[BreachExchange] Easing HIPAA Violation Concerns with Patient Data Access

[Audrey McNeil]

http://healthitsecurity.com/news/easing-hipaa-violation-
concerns-with-patient-data-access

While the healthcare sector continues to work toward achieving nationwide
interoperability, concerns over potential HIPAA violations with regard to
patient data access is also on the rise.

Covered entities need to allow individuals access to their own data should
they request it, but privacy and security considerations must also be a top
priority.

Reviewing the basics of the HIPAA Security Rule and Privacy Rule can assist
healthcare organizations as they increase electronic health data access.
This way, patients are able to see their own information upon request, but
both parties can rest assured that PHI will not fall into the wrong hands.

Patient data access under HIPAA rules

The HIPAA Privacy Rule has two circumstances where covered entities may
exchange private patient data.

First, organizations may exchange PHI when the HIPAA Privacy Rule
specifically permits or requires it. The second scenario that allows data
to be exchanged is when the subject of the data (the patient) specifically
authorizes the exchange.

Interoperability and permitted times of sharing PHI have recently been
addressed by the Office of the National Coordinator (ONC). In a series of
blog posts throughout 2016, ONC Chief Privacy Officer Lucia Savage, J.D.
and ONC Privacy Analyst Aja Brooks, JD maintained that interoperability is
permitted under HIPAA regulations, but there has been some confusion over
how it can be done properly.

“Some providers are not sharing PHI due to their health care organization’s
policies, procedures, or protocols, even if the sharing is permitted under
HIPAA, or because laws in the provider’s state apply in addition to HIPAA,”
Savage and Brooks wrote. “Interestingly, this lack of exchange of PHI runs
contrary to consumer perception, with research demonstrating that patients
assume their PHI is automatically shared between their treating physicians.”

It is also important to know that HIPAA allows covered entities to disclose
PHI to other covered entities or business associates without patient
consent in certain conditions. These include, but are not limited to the
following:

Conducting quality assessment and improvement activities
Developing clinical guidelines
Conducting patient safety activities as defined in applicable regulations

However, both covered entities must have a relationship with the patient
and the PHI being shared must pertain to that relationship. Only the
minimum information necessary can also be disclosed.

Providers must also account for instances during which they exchange the
information on an interoperable system for reasons not necessarily covered
under the Privacy Rule.

“If the covered entity wishes to use or disclose the PHI for something
other than treatment, payment, or health care operations, it must obtain
patient authorization to do so, unless the use or disclosure is permitted
by another provision of the HIPAA Privacy Rule,” the pair explained in
their second blog post on patient data access. “One important such rule is
when a patient requests a copy of her PHI, and asks that it be sent
somewhere else.”

Essentially, providers need to find another place under HIPAA where that
exchange was noted permissible, or they must receive authorization from the
patient when data exchange occurs outside the provisions of the HIPAA
Privacy Rule.

“Nationwide interoperable health information technology (health IT) will
help make the right electronic health information available to the right
people at the right time for patient care and health, no matter the care
setting, organization, or technology supporting the information exchange,”
said Savage and Brooks. “HIPAA’s Permitted Uses and Disclosure are rules
that run ‘in the background’ in support of this important nationwide goal.”

When PHI access can be denied

There are situations where patients can be denied access to PHI.

A covered entity may deny access if a healthcare professional believes
access could cause harm to the individual or another. The Privacy Rule also
has the following exceptions to PHI access:

Psychotherapy notes
Information compiled for legal proceedings
Laboratory results to which the Clinical Laboratory Improvement Act (CLIA)
prohibits access
Information held by certain research laboratories.

There are also reviewable grounds for denial, which include disclosures
that would cause endangerment of the individual or another person, as well
as situations where PHI refers to another. The disclosure may be likely to
cause substantial harm.

Finally, “requests made by a personal representative where disclosure is
likely to cause substantial harm” is also considered a reviewable grounds
for denial of access.

“In addition, the notice of denial must inform the individual of how
complaints may be filed with the covered entity or the Secretary of HHS,”
HHS states on its website. “If access to some of the PHI is denied, the
covered entity must, to the extent possible, give the individual access to
any other PHI requested, after excluding the PHI to which the covered
entity has a ground to deny access.”

The future of patient data access

As technology continues to evolve, and more healthcare organizations opt
for interoperability, it is likely that patient data access will also
continue to rise.

For example, a report from the American Hospital Association (AHA) last
year found that more individuals than ever before now have electronic
access to their own health information. Specifically, 92 percent of
hospitals offered the ability to view medical records online in 2015, a
large increase from the 43 percent that offered the same option in 2013.

Eighty-four percent of hospitals also allowed patients to download
information from their medical record in 2015, compared to just 30 percent
in 2013.

“A growing number of individuals also are able to perform everyday health
care tasks, such as making a medical appointment online with their
hospital-based care providers,” the report’s authors explained. “Offering
these capabilities allows patients to more easily access their providers
and engage in their care.”

Whether covered entities utilize online tools for individuals to view,
download, or transmit their own data, or even start to implement secure
messaging options, HIPAA regulations cannot be overlooked.

However, data access can and must be done when the situation is permissible
under HIPAA rules.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170103/f55ba4d0/attachment.html>