• Home
  • >
  • Blog
  • >
  • Is the Violation Right of Access or Information Blocking?  Part 2 of 2

March 14, 2023

Is the Violation Right of Access or Information Blocking?  Part 2 of 2

Written by: A. Michi McClure, J.D., an AIHC member and Volunteer on the CEU Education Committee   

This article follows Part 1 on the topic of understanding potential HIPAA violations when releasing information.  Is it Right of Access or Information Blocking?  Both have penalties. If you haven’t yet, read Part 1. HIPAA Privacy/Security and Compliance Officers and Health Information Management professionals need to know the difference. 

Right of Access Initiative 

An individuals’ right to access their Health Information is located at 45 CFR § 164.524 as part of the HIPAA rule. It provides individuals to exercise the right to access and obtain a copy of their protected health information (PHI) that is maintained by covered entities, such as healthcare providers and health plans. This includes electronic protected health information (ePHI).

Information Blocking

The exact regulatory definition of Information Blocking can be found in the Code of Federal Regulations in 45 CFR 171.103.  The information blocking rule, which was established under the 21st Century Cures Act, requires covered entities to make EHI available for access and exchange in a way that is secure, timely, and appropriate to the circumstances.  On October 6, 2022, the definition of electronic health information (EHI) expanded to include all of the digital components of an organization’s designated record set (DRS).

It is important to differentiate between Right of Access and Information Blocking to ensure your organization is compliant to both rules as well as any applicable State privacy regulations.  The charts below are a continuation from the information provided in Part 1, demonstrating a comparison of similarities and differences between the two.

Aspect

Right of Access

Information Blocking

What it is:

The HIPAA requirement to provide individuals with access to their own PHI contained in one or more designated record sets maintained by a covered entity.

A provision in the 21st Century Cures Act intended to minimize the interference of the ability of authorized persons to access, exchange, or use Electronic Health Information.

To whom can the information be released?

In addition to the individual, the following individuals or entities may be allowed access to PHI under certain circumstances:

  1. Personal representatives: Individuals may designate a personal representative, such as a legal guardian, healthcare proxy, or other authorized person, to act on their behalf in obtaining access to their PHI.
  2. Parents and guardians: Parents or legal guardians may access the PHI of their minor children or children for whom they are legal guardians.
  3. Healthcare providers: Other healthcare providers may be granted access to an individual's PHI for the purpose of providing treatment or coordinating care.
  4. Business associates: Business associates that provide services to covered entities, such as billing or transcription services, may be allowed access to PHI to perform their services.

EHI must be made accessible to individuals, their personal representatives, and other authorized parties, without unreasonable delay and in the manner requested by the individual, except in certain limited circumstances. Authorized parties may include:

  1. Other healthcare providers: Healthcare providers may be authorized to access an individual's EHI for the purpose of providing treatment or coordinating care.
  2. Health plans: Health plans may be authorized to access an individual's EHI for the purpose of administering benefits and coordinating care.
  3. Caregivers and family members: Caregivers and family members may be authorized to access an individual's EHI with the individual's consent or as authorized by law.
  4. Researchers: Researchers may be authorized to access de-identified EHI for research purposes, subject to certain privacy and security requirements.
  5. Public health authorities: Public health authorities may be authorized to access EHI for the purpose of monitoring and responding to public health threats.

May the request be denied?

A covered entity may deny a request for access to protected health information (PHI) under certain limited circumstances. The covered entity must provide a written denial and explanation of the denial to the individual, along with information on how to request a review of the denial. The limited circumstances under which a request for access may be denied include:

  1. Psychotherapy notes: Covered entities are not required to provide access to psychotherapy notes, which are notes recorded by a mental health professional documenting or analyzing the contents of a counseling session.
  2. Information compiled for legal proceedings: Covered entities may deny access to information that is created for the purpose of legal proceedings, such as attorney-client privileged communications.
  3. Information prohibited by law: Covered entities may deny access to PHI if providing access would be prohibited by another law.
  4. Information that may cause harm: Covered entities may deny access to PHI if they reasonably believe that providing access would endanger the life or physical safety of the individual or another person.

Under the information blocking rule, healthcare providers and other covered entities may only deny a request for access to EHI under certain limited circumstances. The exceptions under which a request for access may be denied include:

  1. Preventing harm: A healthcare provider may limit the access to EHI if they believe that providing access could reasonably result in harm to the individual or another person.
  2. Privacy: A healthcare provider may limit access to EHI if they reasonably believe that providing access would violate the privacy of another person.
  3. Security: A healthcare provider may limit access to EHI if they reasonably believe that providing access would pose a security risk to the EHI or to other systems that are part of the electronic health record ecosystem.
  4. Infeasibility: A healthcare provider may limit access to EHI if the request is not technically feasible or if providing access would require unreasonable effort or resources.

If access is denied, the healthcare provider must also provide information on how to file a complaint.

Fees allowed to be charged to the patient?

Yes, covered entities under HIPAA Privacy Rule may charge a reasonable, cost-based fee for providing individuals with access to their protected health information (PHI).

  • The fee may only include the cost of labor for copying the PHI, supplies for creating the paper or electronic copy, and postage if the individual has requested that the PHI be mailed to them.
  • The fee may not include the cost of searching for and retrieving the PHI or any other associated administrative costs.

Covered entities are required to inform individuals of the fee in advance.

  • The fee may not be a barrier to individuals accessing their PHI. Covered entities must also provide access to the PHI in the format requested by the individual if it is readily producible in that format.

It's important to note that there are some situations where fees cannot be charged, such as when an individual requests access to their PHI for the purposes of filing a complaint with the HHS or if the covered entity fails to provide the individual with access to their PHI in a timely manner. Some state laws may limit or prohibit the fees that can be charged for providing access to PHI.

No, under the information blocking rule, healthcare providers and other covered entities may not charge fees that are not reasonably necessary for accessing, exchanging, or using EHI.

  • This means that if an individual requests access to their EHI or for their EHI to be transmitted to another entity, covered entities are generally not allowed to charge fees that are higher than the cost of labor and resources required to fulfill the request.

Additionally, if a covered entity charges fees for any other services or products related to EHI, such as an EHR system, the fee must be reasonably related to the actual cost of providing the service or product. The covered entity must also provide a detailed explanation of the fees and how they were calculated and must make the fees publicly available.

It's important to note that there are some circumstances where a covered entity may be able to charge fees that are higher than the cost of labor and resources, such as when the request is complex or involves large amounts of EHI. However, these fees must be reasonable, and the covered entity must provide an itemized bill explaining the fees.

Please review Part 1 for more information. 

We also encourage consulting with your malpractice Risk Attorney.  Your insurance company WANTS your organization to seek advice BEFORE an incident or investigation from a complaint occurs.  If consulting with your malpractice company isn’t an option, it is highly advised to seek legal advice from a HIPAA privacy expert.

Copyright © 2023 American Institute of Healthcare Compliance All Rights Reserved

TAGS


follow us