Sara Koliner, Policy Analysis Project Assistant, Project HealthDesign National Program Office
Last week, Bloomberg BNA’s Health IT Law & Industry report provided an insightful overview of the new Omnibus Rule issued by the Department of Health and Human Services to modify HIPAA. This final rule, created in response to the Health Information for Economic and Clinical Health (HITECH) Act, finalizes proposed rule changes regarding privacy, security, and breach notification requirements. While we encourage you to read the entire report, we would like to specifically highlight the rule’s modifications to individuals’ electronic access to their medical records.
As Project HealthDesign legal and policy consultant Robert Belfort et al. explain in their summary for Bloomberg BNA, this particular rule builds on the “right to an electronic copy on any PHI [Protected Health Information] maintained in an EHR” outlined in the HITECH Act. The limitation of the prior requirement to Electronic Health Records left a wide range of protected, electronically-maintained health information unaccounted for, creating a potential for disparate access requirements between EHRs and otherwise. The Omnibus Rule extends the right to an electronic copy to “all protected health information maintained in one or more designated record sets electronically, regardless of whether the designated record set is an EHR.” Should a copy of this information not be readily producible, it should be provided in a standard digital form (such as a .txt, .pdf, or .doc file).
Allowable fees are also identified. Covered entities will be able to charge a “reasonable, cost-based fee” for costs involved with the providing the service, such as supplies (such as a CD), labor, and postage, if necessary. To clarify, “labor” would not include the cost of retrieval, and costs associated with the digital infrastructure or system maintenance would not be permissible.
Perhaps the most beneficial modification to consumers is the removal of the 60 day window within which requested health information maintained off-site must be delivered. Now, covered entities must respond to all requests within 30 days (maintaining the possibility of a one-time 30 day extension if necessary). Especially when technology has advanced to the point of near-instantaneous information delivery, this amendment incentivizes healthcare providers to meet the demands of the modern consumer. Furthermore, increasing the timeliness of health data delivery will significantly improve patient engagement, paving the way for information to flow more readily in both directions.
Aside from some exemptions, the Omnibus Rule requires compliance by September 23, 2013. Increasing the convenience and ease of access to protected health information is an important step in encouraging use among patients. We are happy to see HHS making strides in this direction.