Maryland and DC Physician Employment Lawyer David M. Briglia

HHS OCR Clarifies Individuals' Right to Access Health Information under HIPAA

2/29/2016

Last month, the U.S. Department of Health and Human Services’ Office of Civil Rights (HHS OCR) published the first in a series of guidance materials meant to further clarify individuals' core right under HIPAA to access and obtain a copy of their health information. The new guidance, in the form of Frequently Asked Questions (FAQs), addresses the scope of information covered by HIPAA's access right, the very limited exceptions to this right, the form and format in which information should be provided to individuals, the requirement to provide access to individuals in a timely manner, and the intersection of HIPAA's right of access with the requirements for patient access under the HITECH Act's Electronic Health Record (EHR) Incentive Program.

Among other things, the new guidance explains that, under the Privacy Rule, a health care provider cannot require patients to pick up their records in person if they ask for the records to be sent by mail or email. A provider cannot require an individual to use a web portal for requesting access, as not all individuals will have ready access to the Internet, or to mail an access request, as this would unreasonably delay the covered entity’s receipt of the request and thus, the individual’s access. A health care provider cannot deny a request for access to health information because a patient has failed to pay medical bills. And although a doctor or a hospital may charge a fee to cover the cost of copying, it cannot charge for the cost of searching for data and retrieving it.

The new guidance is available on HHS OCR's website at: http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html

The HIPAA Privacy Rule has always provided individuals with the right to access and receive a copy of their health information from their doctors, hospitals and health insurance plans. The Privacy Rule is especially important in the era of EHRs, which are supposed to empower consumers to easily transfer health information from provider to provider. HHS characterizes this as a right “critical to enabling individuals to take ownership of their health and well-being.” HHS OCR’s press release argues that, with “more targeted treatments discovered through the new precision medicine model of patient-powered research, it is more important than ever for individuals to have ready access to their health information.” HHS OCR’s stated reason for rolling out a series of explanatory information products concerning the Privacy Rule is its perception that providers have raised unjustified roadblocks to individuals’ access to their own health information.

The Privacy Rule has been an area of heightened enforcement activity for HHS OCR over the last few years. OCR has the power to levy penalties against providers who violate HIPAA, but it doesn’t often do so. And individuals do not have a private right to sue covered entities for violations of HIPAA.

So why should health care providers worry about complying with the Privacy Rule in particular, and HIPAA more broadly? Because individuals have found ways to circumvent the federal statute’s preclusion of private rights of action by filing actions in state courts under state law. HIPAA does not preempt state-law causes of action for the wrongful disclosure of health care information. If an individual were to be harmed by the wrongful withholding of health care information, there’s no obvious reason why a state cause of action wouldn’t lie against the responsible provider.

State courts have allowed plaintiffs to use HIPAA as a standard for measuring the duty to maintain confidentiality in negligence, privacy, and professional liability cases. Due to the broadness of state tort laws pertaining to negligence and the substantial damages awarded by some state courts in lawsuits arising out of conduct that violated HIPAA, covered providers need to make sure that their HIPAA compliance programs are well-designed and working as planned.

The Law Office of David M. Briglia serves doctors, physician assistants, nurse practitioners and other employees of the healthcare industry in Washington, D.C., and Maryland, including Silver Spring, Olney, Takoma Park, Bethesda, Rockville, Chevy Chase, Gaithersburg, Germantown, Cheverly, Laurel, Columbia, Baltimore, Annapolis and Frederick, and throughout Montgomery County, Prince George's County, Howard County, Anne Arundel County and Baltimore County.
Disclaimer: The contents of this site are for informational purposes only. None of the information posted on this site is intended as, nor can it be relied upon, as legal advice. Use of this site does not create an attorney-client relationship between the user and the firm. 
Copyright © 2022 David M. Briglia