Responding to complaints that the Health Insurance Portability and Accountability Act (HIPAA) sometimes makes it difficult for patients to obtain their own medical records, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently issued guidance to help people better exercise their existing rights for accessing that information. The guidance also might prove useful to healthcare providers when patients make unreasonable demands for information.
HIPAA always has allowed patients to access and obtain a copy of their personal health information under the HIPAA Privacy Rule, explains OCR Director Jocelyn Samuels in a blog post announcing the guidelines. (Her blog is available online at http://tinyurl.com/gptzh6m.)
Samuels says the guidance explains the scope of information covered by HIPAA’s access right; the narrow exceptions to the right and other mandated elements, including timeliness; the form and format for providing access; and how the HIPAA access right intersects with patient access requirements under the electronic health record meaningful use and incentive program.
“The HIPAA Privacy Rule has always provided individuals with the right to access and receive a copy of their health information from their doctors, hospitals and health insurance plans,” Samuels writes in her blog. “Unfortunately, based on recent studies and our own enforcement experience, far too often individuals face obstacles to accessing their health information, even from entities required to comply with the HIPAA Privacy Rule. This must change.”
Samuels announced the release of a fact sheet and the first in a series of topical Frequently Asked Questions (FAQs) to further clarify individuals’ right under HIPAA to access and obtain a copy of their health information. The set of FAQs addresses the scope of information covered by HIPAA’s access right, the very limited exceptions to this right, the form and format in which information is provided to individuals, the requirement to provide access to individuals in a timely manner, and the intersection of HIPAA’s right of access with the requirements for patient access under the HITECH Act’s Electronic Health Record (EHR) Incentive Program.
A key explanation in the guidance addresses how individuals have a right to access protected health information (PHI) in a “designated record set.” It also delineates the limits of what healthcare providers are required to provide. OCR explains that a designated record set is defined at 45 CFR 164.501 as a group of records maintained by or for a covered entity that includes these documents:
- medical records and billing records about individuals maintained by or for a covered healthcare provider;
- enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
- other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. This last category includes records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.
“Thus, individuals have a right to a broad array of health information about themselves maintained by or for covered entities, including: medical records; billing and payment records; insurance information; clinical laboratory test results; medical images, such as X-rays; wellness and disease management program files; and clinical case notes; among other information used to make decisions about individuals,” the guidance notes. “In responding to a request for access, a covered entity is not, however, required to create new information, such as explanatory materials or analyses, that does not already exist in the designated record set.”
The OCR fact sheet and FAQs are available online at http://tinyurl.com/gsu7zao.