Third Party Rights Under HIPAA

The right for individuals to access and receive copies of their “protected health information” (PHI) has existed since the HIPAA Privacy Rule was first effective in 2003. In 2009, Congress improved this right in the Health Information Technology for Economic and Clinical Health Act (HITECH) by allowing individuals to use their right of access to have information from an "electronic health record" sent directly to a third party of their choice. To exercise this right, individuals merely needed to make sure that their choice of third party was “clear, conspicuous, and specific” (Section 13405(e)(1)).  

In the final Omnibus Rule, which was issued in January 2013, HHS used its broad authority under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to expand this right and enable individuals to use their right of access to send PHI from any source (not just from an “electronic health record”) to third party designees.  Individuals merely needed to make this request in writing (which could be electronic) and be clear about the destination. Hospitals, physician practices, and health plans were required to honor this designation and provide the PHI under the same terms and conditions as apply to PHI delivered to the individual (e.g., provided within 30 days, at low cost, in the form or format requested by the individual).

Before Congress and HHS established the right of individuals to have information sent directly to third parties, individuals had the right to access their PHI themselves. But to get that information to a third party, such as another doctor or a caregiver, the individual had to be an intermediary in the middle, personally obtaining the information and then sending it along to its destination.  

HHS gave entities like hospitals and physician practices 60 days to get into compliance with this new rule; thus, for more than five years individuals should have enjoyed the right to have their health information sent directly to the third party of their choice.  

Yet, when I was the Deputy Director for Health Information Privacy at the HHS Office for Civil Rights, I heard many stories of individuals who faced obstacles in trying to get their health information from point A to point B and found it difficult to have it shared with a loved one, with another medical provider for treatment, or with an insurance provider in order to get a claim fully paid.

OCR issued comprehensive guidance in 2016 to entities covered by HIPAA to be more clear about the right of individuals to “get out of the middle” of routing their health information — to enable them to use the right of access to have information sent to the third party of their choice.  OCR also, jointly with the HHS Office of the National Coordinator for Health IT (ONC), issued fact sheets for consumers, and as well as some videos. The guidance makes clear that:

  • Individuals have the right to use the HIPAA right of access to send information to any third party they want, for any purpose.

  • All of the provisions of HIPAA that apply to the right of access also apply when the individual is asking to have their PHI sent to a designated third party — for example, the right to have information sent in the form or format the individual wants (including the right to get information digitally); the right to have information sent within 30 days in most circumstances; and the right to have that information at a reasonable-cost based fee (for the labor associated with making the requested copy and any necessary supplies)

At Ciitizen, our users seek their health information from all of their medical providers in order to have it aggregated and neatly organized in their Ciitizen profile, allowing them to share it for care coordination, donate it for research purposes, or use it for any other purpose that suits their needs. The individuals request their health information under the right of access and clearly, conspicuously, and specifically designate Ciitizen as the third party to receive those records, in accordance with HIPAA’s rules and guidelines.

In Thursday's blog you will hear more about our experiences in helping our users get their health information as our users’ third party designee.

-Deven McGraw