Right to Access Health Information Strengthened by the OCR Access Initiative and Cures Act
Providing timely access to health information has never been more important than now. Health care providers, business associates, health information exchanges, health information networks, and health IT developers of certified platforms should be taking steps to ensure compliance with both the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the requirements of the final rules promulgated under the 21st Century Cures Act (the “Cures Act”).
OCR Access Initiative & Enforcement Actions
The Office for Civil Rights (“OCR”) has settled 18 cases as part of its ongoing right of access initiative (“Access Initiative”). The Access Initiative focuses on providing timely access to individuals requesting access to their health records within the fee limitations specified by HIPAA and the OCR. Providers should continue to ensure that they are in compliance with the guidance issued by the OCR and properly differentiate when they are permitted to charge rates set by Florida law for copies of records versus rates mandated by HIPAA.
Of note, while a reasonable, cost-based fee in accordance with the HIPAA guidance is permitted in certain circumstances, the guidance specifically provides that “Covered Entities should provide individuals who request access to their information with copies of their PHI free of charge.” Another operational hurdle for providers is that patient access requests are treated differently from patient authorizations to release information to other parties. The HIPAA access guidance also describes the OCR’s expectations related to the timing of providing access, how requests for access may be received, and the formats for providing access. Providers must proceed carefully in this area.
Florida has been a particularly active area for these OCR access investigations and the enforcement actions that follow. As a result, it is important that Florida providers ensure that they are providing access to patient records within the time and fee structure specified in the OCR’s guidance, regardless of the fee amounts specified as acceptable at a state level. Since HIPAA enforcement is at a federal level, Florida providers need to ensure that their access policies, procedures, and processes are aligned with the OCR’s access requirements and not just applicable state law and licensure rules.
Cures Act Information Blocking Provisions – Now in Effect
Additional obligations from the Cures Act information blocking provisions are now in effect to promote patients’ access to electronic health records. As a result, providers, business associates, health IT developers of certified platforms, health information exchanges, and health information networks need to ensure that their policies and practices align not only with HIPAA but also with the Cures Act information blocking prohibitions and exceptions. Failure to comply can result in enforcement action. The Office of the National Coordinator for Health Information Technology (“ONC”) has already published a complaint portal for individuals to report potential violations of the Cures Act information blocking provisions. Ensuring that access to electronic health information is provided within the parameters of HIPAA and the Cures Act is therefore critical to avoid additional enforcement activities.
What You Should Be Doing
Providers that have not already reviewed existing HIPAA policies to ensure compliance with the OCR Access Initiative should do so now, and should then re-train workforce members so that all of them understand the requirements to provide access to individuals requesting their records within the time and fee limitations outlined by the OCR’s access guidance. Prior to denying timely access, a close review of the request should be performed by someone familiar with these requirements. Taking reasonable measures to verify the identity and authority of individuals requesting access to protected health information (“PHI”) is still appropriate.
Existing privacy policies and practices should also be reviewed and updated as needed to comply with the Cures Act. Practices should be reviewed for both HIPAA and Cures Act purposes to confirm that individuals can be provided with access to their electronic health information as required. HIPAA policies should be updated to reflect recognition of the Cures Act prohibitions related to information blocking. Additional requirements vary by the type of Actor subject to the Cures Act, so an overall compliance review specific to the type of entity should be performed to determine which requirements under the Cures Act apply to the specific entity and to identify areas that need updating. Ensuring that access to electronic health information can be provided as specified by the Cures Act and HIPAA should be a priority for providers.
Our health care team regularly assists clients with establishing and updating privacy and security programs, policies, and trainings. We also assist with incident response, breach management, and state and federal investigations related to data privacy and security compliance. We have successfully represented clients being investigated by the OCR related to the requirements of the Access Initiative, and regularly assist clients with taking necessary steps to proactively come into compliance. If you need assistance in these areas, we can help.