More individuals than ever before now have electronic access to their own health information, according to a recent report from the American Hospital Association (AHA). However, organizations are required to offer patient access as part of their HIPAA compliance measures.
With increased electronic access, covered entities must ensure that they are still adhering to all aspects of the HIPAA Privacy and Security Rules.
Patient access to data is necessary, but the required data security measures cannot be compromised in the process.
The latest AHA TrendWatch report found that 92 percent of hospitals offered the ability to view medical records online in 2015, a large increase from the 43 percent that offered the same option in 2013.
Additionally, 84 percent of hospitals allowed patients to download information from their medical record in 2015, compared to just 30 percent in 2013.
“A growing number of individuals also are able to perform everyday health care tasks, such as making a medical appointment online with their hospital-based care providers,” the report’s authors explained. “Offering these capabilities allows patients to more easily access their providers and engage in their care.”
Not only are more hospitals increasing their options for patient-to-provider communication, but more are also allowing patients to submit patient-generated data to their provider online, according to the report.
Specifically, 63 percent of hospitals allowed patients to message their providers online in 2015, an increase of 8 percentage points from the previous year. In 2015, 37 percent of hospitals had the ability for patients to submit patient-generated data, compared to just 14 percent in 2013.
“As more hospitals are able to offer these services, individuals will have more insight into their medical data and the ability to interact with care providers at times and in ways that are convenient for the patient,” the report’s authors concluded.
While these numbers show that more covered entities continue to embrace technology, it is important to remember that HIPAA regulations require patients to have access to their own health data if they desire it.
Patient right of access is applicable to patient medical information, regardless of the form that the PHI is in at a healthcare organization. Certain provisions may apply slightly differently, such as those related to requests for access, timely action, verification, form or format of access, and denial of access, but individuals have the right to their own medical records.
Another important aspect of patient access is whether or not patients can be charged for access to copies of their PHI. The fee may include only the cost of certain labor, supplies, and postage, but the Office for Civil Rights (OCR) encourages covered entities to provide the copies for free.
“Providing individuals with access to their health information is a necessary component of delivering and paying for health care,” OCR states on its website. “We will continue to monitor whether the fees that are being charged to individuals are creating barriers to this access, will take enforcement action where necessary, and will reassess as necessary the provisions in the Privacy Rule that permit these fees to be charged.”
Increased patient access to their own medical information should not be cause for concern, but a reminder to covered entities and business associates to confirm that they have the necessary safeguards in place to keep PHI secure. For example, if more patients are utilizing secure messaging options, then perhaps hospitals should review their mobile device policies and ensure they are utilizing comprehensive data encryption options.