HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Guidance on Patient Rights Under HIPAA Due this Month

This December, OCR expects to issue a new document clarifying patient rights under HIPAA to access their own healthcare data, as part of the White House Precision Medicine Initiative.

Clarification Due on Patient Rights Under HIPAA to Access their Own PHI

The Health Insurance Portability and Accountability Act’s Privacy Rule introduced a number of new rules aimed at protecting the privacy of healthcare patients and health insurance subscribers. The Privacy Rule dictates when HIPAA-covered entities are permitted to disclose Protected Health Information (PHI) to third parties, and also makes provision for patients to access their own medical data.

While most covered entities have now got to grips with the intricacies of the HIPAA Privacy Rule, not all appear to be certain about when medical records can be supplied to patients, and the extent of data that must be disclosed upon request. Consumers are similarly unsure about their data access rights under HIPAA.

The Office for Civil Rights (OCR) intends to clarify the situation, and will be issuing new guidance on patient rights under HIPAA. According to an announcement made by Deven McGraw, the OCR’s deputy director for health information privacy, new guidance is expected to be issued later this month.

Confusion about Patient Rights Under HIPAA will be Addressed

The new guidance is intended to clear up any confusion about when patients are permitted to access their own medical records, the rules that must be followed by healthcare providers, and the applicable charges for obtaining copies of PHI.

According to McGraw, OCR often receives queries from patients about whether they are permitted to access their medical data, in addition to complaints from U.S. consumers about being denied access to their own medical records. Data must be provided to patients on request, but there are exceptions, for example when a patient is involved in a clinical trial.

Healthcare providers are permitted to charge patients for providing a copy of medical records; however, complaints have also been sent to the OCR about the amount healthcare providers are charging patients. Patients are sometimes charged high fees in order to access their own medical records.

Under HIPAA Rules, healthcare providers are only permitted to charge “reasonable, cost-based fees.” They are not permitted, for example, to charge for the time it takes to retrieve a patient’s information.

The new guidance will explain patient rights under HIPAA in an easy-to-read and easy-to-understand format, and should cut down the number of medical record access complaints that OCR has to deal with.

The guidance will take the form of a set of questions and answers, and will be published on the OCR website. The Q&A document will provide answers to the most common questions asked of OCR, such as what a ‘designated record set’ includes, the right to have a digital copy of health records, the fees that healthcare providers are permitted to charge, and the rules regarding the provision of medical records to a third party acting on behalf of a patient.

According to McGraw, healthcare providers are similarly confused about the extent of data that must be provided. Should a set of medical records include notes made by a physician, or just test results and clinical data? These issues will be tackled in the new OCR guidance, which is being released as part of the government’s Precision Medicine Initiative.

McGraw expects the guidance to be made available before the year is out.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.