New Guidance on Patient Data Access Issued by OCR

The Department of Health and Human Services’ Office for Civil Rights has started 2016 with the launch of a brand new website interface, and has now followed up on previous assurance by issuing new guidance on HIPAA.

This is the first in what is expected to be a regular series of new guidance, which tackles the issue of patient data access rights under HIPAA. The guidance is targeted not at healthcare providers and health insurers, but patients.

OCR Director, Jocelyn Samuels said “Far too often individuals face obstacles to accessing their health information, even from entities required to comply with the HIPAA Privacy Rule…This must change.”

The guidance issued, which takes the form of a Q&A, clarifies what data can be obtained by patients, including information about fincancial charges that can be applied by HIPAA-covered bodies for providing copies of medical data.

Patients are permitted to view the information that has been recorded by HIPAA-covered entities, and the HIPAA Privacy Rule allows the release of health information to patients or their nominated representative in “designated record sets.” Patients are also allowed to obtain a copy of that information.

Patients can ask for that their healthcare provider transmit their PHI to another person or body, such as a nominated representative or another healthcare provider. It does not matter whether the data has been recorded electronically or is on paper or images (x-rays, for example). Copies must be provided when asked for. Covered bodies are permitted to charge patients for providing that information, but only an amount to cover the actual costs of providing the data, not including the duration of time it has taken to prepare copies.

Patient advocates have heralded the new OCR guidance. Get My Health Data campaign coordinator, Christine Bechtel, stated “When all patients can get and use their health data electronically, they will be able to more fully engage in their health and care.” Lynne Thomas Gordon, CEO of the American Health Information Management Association, hopes that the new guidance will be of advantage to patients in other ways, and will “encourage providers to offer the first copy of health information to the patient at minimal or no charge.”

Under current rules and regulations, healthcare providers are required to provide access to PHI (or copies) on request, but have up to 30 days in order to make the information accessible. Since most healthcare providers now store PHI in electronic format, it therefore should be possible for obtain to data to be provided quickly. It is hoped that healthcare providers will make reasonable efforts to provide data access quickly, and will not use the 30-day maximum time limit and unnecessarily delay the provision of PHI to people.

This new guidance can be found on the following website: