Feds Raising Awareness of Patient Rights on Accessing Health Data

Improving Patient Access and Engagement Ongoing Federal Effort

by Helen Pfister and Susan Ingargiola, Manatt Health Solutions

Increasing patient engagement is a critical element of the ongoing efforts to improve the quality and reduce the cost of health care in the U.S. However, many patients remain unaware of their rights to access their health information, let alone of their opportunities to use that information to improve the care they receive.

Recognizing this, the federal government recently has taken a number of steps to make patients more aware of their rights to access their health information and to enable them to engage more actively in their care.

HIPAA’s ‘Right to Access’ — a Foundation for Patient Engagement

The HIPAA Privacy Rule gives patients certain rights to review and obtain copies of their medical records.

Specifically, patients have the right to obtain copies of protected health information, or PHI, that is held by a “covered entity” — a health plan or a health care provider that is subject to the Privacy Rule. PHI is information that identifies (or could reasonably be believed to identify) the individual and relates to any of the following:

  • The individual’s past, present or future physical or mental health condition;
  • The provision of health care to the individual; or
  • The past, present or future payment for the provision of health care to the individual.

PHI includes demographic data such as name, address, birth date and Social Security number.

There are certain exceptions to the right of access granted by the Privacy Rule. For example, patients do not have a right to access psychotherapy notes, information compiled for legal proceedings, laboratory results to which the Clinical Laboratory Improvement Amendments limit access or information held by certain research laboratories.

In addition, covered entities may deny an individual access to his or her PHI in certain specified situations, such as when a health care professional believes access could cause harm to the individual or someone else, although in these situations, the individual has the right to have the denial reviewed by a licensed health care professional for a second opinion.

[Related Article: NIST Draft Publication Provides Guidance for HIPAA Breach Response Plans]

In most cases, covered entities must provide a copy of the patient’s medical record within 30 days of the request.

The Privacy Rule also allows patients to request changes if information in a covered entity’s medical records is wrong or to add information if the covered entity’s medical records are incomplete.

For example, if a patient and a covered entity agree that the covered entity’s file has the wrong result for a test, the covered entity must change it. Even if the covered entity believes the test result is correct, the patient still has the right to have his or her disagreement noted in the record.

HITECH’s New Right to Electronic Access

The Privacy Rule gives patients the right to access and obtain a copy of their medical records “in the form or format requested,” provided that the medical records are readily producible in such form or format. Historically, covered entities have provided patients with paper copies of their PHI.

However, in light of the increased use of electronic health record systems and the increased ability of patients to use emerging technologies like digital health applications to electronically aggregate their health information and better manage their health, the Health Information Technology for Economic and Clinical Health Act of 2009 amended the Privacy Rule’s right of access so that covered entities using EHR systems must, upon request, provide patients with an electronic copy of their records.

Covered entities also must transmit an electronic copy of the records directly to another person or entity of the patient’s choosing upon the patient’s request. Any fee charged for the medical record cannot be greater than the covered entity’s labor costs in responding to the request.

Federal Efforts To Increase Awareness of Patients’ Rights, Encourage Patient Engagement

The federal government has taken a number of steps to help increase awareness of patients’ rights to access their medical records and to leverage health IT to enable greater patient engagement in health care. Some highlights are provided below.

HHS Releases “Right to Access Memo”

On May 31, HHS’ Office for Civil Rights released a memo that educates patients about their rights to access their medical records under the Privacy Rule.

The memo is designed to help patients assert their rights by directing them to OCR-developed videos, pamphlets, answers to questions and other guidance outlining patients’ rights under the Privacy Rule.

In the memo, OCR encourages patients to use their health information — including EHRs and personal health records — to more effectively manage their health and wellness.

[Related Article: OCR Establishes Requirements for HIPAA Performance Audits]

ONC and CMS Encourage Patient Engagement Through Meaningful Use of EHRs

Among the requirements for health care providers to demonstrate meaningful use of EHRs under the Medicare and Medicaid EHR Incentive Programs, the Office of the National Coordinator for Health IT and CMS included a number of measures that require health care providers to engage patients more directly in their care.

Under Stage 1 of the meaningful use program, for example, eligible professionals and hospitals must provide patients with electronic copies of their health information upon request within three business days.

Further, hospitals must provide electronic copies of discharge instructions to patients upon request, and eligible professionals must provide clinical summaries of each office visit to patients upon request (though these do not have to be in electronic format).

The proposed rule for Stage 2 of the meaningful use program goes even further. For example, patients no longer would need to request an electronic copy of their health information. Instead, eligible professionals and hospitals would need to provide them with a mechanism to electronically view — and securely download on demand — relevant portions of their medical records. Specifically, CMS and ONC are proposing that eligible professionals would need to:

  • Provide patients with the ability to view online, download and transmit their health information within four business days of the information being available to the eligible professional;
  • Provide patients with clinical summaries for each office visit; and
  • Use secure electronic messaging to communicate with patients on relevant health information.

Hospitals would need to provide patients with the ability to view online, download and transmit information about a hospital admission.

In addition, both eligible professionals and hospitals would need to use EHRs to identify patient-specific educational resources and provide those resources to the patient.

The proposed rule was subject to a 60-day public comment period that now is closed. A final rule is due this summer.

[Related Article: More Stage 3 planning taking place on Patient Engagement]

ONC Strengthens Consumer eHealth Initiatives

In May, ONC announced the creation of a new Office of Consumer eHealth, which will build on the consumer engagement work of ONC’s Office of Policy and Planning.

Among other areas, the new Office of Consumer eHealth will oversee ONC’s “pledge” program. The pledge program is a nationwide campaign to encourage health care providers to pledge to make it easier for individuals and their caregivers to have secure, timely, electronic access to their health information and to further encourage individuals to use this information to improve their health and their care.

Health care providers who make the pledge agree to make personal health information available to individuals and their caregivers in a secure, timely and usable manner through one or both of the following methods:

  • Enabling patients to download personal health information from a secure portal; or
  • Sending information to a PHR.

The federal government also is working to stimulate development of consumer tools that enable individuals to act on their health information once they’ve accessed it from their health care providers.

In partnership with the Institute of Medicine, HHS recently held the Health Data Initiative Forum III, also known as the most recent Health Datapalooza, a public-private collaboration that encourages innovators to use health data to develop apps that enable patients to better manage their health.

More than 1,600 people attended the Health Dataplooza, which spotlighted hundreds of apps, including apps that leverage the federal government’s Blue Button initiative, which allows patients in federal health care programs to download copies of their health information.

Benefits of Patient Access to Health Data and Outlook for the Future

According to a study by the California HealthCare Foundation, patients who have electronic access to their health information report that they know more about their health, ask more questions and take better care of themselves than they did when their health information was less accessible to them in paper medical records. CHCF publishes iHealthBeat.

A new study in the Annals of Family Medicine yielded similar results. In a clinical trial at eight primary care practices, researchers found that patients who accessed portions of their medical records online were more likely to be up-to-date on recommended preventive care, including screening tests for breast, colon and cervical cancers, and immunizations like the yearly flu shot.

While only a small percentage of patients actually access their medical records electronically today, a shift is underway.

According to a recent survey by the Markle Foundation, about 70% of patients and about 65% of doctors believe that patients should be able to view and download their personal health information online.

With the federal government’s ongoing emphasis on patient engagement, this shift is likely to continue and to have a profound effect on the quality of health care in the U.S.

About the authors of this article:

Helen Pfister is a partner in the healthcare practice group of Manatt, Phelps & Phillips, LLP.  Her practice focuses on advising healthcare providers and nonprofit organizations on legislative, regulatory and transactional matters.  Ms. Pfister’s clients include hospitals, community health centers, mental health facilities, substance abuse providers, nursing homes, home care agencies, health information exchange organizations and social service agencies.  She has particular expertise representing federally qualified health centers and other organizations that serve medically underserved communities.

Susan Ingargiola is a director of Manatt Health Solutions (MHS), an interdisciplinary policy and business advisory practice of Manatt, Phelps & Phillips, LLP.  She provides legislative, regulatory and policy advice to healthcare providers and nonprofit organizations, including hospitals, community health centers, health information exchange organizations and pharmaceutical and biotechnology companies.

This article first appeared on iHealthBeat.org on August 9, 2012. It is used here with permission from the authors and publisher.