Written by: A. Michi McClure, J.D., an AIHC member and Volunteer on the CEU Education Committee
This article follows Part 1 on the topic of understanding potential HIPAA violations when releasing information. Is it Right of Access or Information Blocking? Both have penalties. If you haven’t yet, read Part 1. HIPAA Privacy/Security and Compliance Officers and Health Information Management professionals need to know the difference.
Right of Access Initiative
An individual’s right to access their health information is located at 45 CFR § 164.524 as part of the HIPAA rule. It allows individuals to exercise the right to access and obtain a copy of their protected health information (PHI) that is maintained by covered entities, such as healthcare providers and health plans. This includes electronic protected health information (ePHI).
The exact regulatory definition of Information Blocking can be found in the Code of Federal Regulations in 45 CFR 171.103. The information blocking rule, which was established under the 21st Century Cures Act, requires covered entities to make EHI available for access and exchange in a way that is secure, timely, and appropriate to the circumstances. On October 6, 2022, the definition of electronic health information (EHI) expanded to include all of the digital components of an organization’s designated record set (DRS).
It is important to differentiate between Right of Access and Information Blocking to ensure your organization is compliant with both rules as well as any applicable State privacy regulations. The charts below are a continuation of the information provided in Part 1, comparing the similarities and differences between the two.
Right of Access
What it is:
Right of Access: The HIPAA requirement to provide individuals with access to their own PHI contained in one or more designated record sets maintained by a covered entity.
Information Blocking: A provision in the 21st Century Cures Act intended to minimize interference with the ability of authorized persons to access, exchange, or use Electronic Health Information.
To whom can the information be released?
Right of Access: In addition to the individual, the following individuals or entities may be allowed access to PHI under certain circumstances:
Information Blocking: EHI must be made accessible to individuals, their personal representatives, and other authorized parties, without unreasonable delay and in the manner requested by the individual, except in certain limited circumstances. Authorized parties may include:
May the request be denied?
Right of Access: A covered entity may deny a request for access to protected health information (PHI) under certain limited circumstances. The covered entity must provide a written denial and explanation of the denial to the individual, along with information on how to request a review of the denial. The limited circumstances under which a request for access may be denied include:
Information Blocking: Under the information blocking rule, healthcare providers and other covered entities may only deny a request for access to EHI under certain limited circumstances. The exceptions under which a request for access may be denied include:
If access is denied, the healthcare provider must also provide information on how to file a complaint.
Fees allowed to be charged to the patient?
Right of Access: Yes, covered entities under the HIPAA Privacy Rule may charge a reasonable, cost-based fee for providing individuals with access to their protected health information (PHI).
Covered entities are required to inform individuals of the fee in advance.
It's important to note that there are some situations where fees cannot be charged, such as when an individual requests access to their PHI for the purposes of filing a complaint with the HHS or if the covered entity fails to provide the individual with access to their PHI in a timely manner. Some state laws may limit or prohibit the fees that can be charged for providing access to PHI.
Information Blocking: No, under the information blocking rule, healthcare providers and other covered entities may not charge fees that are not reasonably necessary for accessing, exchanging, or using EHI.
Additionally, if a covered entity charges fees for any other services or products related to EHI, such as an EHR system, the fee must be reasonably related to the actual cost of providing the service or product. The covered entity must also provide a detailed explanation of the fees and how they were calculated and must make the fees publicly available.
It's important to note that there are some circumstances where a covered entity may be able to charge fees that are higher than the cost of labor and resources, such as when the request is complex or involves large amounts of EHI. However, these fees must be reasonable, and the covered entity must provide an itemized bill explaining the fees.
Please review Part 1 for more information.
We also encourage consulting with your malpractice Risk Attorney. Your insurance company WANTS your organization to seek advice BEFORE an incident or investigation from a complaint occurs. If consulting with your malpractice company isn’t an option, it is highly advised to seek legal advice from a HIPAA privacy expert.
Copyright © 2023 American Institute of Healthcare Compliance All Rights Reserved