Earlier this month, the Office for Civil Rights (OCR) issued guidance on an individual’s right to access the individual’s health information. That an individual has a broad right to access has been recognized in the HIPAA privacy regulations since they became effective in 2003. OCR has found, however, that individuals are facing obstacles to accessing their health information, and believes this needs to change. To help covered providers, plans and business associates better understand the right to access, the agency issued a comprehensive set of frequently asked questions (FAQ). These FAQs address a number of access issues, but they also provide practical insight on some key points, one of which is summarized below.
In general, the FAQs address the scope of information covered by HIPAA’s access right, the very limited exceptions to this right, the form and format in which information is provided to individuals, the requirement to provide timely access to individuals, and the intersection of HIPAA’s right of access with the requirements for patient access under the HITECH Act’s Electronic Health Record (EHR) Incentive Program. In some cases, the guidance in the FAQs goes beyond just accessing health information. Consider the following FAQ:
What is a covered entity’s obligation under the Breach Notification Rule if it transmits an individual’s PHI to a third party designated by the individual in an access request, and the entity discovers the information was breached in transit?
If a covered entity discovers that the PHI was breached in transit to the designated third party, and the PHI was “unsecured PHI” as defined at 45 CFR 164.402, the covered entity generally is obligated to notify the individual and HHS of the breach and otherwise comply with the HIPAA Breach Notification Rule at 45 CFR 164, Subpart D. However, if the individual requested that the covered entity transmit the PHI in an unsecure manner (e.g., unencrypted), and, after being warned of the security risks to the PHI associated with the unsecure transmission, maintained her preference to have the PHI sent in that manner, the covered entity is not responsible for a disclosure of PHI while in transmission to the designated third party, including any breach notification obligations that would otherwise be required. Further, a covered entity is not liable for what happens to the PHI once the designated third party receives the information as directed by the individual in the access request.
A couple of interesting points are made and clarified with this FAQ. One is that if an individual is warned about the risks of unsecured transmissions of PHI, but decides to proceed with the communication despite the warning, the covered entity is not responsible if there is a breach of the information while it is in transit. That is, no breach of unsecured PHI (but the covered entity still would have to consider state law). Second, after the covered entity fulfills the request of the individual and provides the PHI to a third party, the covered entity is no longer responsible.
So, as covered entities and business associates read though the new access guidance, they should be on the lookout for points like this which can reduce costs and better manage risk.