Health Information Compliance Alert

Compliance:

Are You Complying With The 6 Key Aspects Of HIPAA's Access Rights?

Learn how HIPAA rule and EHR Incentive Program differ and interact.

If you’re unsure about when and how you must provide patients with access to their health information, the HHS Office for Civil Rights (OCR) wants to lend a helping hand.

On Jan. 7, OCR released a fact sheet and the first in a series of frequently asked questions (FAQs) to further clarify individuals’ rights under HIPAA to access and obtain copies of their health information. The HIPAA Privacy Rule generally requires covered entities (CEs), including health plans and most healthcare providers, to provide individuals, upon request, with access to their protected health information (PHI).

Pay Attention to These Important Areas

This first set of FAQs address the scope of information that HIPAA’s access right covers, as well as the very limited exceptions to this right, the form and format in which you may provide information to individuals, the requirement to provide access in a timely manner, and the intersection of HIPAA’s access right with the requirements for patient access under the Health Information Technology for Economic and Clinical Health (HITECH) Act’s Electronic Health Record (EHR) Incentive Program.

Also, the fact sheet covers key aspects of the right of access provisions, including:

1. What information is included and excluded from the right of access;
2. The rules for requesting access;
3. How you must provide access, including fees you may impose;
4. When you may deny access;
5. How to comply with an individual’s right to direct PHI to another person; and
6. How differing state laws affect the federal regulations.

More to come: In the Jan. 7 announcement, OCR said that it will continue to develop additional guidance and other tools on individuals’ right of access. Also, OCR will work with the White House Social and Behavioral Science Team and the HHS Office of the National Coordinator for Health Information Technology (ONC) to produce consumer-friendly resources, including sample communications tools to encourage patients to access their electronic health information.

Downside: Some Parts are Potentially Confusing

Although the fact sheet and FAQs are generally rather helpful for healthcare entities, some experts believe that certain aspects of the guidance on right of access could cause confusion.

“The guidance has the potential to create confusion … for individuals and healthcare providers to the extent that a state law is more stringent,” warned partner attorney Laurie Cohen in a Jan. 11 blog posting for the law firm Nixon Peabody LLP.

For instance: Under the HIPAA Privacy Rule, a healthcare provider must respond to a request for a copy of health information within 30 days and may charge a reasonable, cost-based fee for such copies, Cohen illustrated. Under New York State law, however, a healthcare facility or practitioner must respond to such a request within 10 days and may impose a reasonable charge for all inspections and copies, not exceeding the incurred costs, and the reasonable charge for paper copies must not exceed $0.75 per page.

HIPAA Access vs. EHR Incentive Program: What You Need to know

One of the key issues that OCR tried to address in the FAQs is how the HIPAA right of access and the HITECH Act’s EHR Incentive Program’s “View, Download, and Transmit” provisions intersect, as well as how they differ. OCR provided the following chart that illustrates some key distinctions between the access rule and the Incentive Program’s requirements:

Resources: The new OCR materials on individuals’ right of access are available at www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.