Individuals have an inherent right to access their own health information. Patient data access can be a critical tool for proper care, but both providers and patients often face confusion about how HIPAA regulations impact the exchange and release of protected health information (PHI).
Access to Information
Patients will have greater control in their personal healthcare when they can have necessary access to their own information. Reviewing records can also help patients ensure that their provider has complete, correct, and up-to-date information about important issues, such as known allergies or medications, writes Elizabeth Snell, Editor, Xtelligentmedia.com on healthitsecurity.com features section.
Individuals can ask to view and obtain a copy of their health records, receive records as paper or electronic copies, and even have records sent to another entity for treatment, billing, or operations purposes. But patient care is a complicated issue, and often requires multiple stakeholders to collaborate and discuss sensitive issues related to the individual. Are caregivers allowed the same rights as the patient? What if an individual poses a threat to herself or to others? Can a hospital release certain information to law enforcement to help keep all involved parties safe?
Understanding the intricacies of patient data access under HIPAA regulations will help providers and patients work together toward an improved healthcare system that maintains PHI security.
Personal Health Information
Patients have the right to access their own health information, a right that is often misunderstood or not even realized. Both parties can be misinformed about how to handle requests to access health information, said AHIMA Director of HIM Practice Excellence Lesley Kadlec. In order to clarify how to proceed, AHIMA recently released a patient data access form that providers can use as a template. “We wanted to make sure that we had an easy tool that anyone could use to allow the patient to have that access or to give that access to their designated personal representative,” said Kadlec.
“This is just a suggested model form. We know that some organizations may have their own forms, and we certainly support that. But we wanted this form to be made available to those organizations that did not have an easy plain language form for patients to use to get that access to their information.” Individuals specifically have the right to request access to a “designated record set” which HHS defines as a “group of records maintained by or for a covered entity that is used, in whole or part, to make decisions about individuals, or that is a provider’s medical and billing records about individuals or a health plan’s enrollment, payment, claims adjudication, and case or medical management record systems.”
The AHIMA form also aligns with a 2017 ONC report that outlined how healthcare organizations need to improve their processes for patient data access measures. The agency interviewed 17 consumers about the challenges they encounter with accessing their own data. Medical record release information and forms from 50 US large health systems and hospitals representing 32 states were also analyzed.
“In the current records request process, patients and health systems are often at odds, as each struggles through an inefficient system to accomplish needed tasks with limited resources,” report authors wrote. “But ultimately, these two user groups have the same goals — and shared needs. That means that improving the records request process is a win-win.”
Patients should be able to easily request and receive their records from their patient portal, ONC recommended. Providers can also simplify the process by setting up an electronic records request system outside of the patient portal.
In the current records request process, patients and health systems are often at odds, as each struggle through an inefficient system to accomplish needed tasks with limited resources. Language should be plain, and easy to understand, ONC added. A status bar or progress tracker will also help consumers know where they are in the records request process. Online appointment scheduling, secure messaging, and prescription refills can also help encourage patients to use patient portals and hopefully – understand how to access their own records.
Authorized disclosure under HIPAA regulations contend that giving information to individuals or to their personal representatives, such as authorized caregivers, parents, or guardians, is allowed. However, the HIPAA Privacy Rule maintains that it will defer to state law with regard to when someone has the legal authority to act on behalf of another individual.
“The Privacy Rule would require that covered entities grant personal representatives with the right of access on behalf of an individual in an electronic environment, just as they do today with regard to paper-based information,” the Rule states. “Covered entities will want to make sure, however, that they have the capacity to identify, authenticate, and properly respond to requests from these individuals, whether electronically or otherwise, as the Privacy Rule requires.”