Covered entities have an obligation under the HIPAA Rule to provide individuals with the right to access and receive copies of their health information. Last week we covered the scope of this right, which is all information that is part of the “designated record set,” including images and clinician notes.
This week we’re going to talk about covered entities’ obligations to adopt policies and procedures to assure that individuals can actually exercise this access right. In other words, to both honor this right and handle the influx of requests, covered entities must establish processes to receive and service these requests in ways that are compliant with HIPAA (45 CFR 164.130(i)(1)).
OCR has made clear in guidance that these processes "may not impose unreasonable measures on an individual requesting access that serve as barriers to or unreasonably delay the individual from obtaining access.”
For example, a doctor may not require an individual:
Who wants a copy of her medical record mailed to her home address to physically come to the doctor’s office to request access and provide proof of identity in person.
To use a web portal for requesting access, as not all individuals will have ready access to the portal.
To mail an access request, as this would unreasonably delay the covered entity’s receipt of the request and thus the individual’s access.
While a covered entity may not require individuals to use mail, use a portal, or submit requests in person, entities may permit an individual to do so if desired. In general, covered entities are encouraged to offer individuals multiple options for requesting access in order to make it easier on the patient. At a minimum, covered entities must inform individuals that they have a right to access and get a copy of their health information in their Notice of Privacy Practices (which you are likely familiar with, as you should have been provided with a copy on your first visit to a new doctor or hospital, or when you enroll in a new health plan). Unfortunately, this notice only informs you of what your rights are, and typically information about how to exercise those rights is found elsewhere (such as on an institution’s website).
In addition to establishing HIPAA-compliant processes for receiving individual requests, a covered entity must respond to that request in way that is compliant with the HIPAA Privacy Rule. For example:
Individuals can say how they would like to receive the information - such as wanting a digital copy and/or wanting the information to be e-mailed - and this request must be honored as long as the covered entity can “readily produce” the copy in the way the individual wants it. OCR has made clear in the above guidance that “readily producible” means the entity is capable of honoring the request (vs. what the entity would prefer). The records must honor the individual’s request regarding form and format of information as long as it is readily producible.
Covered entities cannot charge fees greater than a reasonable, cost-based fee for the labor costs associated with making the copy requested by the individual and any supplies necessary to fulfill the individual’s request.
Covered entities must send the information to an individual’s designated third party and must do so within 30 days in most circumstances.
Covered entities are also required to train staff on what HIPAA requires, including on the elements of the right of access (45 CFR 164.530(b)). Because the right of access is an individual right under the HIPAA Privacy Rule, OCR has maintained that covered entities are accountable to OCR for assuring they are in compliance with this right. This means that if a covered entity hires a vendor to service patient access requests on its behalf, the covered entity is liable if that vendor is out of compliance with HIPAA. This helps make certain that everyone involved in the records supply chain is accountable.
All covered entities must also have the capability of obtaining the information requested by an individual that is maintained by a covered entity’s business associate; for example, information held by a provider electronic health record vendor or storage company that keeps historical records. Thus, there’s no HIPAA loophole for institutions who claim they do not have to provide records that are not onsite.
In a perfect world, these record request processes are easily accessible by consumers, and getting your health data is a simple, pain-free process. However, we’ve found that in our experience requesting records on behalf of our Ciitizen users, the reality in most cases is far from ideal.
See our blog post on Thursday for more examples of noncompliance.