The HIPAA Privacy Rule and Electronic Access to Medical Records

The Administrative Simplification section of HIPAA, under which the Privacy Rule is mandated, was aimed at fostering the electronic exchange of health information. In that section, Congress called for the development of a “health information system through the establishment of standards and requirements for the electronic transmission of certain health information.”[41] The Privacy Rule and the related Security Rule[42] were devised to establish a baseline of policies and practices to safeguard health information to ensure that technology would improve care without jeopardizing confidentiality.

As the health care industry adopts more technologically sophisticated methods of record maintenance and patient communication, patients’ access to their own personal health information could potentially become easier and more cost-efficient. By guaranteeing patients access to their own health information, the Privacy Rule set in place an important incentive for consumers to actively engage in health information technologies, such as electronic medical record (EMR) systems and personal health records (PHRs).[43] In fact, the Privacy Rule requires that covered entities provide information in the requested format if it is “readily producible.”[44] At the same time, covered entities can exercise their ability to impose reasonable fees associated with providing access to personal health information. As such, the preamble of the Privacy Rule points out that if, in the course of providing access to a patient, electronic copies are made to a computer disk, any fees could include, for instance, the cost of the computer disk.[45] It is important to note that where covered entities receive the services of vendors, or “business associates,” in the course of developing an EMR system, for instance, the contract must stipulate that the business associate will make protected health information available for access, amendment, and accounting of disclosures.[46]

However, since the Privacy Rule only applies to “covered entities,” some entities that have access to protected health information are not covered by the federal law. For instance, some private companies offering consumers PHR services are not covered by the law and therefore the federal right to an accounting of disclosures would not apply. This is problematic and serves as a critical reminder that strong laws and standards must be implemented to protect and extend established rights of patients.

As long as covered entities are collecting, using, and storing protected health information, the Privacy Rule and its access requirements apply to that entity—whether the information is stored electronically or not. The opportunity exists to build in patient access to records, even if not directly required by HIPAA. State laws related to patient access may also surpass HIPAA’s requirements in this area.