BreachExchange mailing list archives

OCR issues new guidance on individuals’ access to PHI: Is your access policy compliant?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 21 Jan 2016 17:52:19 -0700

http://www.jdsupra.com/legalnews/ocr-issues-new-guidance-on-individuals-85417/

On Jan. 7, 2016, the Office of Civil Rights (OCR) issued new guidance
(Guidance) on the right of individuals under the HIPAA Privacy Rule to
access their protected health information (PHI). In the Guidance, the OCR
indicated that based on its enforcement experience, many individuals are
having difficulties obtaining such access even as technology evolves, and
new treatments make it important for individuals to have ready access to
their PHI.

The Guidance was issued in an effort to provide clarifications on various
aspects of the right to access PHI. The clarifications provided by the OCR
address the permissible charges for providing medical records to patients,
submission of requests to access PHI, the manner for providing access to
PHI, whether PHI may be sent to individuals via unencrypted e-mail and
various other questions regarding this right.

With respect to charges for medical records, the Guidance reminded covered
entities that it is permissible to charge a reasonable, cost-based fee if
the individual requests a copy of the medical records provided such fee
includes only the cost of:

1. labor for copying the requested PHI;
2. supplies for creating the paper copy or electronic media (e.g., CD), if
the individual requested that the electronic copy be provided on portable
media;
3. postage, if the individual requested that the records be mailed; and
4. preparation of an explanation or summary of the PHI, if agreed to by the
individual.

The Guidance noted that charges for the records may not include costs
associated with verification, documentation, searching or retrieving the
PHI, maintaining systems, recouping capital for data access, storage or
infrastructure or other costs not permitted under the Privacy Rule even if
such costs are allowed under state law. The Guidance also emphasized that a
covered entity may not deny an individual access to PHI because the
individual has not paid the bill for the services provided by the covered
entity.

Given the importance of the individual’s ability to have ready access to
PHI, the Guidance emphasized that although the Privacy Rule allows covered
entities to require that individuals submit requests to access PHI in
writing and mandates verification of the identity of the requestor, a
covered entity cannot impose unreasonable measures on requesting PHI access
that become barriers to access.

For example, a physician practice cannot require an individual who asked
that a copy of her medical record be mailed to her house to physically come
to the physician’s office to request access and provide proof of identity
in person. Similarly, covered entities cannot require use of a web portal
for requesting access because not everyone has easy access to the
portal. The OCR also noted that a covered entity may not require an
individual to mail an access request because this would unreasonably delay
the provider’s receipt of the request and the individual’s access to PHI.

The Guidance also noted that access to PHI must be provided in the manner
requested by the individual and that an individual may request to receive
the PHI via mail or e-mail. With respect to e-mail, the OCR clarified that
individuals may receive a copy of their PHI by unencrypted e-mail and that
it is expected that all covered entities have the capability to transmit
PHI by e-mail, except in limited cases where e-mail cannot accommodate the
file size of the requested documents.

The OCR noted that if an individual requests that PHI be sent to the
individual via unencrypted e-mail, the covered entity needs to provide a
warning to the individual that there is risk that the PHI could be accessed
by a third party while in transit and confirm that the individual still
wants to receive her PHI by unencrypted e-mail. If after receiving such
warning the individual still requests PHI to be sent via unencrypted
e-mail, the covered entity must comply with the request. While an
individual can choose to receive copies of her PHI by unsecure methods, a
covered entity cannot require an individual to accept unsecure e-mail in
order to receive access to PHI.

The Guidance also clarified that while covered entities must adopt
reasonable safeguards in implementing the individual’s request (e.g., using
correct e-mail address), covered entities are not responsible for a
disclosure of PHI while in transmission to the individual based on the
individual’s request to receive the PHI in an unsecure manner after being
warned of and accepting the risks associated with the unsecure transmission.

The right to access PHI is an important right granted to individuals under
HIPAA and is a common cause of privacy complaints to the OCR. Covered
entities would be well-served by carefully reviewing the Guidance and
confirming that their PHI access policy and procedures are consistent
with the clarifications outlined in the Guidance.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
