based on what’s important to you. You can share it as you please, to help yourself and to help others like you. The HIPAA right of access is not only an essential civil right; it is foundational to making health care more patient- or person-centered.
I was fortunate to be able to work on and get finalized comprehensive guidance in 2016 on the HIPAA regulations establishing right of individual access during my tenure as Deputy Director. It was a goal of mine when I took the job – and immensely gratifying to see it become a reality within the first year of my tenure. We had a lot of help – both within HHS and also throughout the Administration – to get it over the finish line, and the list of people who can at least take partial credit for this milestone is too long for this blog post.
I left HHS to come to Ciitizen to help more people get all of their health information and use it and share it as they see fit. There is so much more momentum now for getting patients their data than there was in 2016 – more advocates focusing on it, more companies trying to make it a reality for people, and U.S. government (and also some state and international) policies trending in the right direction. I was ready to hit the ground running….and then reality punched me hard in the stomach.
With a few exceptions, getting your medical records today doesn’t seem to be much better than it was before OCR issued the guidance – especially if you’re sick, and looking to collect your comprehensive health history, much more information that might be viewable or even downloadable from your doctor or hospital’s online portal. We have begun seeking this information via hospital, laboratory and physician medical records offices on behalf of the earliest users of Ciitizen’s platform, and the obstacles we are confronting make my blood boil – especially because I know so many of the roadblocks are flat-out failures to comply with the HIPAA regulations.
Keep an eye on this blog – and on our website – because in the coming weeks, we’ll be talking more about some of the ways too many institutions and organizations (I would like to continue to hope, unintentionally) make it difficult for individuals and caregivers to collect and share health information, and the ways in the hope that by talking more about it, we can be even more of a catalyst for change.
In the meantime, know this:
With a few exceptions (that so rarely occur they probably don’t apply to you), you have the right to all of your health information from your medical providers and your health plans. Doesn’t matter how old it is, or where it originated – if they have the information you’re requesting, you have a right to it.
You have the right to an electronic copy of any information that is maintained electronically (such as in an electronic medical record) – and you even have the right to have paper copies scanned into an electronic format (such as pdf) if the institution or organization has scanning capabilities.
You have the right to get your health information sent to you by e-mail – even if your e-mail isn’t secure, as long as you acknowledge that you are comfortable with receiving your health information this way.
You have the right to have your copies sent directly to the third party of your choice – like to Ciitizen, or another personal health record, or a caregiver, medical professional or favorite research initiative.
While HIPAA does not require entities to give you your information for free, the regulations do significantly limit the costs that can be charged, particularly for electronic copies.
You have the right to get your copies within 30 days – way too long, I agree, and yet many patients are made to wait much longer.
This strong right in HIPAA – which is a federal law – preempts or overrides state laws that provide fewer individual rights. (Of course, where a state has done better than HIPAA, you can rely on that state law to get better access (for example, with quicker turnaround or at a lower cost).
We know what your rights are – and we’ll help you know them, too, and to fully exercise them.
Deven McGraw is the General Counsel and Chief Regulatory Officer for Ciitizen.