This comes to us from the law firm Bond, Schoeneck and King.
HHS Office for Civil Rights issues new FAQs and Clarifications – Understanding Individuals’ Right under HIPAA to Access their Health Information
On January 7, 2016, Jocelyn Samuels, Director of the Office of Civil Rights, posted a new set of clarifications under the HIPAA Privacy Rule, to quote:
“Unfortunately, based on recent studies and our own enforcement experience, far too often individuals face obstacles to accessing their health information, even from entities required to comply with the HIPAA Privacy Rule. This must change. Today, we took an important step toward ensuring that individuals can take advantage of their HIPAA right of access. We released a fact sheet and the first in a series of topical Frequently Asked Questions (FAQs) to further clarify individuals’ core right under HIPAA to access and obtain a copy of their health information. This set of FAQs addresses the scope of information covered by HIPAA’s access right, the very limited exceptions to this right, the form and format in which information is provided to individuals, the requirement to provide access to individuals in a timely manner, and the intersection of HIPAA’s right of access with the requirements for patient access under the HITECH Act’s Electronic Health Record (EHR) Incentive Program.” http://www.hhs.gov/blog/2016/01/07/understanding-individuals-right-under-hipaa-access-their.html
The clarifications are not “rules” but OCR wants everyone to know they are concerned with compliance regarding access to records. In one area, OCR comments:
“Unreasonable Measures
While the Privacy Rule allows covered entities to require that individuals request access in writing and requires verification of the identity of the person requesting access, a covered entity may not impose unreasonable measures on an individual requesting access that serve as barriers to or unreasonably delay the individual from obtaining access. For example, a doctor may not require an individual:
- Who wants a copy of her medical record mailed to her home address to physically come to the doctor’s office to request access and provide proof of identity in person.
- To use a web portal for requesting access, as not all individuals will have ready access to the portal.
- To mail an access request, as this would unreasonably delay the covered entity’s receipt of the request and thus, the individual’s access.
While a covered entity may not require individuals to request access in these manners, a covered entity may permit an individual to do so, and covered entities are encouraged to offer individuals multiple options for requesting access.”
Read the full clarification here: http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html