Patient-directed record requests put privacy at risk

Sara Goldstein, Esq., Of Counsel, MRO Corp and Carlos Rodriguez, Chief Operating Officer, Next Medical Records

The HIPAA Privacy Rule was enacted to both safeguard patients’ protected health information (PHI) from improper use and disclosure and establish the patient right to access that information so that they can be fully engaged in their care and are empowered to make informed health care decisions.

When it comes to disclosing PHI to people other than patients or those involved in their healthcare treatment, the HIPAA Privacy Rule generally mandates that covered entities obtain an authorization signed by a patient that contains specific core elements and required statements before copies of that patient’s medical records can be shared. These specific core elements and required statements provide patients with notice of their rights to access their medical information under HIPAA.

However, since the publication of the United States Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) FAQs on Patient Access, on February 25, 2016, third parties have been taking advantage of the OCR’s interpretation of the patient right to access under HIPAA and are actively discouraging patients from signing authorizations and instead encouraging them to sign requests that direct covered entities to send copies of the patients’ medical records to these third parties. In doing so, they are jeopardizing patient privacy.

Patient requests vs. third party requests

The patient right to access under HIPAA generally requires covered entities to provide patients and their personal representatives, as defined under 45 CFR 164.502(g), upon request, access to copies of the patient’s health information in one or more designated record sets maintained by or for a covered entity in the format of the patient’s choosing for a “reasonable, cost-based fee” within 30 days of receiving his or her request.

Patients and their personal representatives can request access to inspect or obtain copies of their medical records. They can also request that copies of their PHI be sent to a designated third party using a patient-directed request. A patient-directed request is a request that is initiated by the patient or their personal representative to send copies of the patient’s medical records to a designated third party recipient. HIPAA’s patient right to access does not require that these patient requests be accompanied by an authorization.

In contrast to a patient request, a third party request is exactly what the name implies, i.e., a request for copies of a patient’s medical records made by a third party. The HIPAA Privacy Rule generally mandates that covered entities obtain an authorization, signed by a patient, that contains specific core elements and required statements before copies of that patient’s PHI can be disclosed to a third party.

The main distinction between a patient request and a third party request is that a patient request must be fulfilled in accordance with HIPAA’s patient right to access, whereas a third party request need not be.

The privacy risks associated with not using HIPAA-compliant authorizations

Most states have laws in place that are more protective of patient privacy than HIPAA and require covered entities to obtain a specific authorization signed by the patient that explicitly permits the disclosure of sensitive information such as treatments and tests for mental health, substance abuse, HIV and sexually transmitted diseases before any disclosure is made to a third party.

Per the guidance of the FAQs, requiring patients to comply with the state laws may be considered a violation of HIPAA because these laws potentially conflict with HIPAA’s patient right to access. Under the FAQs, a patient-directed request does not need to comply with applicable state laws that give heightened protection to sensitive information. Therefore, if a patient signs a patient-directed request as opposed to an authorization, they typically will not have the opportunity to exclude such sensitive information from what is being disclosed to the third party.

Additionally, by not signing authorizations, patients are not provided with information regarding their rights under HIPAA. For example, authorizations must contain a statement that a third party is not bound by HIPAA and may re-disclose the patient's health information without his or her permission. This valuable disclaimer could be sufficient for a patient to reconsider disclosing to the third party. However, when a patient does not sign an authorization, this possibility of re-disclosure will not be explained.

Authorizations are also required to have an expiration date or event upon which the authorization is no longer valid. Patient-directed requests, however, are not required to have an expiration date, enabling a third party who is provided with a patient-directed request to copy it and use it indefinitely, thereby jeopardizing patient privacy for years to come.

The complex disclosure management process

Processing requests for copies of medical records is a very labor-intensive and time-consuming process. The process has become even more challenging with electronic health records (EHRs) because many EHRs are not interoperable. Obtaining a record from an EHR is not as easy as pushing a button, as many people believe. Each EHR has its own password protocol and each is designed differently. Many healthcare systems and providers utilize multiple EHR platforms. Simply locating a proper patient file can require searching through multiple EHRs. Therefore, in order to fulfill requests for copies of medical records, healthcare providers need to hire and train staff to become experts in navigating multiple EHRs to ensure they are fulfilling these requests properly.

Patient-directed requests have made a significant impact on the PHI disclosure management process for all types of healthcare providers. Third parties not involved in patient care such as law firms, copy services, data analytics companies and life insurance companies use patient-directed requests for their own benefit. Traditionally, state law regulates the fees that can be assessed for copies of medical records requested by parties not involved in the patient’s healthcare. Providing third parties with copies of medical records at the state-established regulatory rates gave healthcare providers the ability to recoup their production costs, and in turn provide copies of medical records to patients at well below cost. However, as a result of the FAQs, it is estimated that over $1 billion annually will be shifted onto the backs of healthcare providers across the country.

Caught between a rock and a hard place

The FAQs on Patient Access conflict with the provisions of the HIPAA Privacy Rule that safeguard patient privacy by requiring covered entities to obtain an authorization signed by a patient before disclosing copies of his or her medical records. With more and more third parties utilizing patient-directed requests, healthcare provider staff need to be trained to identify the characteristics of patient-directed requests and to distinguish them from third party requests. However, the FAQs do not provide clear guidance on how to make these distinctions. As a result, it is difficult to enforce uniform policies and procedures to help ensure that HIPAA’s patient right to access is being followed and that no disclosures are being made pursuant to non-HIPAA compliant third party requests that may look like patient-directed requests.

Unless the FAQs on Patient Access are revised or revoked, there is not much that can be done to prevent the erosion of patient privacy and security, and the shifting of unduly burdensome costs onto the healthcare system. So long as the FAQs on Patient Access remain the OCR’s current interpretation of the HIPAA Privacy Rule, healthcare providers must comply with the guidance, even when it deviates from the underlying regulations – otherwise, they will be at risk of being investigated by the OCR for non-compliance with HIPAA’s patient right to access.

Providing patients with access to their medical record is a priority, but so is patient privacy. Balancing access and privacy is difficult enough, and it has only been made more difficult by the OCR guidance of February 25, 2016, which provided third parties with yet another way to obtain a patient's medical record for minimal cost by utilizing a patient-directed request. With all of the confusion surrounding the FAQs on Patient Access and the record-breaking number of enforcement actions taken by the OCR against covered entities for non-compliance with HIPAA, more and more healthcare organizations are partnering with knowledgeable Release of Information (ROI) vendors to help them with their PHI disclosure management needs. Working with an experienced ROI outsourcing organization can provide hospitals and health systems with the requisite expertise they need as they navigate the intricacies and risks of managing patient-directed record requests.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.
