Data Access Rights: Following HIPAA Correctly

By Matt Fisher, Esq.
Twitter: @matt_r_fisher
Host of Healthcare de Jure, #HCdeJure

How and when can data be shared in a manner that is compliant with HIPAA? The answer is a lot broader, and sharing is permitted a lot more frequently, than many might expect. However, the expectation of limited sharing is exactly the root cause of the data blockage that frustrates so many individuals.

Explaining the scope of permissiveness under HIPAA is an effort worth undertaking often. If the lessons and explanations appear enough times, it may be possible to create a more informed industry and foster a more nuanced dialogue, instead of the common response that an action is not possible because of HIPAA even though, more often than not, that action can occur. A recent perspective in the Journal of Medical Internet Research dives deeply into HIPAA in an attempt to emphasize the benefit that it provides. As stated by the authors of the article:

So, on the road from the doctor’s office to the patient’s third-party app, where are HIPAA’s green lights, yellow lights, and red lights for disclosing patients’ protected health information as patients direct? We explain in detail why it’s a green light all the way, and your patients’ health and care are much the better for it because they can be engaged, informed, and shared decision-makers.

J. Med. Internet Res. 2020 vol. 22 iss. 9 e19818 p. 1

The traffic light analogy paints a picture of the golden ride home, namely one where no stops occur because the light is green the whole way. When it comes to using and sharing health data for the benefit of a patient, it is an apt analogy.

Internal to the Healthcare System
Within the healthcare system, patient information can be shared all of the time without needing the patient's authorization. HIPAA does not want to interfere with the regular business workflows of the healthcare industry. The steady flow of data is supported through the broad definitions of payment, treatment, and health care operations (the three are often referred to together as PTO). These are three broad categories of uses and disclosures that can occur in the ordinary course of business, and they result in most data being sent around in ways that ostensibly benefit patients. For a more in-depth discussion of the PTO uses and disclosures, check out this post: Who's Using My Data?: HIPAA and Allowed Uses.

Without getting into the intricacies, and allowing time to read the prior post, PTO covers all aspects of a healthcare organization's operations, from working with a patient, to being paid for that work, to assessing internal operations for improvement. In all of those instances, information can be used and disclosed quite freely and extensively, subject to the privacy and security obligations imposed by HIPAA. For the most part, those uses and disclosures occur without barriers being thrown up, though such an all-encompassing statement is certainly painting with a broad brush that covers over some pain points that arise in practice. However, the internally facing pain points are likely dwarfed by what happens when a patient seeks to obtain their own information.

Patient Access to Health Information
HIPAA has always afforded individuals a right of access to their own health data. The right is clearly baked into the Privacy Rule, which identifies the categories of data that an individual may obtain (it is almost everything) and explains how organizations must implement the right of access. As with many good intentions, though, the road to access is paved with obstacles that usually leave patients extremely frustrated.

Does it need to be that way? No. As suggested already, the right of access under HIPAA is a concrete right that should not be hard to interpret. An individual can either come to an organization to inspect the record or request to receive a copy. In requesting a copy of the record, an individual can specify how the record should be sent (broadly, in paper form or electronically) and where it should be sent. Since the vast majority of health records should be in electronic form at this point, every patient should be able to request an electronic copy, because an organization that stores the record electronically is obligated to provide it in the electronic form and format the individual requests if that form is readily producible, and otherwise in a readable electronic form agreed upon by the organization and the individual.

If the assumption is made that the record is stored electronically, then the options for where and how an individual may request that the records be sent multiply quickly. The options are that varied because the individual is free to specify how and where they want to receive the record. Some ways include email, a flash drive, a CD (if anyone has a CD drive anymore), or even a third-party application. Further, an individual can request that the information be sent to a location that is not secure, such as an unencrypted email address, though the healthcare organization will want to make sure that the individual is aware of the risks associated with an insecure destination, and should document that the warning was given. If that is done and the individual still chooses the insecure method, the request must be honored, and the organization is not responsible for what happens to the information in transit as a result of the individual's choice. However, this is an area where trouble often occurs because organizations fear receiving blame if anything goes wrong. Fear should not be a factor, though, because foreknowledge casts the light needed to drive away the shadows of fear.

Why is This Important?
Aside from being the right thing to do, understanding how HIPAA facilitates the flow of data is necessary to comply both with HIPAA and with the deeper requirements around information access that will soon be in force. The upcoming regulations driven by the 21st Century Cures Act prohibit information blocking and introduce even more explicit direction around enabling third-party applications to collect and receive information on behalf of individuals.

Leaving aside regulatory compliance considerations, getting information access right will also foster better relationships with individuals. Individuals increasingly expect information to be available at their fingertips with a large degree of ease. Looking at everyday applications across all other industries, the barriers that exist in healthcare largely do not appear. From financial account information to purchasing history and almost anything else, it can all be found through a mobile app or website. Why should healthcare be so different? That is the issue being pushed.

The difficult balance against the drive for better access is the necessity of protecting privacy and security too. Even if individuals want access to their own information, there is also a corollary expectation that the information will not become available for public consumption. There are real dangers in that regard from the expected proliferation of third-party applications, especially since an application that an individual chooses on their own is generally not covered by HIPAA once the data leaves the healthcare organization. Not all applications will have an individual's best interests in mind, since data are currency. How such applications will be vetted and sorted to weed out the malicious ones will become that much more important. Who will take up that challenge?

Where Do We Go?
The future can never be foretold with certainty. With that caveat, it is clear that individuals will increasingly expect information to be available and may begin voting with their feet when that access is denied. To proceed in a collaborative manner, hopefully all sides will come together and set clear guardrails around processing and providing information that help to preserve the interests of all.

This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.