The HIPAA Privacy Rule Right of Individual Access guarantees that patients can get copies, physical or digital, of their healthcare records from their providers. Simple as that. But then again, it’s not as simple as it might first sound. Many provider organizations misinterpret this area of HIPAA law. One mistake can lead a hospital, health system or group practice into noncompliance with HIPAA – the consequences of which can include substantial fines.
Where a right goes wrong
Deven McGraw, chief regulatory officer at Ciitizen, a company that helps consumers get digital copies of their medical records, is very familiar with the places where provider organizations get the HIPAA Privacy Rule Right of Individual Access wrong.
In her recent HIMSS20 Digital educational session on the subject, Patient Access to Medical Records: The Rocky Road to APIs, McGraw – who also served as chief privacy officer at the Office of the National Coordinator for Health IT – offered some detailed insights into how providers should be thinking about this law, especially in light of new patient-access rules from ONC and CMS.
“A covered entity may require that a request is in writing, and most do,” she explained. “And this request can be accepted electronically, and that is often the easiest way for patients in this day and age to get a request into the covered entity. Entities are required to take reasonable steps to verify the identity of the patient. But you can’t establish those identity verification requirements in a way that ends up creating an obstacle to or barrier to access, or unreasonable delay.”
McGraw said there are three ways that healthcare provider organizations typically find themselves in noncompliance with the right of individual access, and that organizations must do everything they can not to fall into these traps.
“Some entities – and these are not just small entities, these are entities that have privacy officials and compliance staff – say they will only take in requests by mail, or just by fax,” she noted. The law and the guidance say that covered entities must accept requests physically and digitally.
Sign on the digital line
On another front, some entities also struggle with digital signature, she said. “How do I know the patient has actually signed this request form when it is done digitally?” McGraw asked. “That I think is an open question that can be difficult to solve. But nevertheless, you have to have a way for people to be able to remotely request their information, because you can’t require an in-person visit. The guidance makes this very clear.”
And finally, some covered entities still require patients to come in person to make a records request, she said. “Even though guidance makes clear that an entity cannot require an individual to make a separate trip to the office to request access,” she said. McGraw, along with co-presenter Jodi G. Daniel, partner at Crowell & Moring and former policy director at ONC, does a deep dive into the subject of patients accessing their records and the application programming interfaces that are making the digital sharing of records easier. To attend the digital session, click here.
