Health IT Pulse

Jan 12 2016   11:22AM GMT

OCR issues reminder about patient health information access under HIPAA

Alex Delvecchio Alex Delvecchio Profile: Alex Delvecchio

HIPAA business associate

The U.S Department of Health and Human Services is trying to change the perception of what HIPAA does for patients. HIPAA is commonly thought of as a rule that requires health organizations to secure patients’ protected health information (PHI). While that remains true, HHS wants more people to be aware that HIPAA also affords them the right to freely access their own patient health information.

Jocelyn Samuels, director of the HHS Office for Civil Rights (OCR), authored a blog post that accompanied a frequently asked questions (FAQ) section and fact sheet detailing the information which patients must be allowed to receive. Patients are entitled to a “designated record set”, a collection of the patient’s PHI, which contains the following:

  •  Medical and billing records maintained by a covered healthcare provider
  • Enrollment, payment and claims adjudication records
  • Any other records used by providers to make a decision about an individual patient

In her blog, Samuels promised OCR and HHS “will continue to develop additional guidance and other tools as necessary to ensure that individuals understand and can exercise their right to access their health information.”

Patients can ask for a copy of their PHI, either in an electronic or paper format. If the record is not “readily producible” in the patient’s preferred format, the covered entity and individual must agree on an alternative format. A patient must be given access to their information within 30 days of their request, unless there is a delay in processing. If that occurs, the HIPAA covered entity has an additional 30 days to grant the patient’s request.

There are still limits to the information that patients can obtain, however. The HHS fact sheet specified psychotherapy notes, information to be used in a criminal or civil legal proceeding, and patient safety activity records as examples of information that is excluded from designated record sets, meaning that this information doesn’t have to be offered up to patients.

In the FAQ portion of its update, HHS addressed whether an individual’s ability to access old patient health information ever expires, if patients can be denied certain health information and whether PHI held by a covered entity’s business associate must also be disclosed to inquiring individuals. The answers to all of the questions are tilted in favor of patient access.

 Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: