With all of the cyber-security breaches and fines levied on organizations for lost PHI, it’s easy to forget that HIPAA also defines what information must be provided to the patient, and what must be transferred to other providers involved in the patient’s care or when the patient changes providers.
HIPAA has three basic components:
- Portability – allow patient information to be transferred to other providers who may care for the patient, or to the patient themselves.
  - This includes the patient’s right to access their own information, as defined by the “Designated Record Set”.
- Privacy – protect the privacy of the patient and their health care.
- Security – protect (secure) the protected health information (PHI, patient data). As PHI moves into EMRs/EHRs/patient management systems, this becomes very important.
If you don’t know what a designated record set is, you might want to learn soon, since the OCR is beginning to enforce this right for patients. A designated record set includes:
- Medical and billing records.
- Insurance records, including enrollment, payment and claims adjudication.
- Any other records used, in whole or in part, to make decisions about the patient.
The OCR makes it clear that each provider must provide this information within 30 days of the patient’s request; the patient has this right under law. The patient can request a copy of their PHI in electronic or paper format. If the requested format is not readily producible, an alternative readable format may be mutually agreed upon, and a single extension of up to 30 days is allowed, provided the patient is told in writing, within the original 30 days, why the delay is needed and when the records will be provided.
There are also some limits on what must be provided, such as psychotherapy notes; for a full list, refer to the Individuals’ Rights link below. In general, if you are unsure whether something has to be provided to the patient, the law and the OCR lean toward yes, it must be provided.
Jocelyn Samuels, Director, Office for Civil Rights, wrote a blog post at the beginning of the year about this:
We will continue to develop additional guidance and other tools as necessary to ensure that individuals understand and can exercise their right to access their health information. In addition, the Office for Civil Rights will work with the White House Social and Behavioral Sciences Team and the Department of Health and Human Services Office of the National Coordinator for Health Information Technology (ONC) to produce consumer-friendly resources, including sample communications tools to encourage patients to access their digital health information.
The first set of materials may be found on OCR’s website at Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524.
To close, think of PHI as the patient’s data that you create, maintain, protect and utilize on the patient’s behalf. It’s worth understanding what the government says about the patient’s rights; check the OCR’s page at http://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html.
I wrote a blog post, PHI, Who Owns It?, a few months ago; you can read it at http://thirdrock.com/blog/2016/10/04/phi-who-really-owns-it/.