Daily struggles to protect personal data from hacking, phishing, theft and loss make it easy to forget that HIPAA is not just about privacy and security. It also requires covered entities (CEs) to make an individual’s protected health information (PHI) accessible to the individual in all but a few, very limited circumstances. Recent guidance published by the Department of Health and Human Services (HHS Guidance) emphasizes the need for covered entities to be able to respond to an individual who says “I want my PHI” in a way that complies with HIPAA and state law access requirements, even when these requirements seem confusing and contradictory.
HIPAA authorizations are, perhaps, one of the most commonly misunderstood and misused forms. The HHS Guidance helpfully reminds CEs that authorizations are not needed for a CE to share PHI for treatment, payment and health care operations, and, of course, a CE can share PHI with a business associate under a HIPAA-compliant business associate agreement. But when an individual requests PHI, whether directly or through a third party, it’s critical that the CE understand whether it is an access request or a request for disclosure pursuant to a HIPAA-compliant authorization.
My law partner and fellow HIPAA enthusiast Beth Larkin comments on some of the difficulties a CE faces when responding to an individual’s access request, highlighting the need to distinguish between an access request and disclosure pursuant to an authorization:
The HHS guidance wants CEs to provide individuals “easy access” to their health information. CEs still, however, have to deal with other HIPAA requirements, including verification of the identity of the requestor, securing the PHI from unauthorized access and determining breach if there is unauthorized access. Also, it is not always clear whether a patient is exercising an access right or requesting PHI pursuant to an authorization. The patient may not know the difference and just indicates he or she wants copies of records and may present either an access request or an authorization form.
The HHS Guidance explains that while a CE can require an individual to submit a written access request, it can’t do so in a manner that creates a barrier or would delay the individual’s access:
For example, a doctor may not require an individual: … [t]o use a web portal for requesting access, as not all individuals will have ready access to the portal …
If a CE uses a written form for individuals to request access to records (and ensures the form is readily accessible in multiple ways), the CE should give individuals as much information as possible about each form.
For example, as illustrated in the chart included in the HHS Guidance, a HIPAA authorization permits, but does not require, a CE to disclose the PHI. An access request requires the disclosure (and requires the CE to act on the request within 30 days). In addition, HHS explains that fees charged by the CE are limited when the individual requests access, and not when PHI is requested pursuant to an authorization (though certain charges might be prohibited under HIPAA regulations proscribing the receipt of remuneration for the disclosure of PHI). Finally, HHS notes that PHI sent pursuant to an authorization must be sent securely, while an individual can request that PHI sent pursuant an access request can be sent through an unsecure medium (though the risks of such a choice should be communicated to the individual if feasible). If the CE makes all of this information clear and encourages the individual to ask questions as to which form should be used, it seems reasonable for a CE to then be able to rely on the individual’s choice of form.
When a third party requests an individual’s PHI, though, it can be especially difficult for a CE to figure out whether an authorization form has been sent when an access request would have been appropriate. Here, HHS suggests the CE reach out to the individual:
Where it is unclear to a covered entity, based on the form of request sent by a third party, whether the request is an access request initiated by the individual or merely a HIPAA authorization by the individual to disclose PHI to a third party, the entity may clarify with the individual whether the request was a direction from the individual or a request from the third party.
In short, if a HIPAA authorization is really an individual’s misguided attempt to say “I want my PHI!”, the CE will need to make sure it follows the individual access right requirements in responding.