While the healthcare sector continues to work toward achieving nationwide interoperability, concerns over potential HIPAA violations with regard to patient data access is also on the rise.
Covered entities need to allow individuals access to their own data should they request it, but privacy and security considerations must also be a top priority.
Reviewing the basics of the HIPAA Security Rule and Privacy Rule can assist healthcare organizations as they increase electronic health data access. This way, patients are able to see their own information upon request, but both parties can rest assured that PHI will not fall into the wrong hands.
Patient data access under HIPAA rules
The HIPAA Privacy Rule has two circumstances where covered entities may exchange private patient data.
First, organizations may exchange PHI when the HIPAA Privacy Rule specifically permits or requires it. The second scenario that allows data to be exchanged is when the subject of the data (the patient) specifically authorizes the exchange.
Interoperability and permitted times of sharing PHI have recently been addressed by the Office of the National Coordinator (ONC). In a series of blog posts throughout 2016, ONC Chief Privacy Officer Lucia Savage, J.D. and ONC Privacy Analyst Aja Brooks, JD maintained that interoperability is permitted under HIPAA regulations, but there has been some confusion over how it can be done properly.
“Some providers are not sharing PHI due to their health care organization’s policies, procedures, or protocols, even if the sharing is permitted under HIPAA, or because laws in the provider’s state apply in addition to HIPAA,” Savage and Brooks wrote. “Interestingly, this lack of exchange of PHI runs contrary to consumer perception, with research demonstrating that patients assume their PHI is automatically shared between their treating physicians.”
It is also important to know that HIPAA allows covered entities to disclose PHI to other covered entities or business associates without patient consent in certain conditions. These include, but are not limited to the following:
- Conducting quality assessment and improvement activities
- Developing clinical guidelines
- Conducting patient safety activities as defined in applicable regulations
However, both covered entities must have a relationship with the patient and the PHI being shared must pertain to that relationship. Only the minimum information necessary can also be disclosed.
Providers must also account for instances during which they exchange the information on an interoperable system for reasons not necessarily covered under the Privacy Rule.
“If the covered entity wishes to use or disclose the PHI for something other than treatment, payment, or health care operations, it must obtain patient authorization to do so, unless the use or disclosure is permitted by another provision of the HIPAA Privacy Rule,” the pair explained in their second blog post on patient data access. “One important such rule is when a patient requests a copy of her PHI, and asks that it be sent somewhere else.”
Essentially, providers need to find another place under HIPAA where that exchange was noted permissible, or they must receive authorization from the patient when data exchange occurs outside the provisions of the HIPAA Privacy Rule.
“Nationwide interoperable health information technology (health IT) will help make the right electronic health information available to the right people at the right time for patient care and health, no matter the care setting, organization, or technology supporting the information exchange,” said Savage and Brooks. “HIPAA’s Permitted Uses and Disclosure are rules that run ‘in the background’ in support of this important nationwide goal.”
When PHI access can be denied
There are situations where patients can be denied access to PHI.
A covered entity may deny access if a healthcare professional believes access could cause harm to the individual or another. The Privacy Rule also has the following exceptions to PHI access:
- Psychotherapy notes
- Information compiled for legal proceedings
- Laboratory results to which the Clinical Laboratory Improvement Act (CLIA) prohibits access
- Information held by certain research laboratories.
There are also reviewable grounds for denial, which include disclosures that would cause endangerment of the individual or another person, as well as situations where PHI refers to another. The disclosure may be likely to cause substantial harm.
Finally, “requests made by a personal representative where disclosure is likely to cause substantial harm” is also considered a reviewable grounds for denial of access.
“In addition, the notice of denial must inform the individual of how complaints may be filed with the covered entity or the Secretary of HHS,” HHS states on its website. “If access to some of the PHI is denied, the covered entity must, to the extent possible, give the individual access to any other PHI requested, after excluding the PHI to which the covered entity has a ground to deny access.”
The future of patient data access
As technology continues to evolve, and more healthcare organizations opt for interoperability, it is likely that patient data access will also continue to rise.
For example, a report from the American Hospital Association (AHA) last year found that more individuals than ever before now have electronic access to their own health information. Specifically, 92 percent of hospitals offered the ability to view medical records online in 2015, a large increase from the 43 percent that offered the same option in 2013.
Eighty-four percent of hospitals also allowed patients to download information from their medical record in 2015, compared to just 30 percent in 2013.
“A growing number of individuals also are able to perform everyday health care tasks, such as making a medical appointment online with their hospital-based care providers,” the report’s authors explained. “Offering these capabilities allows patients to more easily access their providers and engage in their care.”
Whether covered entities utilize online tools for individuals to view, download, or transmit their own data, or even start to implement secure messaging options, HIPAA regulations cannot be overlooked.
However, data access can and must be done when the situation is permissible under HIPAA rules.