Deven McGraw, Project HealthDesign Regulatory and Assurance Advisory Group, Center for Democracy & Technology
Last month, the Administration released long-awaited final regulations to implement most of the improvements to federal health privacy protections enacted by Congress in the HITECH provisions of the 2009 economic stimulus legislation. As described earlier this month in iHealthBeat, the regulations include strengthened prohibitions against use of patient data without consent for marketing communications; extension of federal privacy and security protections to contractors (and subcontractors) of doctors, hospitals and insurers; improved right of individuals to be notified of breaches of their health data; and clarity regarding an individual’s right to receive digital copies of her health information. This blog post will focus specifically on the rights of patients under HIPAA to access their data.
The HIPAA Privacy Rule has always provided individuals with the right to access and obtain copies of health information maintained in provider or health plan records. Under the existing regulations, when a patient makes such a request, the provider or plan has up to 30 days to provide the requested access or copy; however, the provider or plan can take up to an additional 60 days if the information requested is stored off-site. Patients can also be charged a reasonable, cost-based fee for copies of their information, covering the costs of both the labor and supplies. State law frequently sets maximum rates to be paid by patients for copies of their medical records. Although this right of access has been part of the Privacy Rule since it was first implemented, many patients have faced obstacles in trying to obtain timely copies of their health information.
The Privacy Rule covers identifiable health information in both paper and digital form, so this right of patient access has always applied to information kept in electronic as well as paper medical records. However, in HITECH, Congress made it clear that when a patient’s information is stored electronically, patients have the right to obtain an electronic copy and to have that copy sent at their request to another person or entity, like a doctor, a caregiver, or a personal health record or mobile health app.
The new regulations released last month implement this mandate and also clarify how this right to digital data can be exercised. Patients have the right to an electronic copy “in the form or format they request” – but only if the provider or plan is capable of producing the copy in the requested format. If the data isn’t “readily producible” in the format requested by the patient, the provider or plan and the patient are expected to come to an agreement on an acceptable, machine-readable digital format. In other words, patients cannot demand that their providers run out and purchase new technology in order to produce data in a specific, desired format; however, providers must have the capability of providing patients with some type of machine-readable, electronic copy of their data. HHS suggests that MS Word, Excel, text, HTML or PDF are among the possible options. The patient can also choose to obtain a paper copy if none of the provider’s digital formats meets the patient’s needs.
The new rules still allow providers and plans to ask patients to submit written requests for copies of their health information, although this is not required by the Privacy Rule. However, if the patient wants to have the electronic copy transmitted directly to a third party, the new rules require that this request be in writing, be signed by the patient, and clearly identify the designated recipient and where the information is to be sent. (The writing and signature can be digital.) Per existing requirements of the HIPAA Privacy and Security Rules, providers or plans sending identifiable health information at a patient’s request must take steps to verify the identity of the patient, send the right records, and implement safeguards to protect the information in transit.
Of note, although the Security Rule requires providers and plans to implement safeguards for transmitting identifiable health information, patients also have the right to get their copies through unencrypted e-mail if they so choose – a point that was clarified in the material accompanying the new regulations. Providers and plans are first required to advise patients of the risk of receiving information through unsecure channels; but if the patient opts for the unsecure method, she has the right to receive her information in this way. (This advice on the risks of unsecure e-mail does not have to be extensive; it is enough to notify the patient that there is “some level of risk that the information in the e-mail could be read by a third party.”) Some patients prefer the convenience of having their data sent directly to them at their regular e-mail address; others will welcome the option of having a secure method. HHS makes clear in the new regulations that the patient has the right to choose.
Patients can still be charged for digital copies of their data – but only for the labor costs associated with preparing the copy (not including fees for “retrieval”). If the patient chooses to purchase supplies (like a flash drive) from the provider or plan, there may be a reasonable charge imposed for those.
Although the new regulations make important clarifications to HIPAA’s patient access right, providers and plans can still take a fairly long time to respond to patient requests for data: up to 30 days, and an additional 30 days for information stored off-site. HHS encourages faster response times but noted a need to set the outer boundaries at a level that would enable entities to comply regardless of the nature of the patient’s request or the location of the data. As noted in a previous blog post, the Stage 2 requirements of the Meaningful Use program will provide some patients with more timely, on-line access to relevant digital health information. However, these requirements apply only to entities participating in the Meaningful Use program, and those entities are only required to make this access available to a portion of their patients. The HIPAA access rules provide the baseline for all providers using digital records and, for some patients, will constitute the only available pathway for obtaining copies of their data.
The final rules are effective March 26, 2013; entities covered by the rule have another 180 days to come into compliance with most provisions. Until the effective date, the existing HIPAA rules on patient access remain in place.