Individuals have an inherent right to access their own health information. Patient data access can be a critical tool for proper care, but both providers and patients often face confusion about how HIPAA regulations impact the exchange and release of protected health information (PHI).
Patients will have greater control in their personal healthcare when they can have necessary access to their own information. Reviewing records can also help patients ensure that their provider has complete, correct, and up-to-date information about important issues, such as known allergies or medications.
Individuals can ask to view and obtain a copy of their health records, receive records as paper or electronic copies, and even have records sent to another entity for treatment, billing, or operations purposes.
But patient care is a complicated issue, and often requires multiple stakeholders to collaborate and discuss sensitive issues related to the individual. Are caregivers allowed the same rights as the patient? What if an individual poses a threat to herself or to others? Can a hospital release certain information to law enforcement to help keep all involved parties safe?
Understanding the intricacies of patient data access under HIPAA regulations will help providers and patients work together toward an improved healthcare system that maintains PHI security.
Individual access to personal health information
Patients have the right to access their own health information, a right that is often misunderstood or not even realized. Both parties can be misinformed about how to handle requests to access health information, said AHIMA Director of HIM Practice Excellence Lesley Kadlec.
In order to clarify how to proceed, AHIMA recently released a patient data access form that providers can use as a template.
“We wanted to make sure that we had an easy tool that anyone could use to allow the patient to have that access or to give that access to their designated personal representative,” said Kadlec.
“This is just a suggested model form. We know that some organizations may have their own forms, and we certainly support that. But we wanted this form to be made available to those organizations who did not have an easy plain language form for patients to use to get that access to their information.”
Individuals specifically have the right to request access to a “designated record set” which HHS defines as a “group of records maintained by or for a covered entity that is used, in whole or part, to make decisions about individuals, or that is a provider’s medical and billing records about individuals or a health plan’s enrollment, payment, claims adjudication, and case or medical management record systems.”
The AHIMA form also aligns with a 2017 ONC report that outlined how healthcare organizations need to improve their processes for patient data access measures. The agency interviewed 17 consumers about the challenges they encounter with accessing their own data. Medical record release information and forms from 50 US large health systems and hospitals representing 32 states were also analyzed.
“In the current records request process, patients and health systems are often at odds, as each struggles through an inefficient system to accomplish needed tasks with limited resources,” report authors wrote. “But ultimately, these two user groups have the same goals — and shared needs. That means that improving the records request process is a win-win.”
Patients should be able to easily request and receive their records from their patient portal, ONC recommended. Providers can also simplify the process by setting up an electronic records request system outside of the patient portal.
In the current records request process, patients and health systems are often at odds, as each struggles through an inefficient system to accomplish needed tasks with limited resources.
Language should be plain, and easy to understand, ONC added. A status bar or progress tracker will also help consumers know where they are in the records request process. Online appointment scheduling, secure messaging, and prescription refills can also help encourage patients to use patient portals and hopefully – understand how to access their own records.
When parents or caregivers need PHI access
Authorized disclosure under HIPAA regulations contend that giving information to individuals or to their personal representatives, such as authorized caregivers, parents, or guardians, is allowed.
However, the HIPAA Privacy Rule maintains that it will defer to state law with regard to when someone has the legal authority to act on behalf of another individual.
“The Privacy Rule would require that covered entities grant personal representatives with the right of access on behalf of an individual in an electronic environment, just as they do today with regard to paper-based information,” the Rule states. “Covered entities will want to make sure, however, that they have the capacity to identify, authenticate, and properly respond to requests from these individuals, whether electronically or otherwise, as the Privacy Rule requires.”
HIPAA adds that “an individual’s informal permission to disclose to the individual’s family, relatives, or friends, or to other persons whom the individual identifies, protected health information directly relevant to that person’s involvement in the individual’s care or payment for care” is permitted.
Healthcare providers can also discuss information with a patient’s family, friends, or other persons involved in the patient’s care – as long as they have the patient’s consent.
“The provider may ask the patient’s permission to share relevant information with family members or others, may tell the patient he or she plans to discuss the information and give them an opportunity to agree or object, or may infer from the circumstances, using professional judgment, that the patient does not object,” according to HHS.
Covered entities must abide by an individual’s wishes if an adult patient does not want information disclosed to friends or family members. If “the provider perceives a serious and imminent threat to the health or safety of the patient or others and the family members are in a position to lessen the threat,” then PHI could potentially be disclosed.
Maintaining HIPAA compliance following a patient’s death
HIPAA privacy rules are still applicable after an individual passes away, and covered entities are required to protect identifiable health information for 50 years following a patient’s death.
“The Rule explicitly excludes from the definition of ‘protected health information’ individually identifiable health information regarding a person who has been deceased for more than 50 years,” HHS explains. “During the 50-year period of protection, the Privacy Rule generally protects a decedent’s health information to the same extent the Rule protects the health information of living individuals but does include a number of special disclosure provisions relevant to deceased individuals.”
However, covered entities do not need to keep a decedent’s PHI accessible for the same 50-year period. There are no medical record retention requirements, but entities can adhere to any state or other applicable laws with regard to destroying medical records.
Furthermore, PHI cannot be disclosed to a decedent’s family members unless the decedent gave instructions to do so.
“In these cases, a covered health care provider may disclose relevant protected health information about the decedent to the family member, and the family member retains the right to receive a copy of the relevant information in the decedent’s medical record, without regard to the decedent’s prior objection,” HHS maintains.
...the Privacy Rule generally protects a decedent’s health information to the same extent the Rule protects the health information of living individuals but does include a number of special disclosure provisions relevant to deceased individuals.
The agency also outlines three situations where family members may receive their deceased relative’s PHI:
- A covered entity may disclose a decedent’s PHI, without authorization, to the provider treating the surviving relative.
- If the information being disclosed “is relevant to the person’s involvement in the decedent’s care or payment for care.”
- An individual acting on behalf of a decedent (i.e. executor) can receive PHI “if it is within the scope of such personal representative’s authority under other law.”
Covered entities must also “obtain a written HIPAA authorization from a personal representative of the decedent” to use or disclose a decedent’s health information in situations not permitted by the Privacy Rule.
How HIPAA impacts law enforcement investigations
Law enforcement investigations often require data access by someone other than the patient.
“Public Interest and Benefit Activities” is one of the permitted uses and disclosures aspect under the HIPAA Privacy Rule. Legal action can sometimes require PHI to be disclosed, such as when mandated by law, for judicial and administrative proceedings, and for law enforcement purposes.
The following circumstances are permitted PHI disclosure situations for law enforcement:
- As required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests
- To identify or locate a suspect, fugitive, material witness, or missing person
- In response to a law enforcement official’s request for information about a victim or suspected victim of a crime
- To alert law enforcement of a person’s death, if the covered entity suspects that criminal activity caused the death
- When a covered entity believes that protected health information is evidence of a crime that occurred on its premises
- By a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime
OCR also released an emergency bulletin in 2014, clarifying HIPAA rules for emergency situations. Partially released because of the 2014 Ebola outbreak, OCR explained that covered entities and business associates must know “the ways in which patient information may be shared under the HIPAA Privacy Rule in an emergency situation, and to serve as a reminder that the protections of the Privacy Rule are not set aside during an emergency.”
“In an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures,” the bulletin stated. “Further, covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information.”
Public health authorities and other entities responsible for ensuring public health and safety can also have access to PHI so they can continue to carry out their public health mission, according to OCR. This can include the Centers for Disease Control and Prevention (CDC) or a state or local health department.
The imminent danger aspect of HIPAA rules may also apply in emergencies or for law enforcement purposes. Providers may share patient information “with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public.” However, providers must still adhere to all applicable laws, including state statutes, regulations, or case law, and must also follow their own standards of ethical conduct.
Overall, individuals have a right to access their own health information, and also have the right to ensure that their information remains protected. Even so, the patient is not necessarily the only party who may have access to her PHI.
Covered entities, business associates, and patients should review federal and state regulations in terms of what types of disclosure are permissible, and when patient information can be shared with other entities.