The one-year anniversary of the Omnibus Rule deadline is this week, yet providers are still seeking guidance on some of its harder-to-navigate specifications, such as how to provision an individual's right to access his/her protected health information. Individuals have always had the right to request copies of their health records, but the Omnibus Rule expanded that right considerably.
Under the law, covered entities must provide an individual with a copy of his/her designated record set that is maintained as electronic protected health information (ePHI) in the electronic form and format requested by the individual. If the requested format is not readily producible, the covered entity must offer to produce the ePHI in at least one readable electronic format that is agreed upon by the covered entity and individual. Individuals may also direct the covered entity to transmit a copy of the designated record set to the individual’s designee.
Additionally, HIPAA requires that the covered entity act upon the request within 30 days, unless it provides the individual with a written statement of delay and commits to a delivery date.
New requirements, new risks
So how will covered entities satisfy these new requirements? And what are the new risks created in the process?
One debate is whether to allow individuals to bring in their own portable devices (e.g. a flash drive) to transfer the record. Such an allowance introduces security risks to the system, yet HIPAA doesn't allow covered entities to require that individuals buy a certain type of media to receive the requested information. Another highlighted issue with portable devices is that the "quick turnaround" of loading records onto such a device opens the covered entity up to human error, such as a workforce member mistakenly downloading another individual's designated record set to the device.
Email delivery is another sensitive discussion. The Omnibus Rule also does not prohibit the covered entity from sending unencrypted emails with the requested information to the individual. It simply requires that covered entities advise the individuals of the risks of sending and receiving unencrypted emails. So what’s the response when an individual requests records be emailed?
Regardless of how the information gets transferred to the patient’s hands, what happens if the individual loses it? Can the covered entity prove it was the individual who lost the record and not a breach caused by the organization?
Four Tips for Managing Risks of Patient Access
Despite the complexities of complying with patient requests for copies of PHI, there are steps you can take to mitigate your risk in this area.
Here are four tips to get you started:
- Have a documented policy and procedure that specifically addresses an individual’s right to his/her electronic designated record set. This should provide details to your staff on how to comply with such requests, including proper safeguards.
- If using a portable device (e.g. flash drive, CD…), have the individual sign a release form stating that once the individual takes control of the media containing the PHI, it is no longer the property of your organization.
- To reduce security risks, provide individuals with portable devices, rather than allowing them to bring in their own.
- If an individual insists on having their PHI emailed, ensure that your organization has advised him/her of the risks of sending and receiving unencrypted emails.