Expanding Healthcare Information Access for Patients
In March, the Office for Civil Rights (OCR) released a document detailing individuals’ rights to access their health information under HIPAA. It’s been shown that individuals who are more engaged with their health care are able to achieve better health outcomes at a lower cost. Having access to health information increases engagement, enabling individuals to make more informed treatment decisions, adopt healthy behaviors, and take medication as advised.
The HIPAA Privacy Rule allows individuals to get a copy of their health information from most covered entities and establishes minimum standards for the processes involved, including access provided, the denial of access, and documentation of actions. This rule and the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH) specify that covered entities must provide a copy of protected health information (PHI) within thirty days of a request, provide it in the format requested (if it is readily available), and may not charge individuals more than a reasonable, cost-based fee. If the entity has adopted electronic health record technology, it must provide access to the information in electronic format. If an individual wishes, they may designate a person or entity to receive a copy of their records.
Despite the progress that these efforts and others have made towards giving patients quick, easy access to their health information, some barriers remain. For example, many individuals are unaware of their legal right to ask for a copy of their health information from their providers and to elect a personal representative to receive this information if they choose. Additionally, some health care providers do not store health information in electronic form, and patients must wait until physical copies are made and mailed to them, which can slow down access. To help remove these barriers, there are many steps entities can take.
Recognize and make patients aware that authorization is not required for access to their own PHI
To be HIPAA-compliant, entities must require authorization when a third party requests access to a patient’s PHI. However, it’s important to note that authorization is not required for individuals or their designated representative. Patients can simply submit a request in writing to the healthcare provider in order to receive the PHI. The entity may require this request to be in a specific format (such as a form specified by the entity), but this format must not limit accessibility.
Honor requests from personal representatives requesting PHI
If an individual has designated another person or entity to receive their healthcare information (a holder of a healthcare power of attorney or the parent/guardian of a minor, for example), this representative has the same right to access the patient’s PHI as the patient. Once the entity has ensured that the representative's authority to act on behalf of the patient is valid, it must provide the PHI in the same manner and under the same rules as if it were dealing with the individual directly.
Ensure timeliness when providing access
As stated above, entities must provide access to PHI within thirty days of a request. However, this is an outer limit of what is considered compliant, and it’s advantageous to respond as soon as possible. With the advent of electronic records, entities may be able to provide individuals with very prompt, if not immediate, access to their information. In addition, while no criteria have been established regarding how easy it is for individuals to understand the information within their health records, ensuring that the information is readable and simple to comprehend is the best path to increasing patient engagement with their health care.