In many practices across the U.S., “HIPAA” is a term thrown around often. Providers and administrative staffers guard patient records with excessive caution, at times cracking wise about the “HIPAA Police” coming to get them for violations.
It’s a joke, of course, but it stems from genuine caution. The HIPAA (aka the Health Insurance Portability and Accountability Act of 1996) Privacy Rule is designed to protect the privacy of American healthcare consumers by shielding their protected health information, or “PHI,” from unauthorized eyes. The consequences for failing to do so can be devastating; headlines about HIPAA violations abound every quarter, with six-figure fines becoming ever more commonplace. (Multimillion-dollar fines, stemming from large data breaches, have also been imposed.)
The entity issuing those fines is typically the Office for Civil Rights (OCR) arm of the U.S. Department of Health and Human Services (HHS), which makes it perplexing to witness OCR’s new call for greater access to patient information across the healthcare ecosystem.
It’s less perplexing with a little more background: HIPAA doesn’t only exist to protect patients’ health information; it also exists to make sure patients can get theirs. The HIPAA Privacy Rule has always provided individuals with the right to access and receive a copy of their health information from their doctors, hospitals and health insurance plans. (Individuals even have the right to request electronic copies of their PHI if that’s how the covered entity maintains it.)
But the aforementioned caution, and fear of the “HIPAA Police,” keeps many providers from embracing that provision.
“Far too often, individuals face obstacles to access their health information, even from entities required to comply with the HIPAA Privacy Rule,” Jocelyn Samuels, director of OCR, wrote in a recent blog post. “This must change.”
To help change it, Samuels’ organization issued new guidance to clarify what providers are permitted, and required, to do in certain situations. The full Access Guidance is available here, but here are a few important takeaways:
- If requested, patients are permitted access to their medical records; billing and payment records; insurance information; lab test results; imaging results; wellness and disease management program files; clinical case notes; and other information used to make decisions about their care.
- Patients are not permitted access to any quality assessment, practice improvement, or patient safety activity records, or to any business planning, development, and management records.
- Practices can decline access to any psychotherapy notes that a mental health provider maintains separately from the rest of the patient’s medical record, or to any information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
- If requested, patients must be given access to recent lab test results, a current medication list, a medication history, and a problem list maintained in certified EHR technology.
- Practices must provide access to requested PHI no later than 30 calendar days from receiving the individual’s request. Be mindful of Meaningful Use, however: Stage 2 guidelines dictate that eligible professionals must make information available within four business days of its availability, and Stage 3 requires them to make information available to patients within 48 hours of availability.