Last month, the U.S. Department of Health and Human Services’ Office of Civil Rights (HHS OCR) published the first in a series of guidance materials meant to further clarify individuals' core right under HIPAA to access and obtain a copy of their health information. The new guidance, in the form of Frequently Asked Questions (FAQs), addresses the scope of information covered by HIPAA's access right, the very limited exceptions to this right, the form and format in which information should be provided to individuals, the requirement to provide access to individuals in a timely manner, and the intersection of HIPAA's right of access with the requirements for patient access under the HITECH Act's Electronic Health Record (EHR) Incentive Program.
Among other things, the new guidance explains that, under the Privacy Rule, a health care provider cannot require patients to pick up their records in person if they ask for the records to be sent by mail or email. A provider cannot require an individual to use a web portal for requesting access, as not all individuals will have ready access to the Internet, or to mail an access request, as this would unreasonably delay the covered entity’s receipt of the request and thus, the individual’s access. A health care provider cannot deny a request for access to health information because a patient has failed to pay medical bills. And although a doctor or a hospital may charge a fee to cover the cost of copying, it cannot charge for the cost of searching for data and retrieving it.
The new guidance is available on HHS OCR's website at: http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html
The HIPAA Privacy Rule has always provided individuals with the right to access and receive a copy of their health information from their doctors, hospitals and health insurance plans. The Privacy Rule is especially important in the era of EHRs, which are supposed to empower consumers to easily transfer health information from provider to provider. HHS characterizes this as a right “critical to enabling individuals to take ownership of their health and well-being.” HHS OCR’s press release argues that, with “more targeted treatments discovered through the new precision medicine model of patient-powered research, it is more important than ever for individuals to have ready access to their health information.” HHS OCR’s stated reason for rolling out a series of explanatory information products concerning the Privacy Rule is its perception that providers have raised unjustified roadblocks to individuals’ access to their own health information.
The Privacy Rule has been an area of heightened enforcement activity for HHS OCR over the last few years. OCR has the power to levy penalties against providers who violate HIPAA, but it doesn’t often do so. And individuals do not have a private right to sue covered entities for violations of HIPAA.
So why should health care providers worry about complying with the Privacy Rule in particular, and HIPAA more broadly? Because individuals have found ways to circumvent the federal statute’s preclusion of private rights of action by filing actions in state courts under state law. HIPAA does not preempt state-law causes of action for the wrongful disclosure of health care information. If an individual were to be harmed by the wrongful withholding of health care information, there’s no obvious reason why a state cause of action wouldn’t lie against the responsible provider.
State courts have allowed plaintiffs to use HIPAA as a standard for measuring the duty to maintain confidentiality in negligence, privacy, and professional liability cases. Due to the broadness of state tort laws pertaining to negligence and the substantial damages awarded by some state courts in lawsuits arising out of conduct that violated HIPAA, covered providers need to make sure that their HIPAA compliance programs are well-designed and working as planned.