The age of the information-empowered patient is upon us. Not only do patients bring the results of their Internet research when they come to the office, they also want to take a record of the clinical encounter with them when they leave.
New HIPAA guidance issued in January by the Health & Human Services Department’s Office of Civil Rights (OCR) aims to help clinicians know how to respond and with what information; it also addresses when patients can be charged for the information.
In the past, physicians and other providers had to “wing it” when it came to unclear rules about patients’ data requests, said Dianne J. Bourque, a Boston health law and HIPAA compliance attorney. “Prior to this, there may not have been readily available guidance that would drill down” to address specific concerns.
When it comes to systems security, physicians and other health providers do not have to put their health IT systems at risk in an effort to meet a request for patient records. For example, Mrs. Smith requests that her protected health information (PHI) be copied onto a thumb drive that she has provided.
In most cases, a covered entity must provide data access in the manner requested by the patient. But the updated guidance states that health providers are not expected to tolerate “unacceptable levels of risk to the security of the PHI on its systems” in responding to requests.
Unlike system security, patient security does not trump patient access. If Mr. Black requests that his records be emailed to him, but a connection cannot be made secure, physicians are still required to send the data.
While OCR requires HIPAA-covered entities to implement reasonable safeguards to protect PHI while in transit, patients have a right to receive a copy of records by unencrypted email if they so wish.
To comply with the new rules, be sure to warn patients of the risks, and confirm that they still want their PHI by unencrypted email. If confirmed, you must comply with the request. This clarification relieves doctors of potential breach notification and liability if the data is intercepted in transit.
The guidance also clarifies how to deliver patients’ data. If PHI is maintained electronically, physicians and other HIPAA-covered entities must be able to provide it to patients electronically.
“Because you hold it electronically, you can’t say, ‘Forget it, you have to have paper,’” Ms. Bourque said. “You lose that option when you keep [data] electronically. Maybe you have to go buy a scanner and scan [the document] and email it, but you can’t charge [patients] for the scanner.”
The new guidance also allows patients to get results directly from a clinical laboratory; however, labs are not required to interpret test results. Rather, patients are encouraged to reach out to their physician for such insights.
Overall, the access guidelines appear reasonable and hopefully will relieve hassles for patients in obtaining their health information, said Dr. Sam Slishman, an emergency physician for Sierra Vista Hospital in San Luis Obispo, Calif., and co-founder of Pre-R, a service that provides in-home visits. Dr. Slishman does not foresee the guidance having much impact on his practices.
“It’s crazy to me that patients have to struggle to retrieve their records at all,” he said in an interview. “I routinely send my patients home with at least their lab tests and copies of their radiology reports so they have something to bring to their [primary care physicians]. If they want more, I hand it to them.”
Dr. Rocky D. Bilhartz, an interventional cardiologist in private practice in College Station, Tex., said that he has concerns about the guidelines, specifically that doctors may charge a fee to cover the cost of copying records but cannot charge for the cost of searching and retrieving data. Dr. Bilhartz is founder of ECGsource, an online cardiovascular medical education resource.
“Record requests can take significant time for staff to filter through and gather,” he said in an interview. “That time should be reimbursable ... If updated provisions prohibit charging for time spent compiling records, it seems those provisions are a bit out of touch with understanding what those of us on the ground floor must do when a request is received.”
But Dr. Bilhartz acknowledged that he would be unlikely to charge patients for “reasonable” data requests.
“I’m in private practice ... and because of that, I have more market-driven accountability to all my patients,” he said. “Why would I nickel and dime people who I would want to be satisfied patients? For reasonable requests, I would just provide records for free.”