Recently, I spoke at a seminar attended by many healthcare professionals. Although I addressed various HIPAA-related issues, many of the questions posed by the audience focused on how HIPAA applies in an electronic environment. In many instances, HIPAA operates in the same manner in an electronic environment as it does in a paper one. However, there are certain HIPAA-related provisions that apply somewhat differently, including the following:
- Access – HIPAA permits covered entities to require that individuals requesting access to their medical records make such requests in writing. Because HIPAA has always treated electronic documents as written ones, HIPAA allows covered entities to offer individuals the right to use electronic means, such as email or a web portal, to make requests for access to their medical records.
- Response to Access Requests – HIPAA requires covered entities to respond to requests for access within 30 days after receiving any such request. But covered entities may respond sooner, something that would seem feasible when a covered entity permits individuals to make such requests via electronic means as noted above. Responding to such requests well before the 30-day deadline may also be one way in which covered entities distinguish themselves from others within the healthcare marketplace.
- Personal Representatives – HIPAA permits legally authorized personal representatives to have the same right of access to an individual’s protected health information (“PHI”) as that individual himself/herself when such individual is unable to act on his/her own behalf—and this is true in an electronic environment, too. But covered entities must be able to verify the identity of anyone who requests access to PHI on behalf of another. In this regard, HIPAA permits covered entities to use their own professional judgment in order to establish reasonable policies and procedures to verify the identity and authority of any person who requests PHI on behalf of another. Such verification may be obtained through various means, including electronically, provided (i) appropriate steps are taken to verify the identity of anyone claiming to be acting in the capacity of a personal representative and his/her authority to do so; and (ii) the necessary documents, statements, or representations are obtained as required by particular HIPAA-related provisions. Accordingly, covered entities that receive or respond to electronic requests for access to PHI should ensure their verification and documentation policies and procedures are reasonable in light of the electronic environment in which they operate.
- Designated Record Set (“DRS”) - An individual has a right of access to his or her PHI that exists within a covered entity’s DRS, which includes (i) a provider’s medical and billing records; (ii) information regarding health plan enrollment, payment, claims adjudication and case or medical management record systems; and (iii) other information used by the covered entity to make healthcare decisions about such individual. To the extent covered entities maintain their own electronic record systems, their choice to link those systems to a network for electronic health information exchange purposes does not necessarily change the status of the information within their DRS. In other words, information that meets the definition of a DRS remains part of such DRS even if such information is linked to a network. But whatever information a covered entity imports into its electronic records via a network may become integrated as part of that entity’s DRS. However, network participation by itself doesn’t make all other information about an individual that is accessible through the network part of the covered entity’s designated record set. Stated differently, the ability to link health information through a network doesn’t obligate the covered entity to provide access to the designated record set of another covered entity that participates in the network. Also, covered entities that use electronic records, such as electronic health records, should be aware that an individual’s right of access applies regardless of the format of such individual’s PHI. Therefore, a DRS is not limited to information contained in an electronic record, but also includes any non-duplicative electronic or paper-based information that qualifies as part of such DRS.
While some overlap may exist initially as covered entities transition from paper to electronic record sets, covered entities will likely find their access-related obligations to be less time consuming and less labor intensive the more they convert to electronic health records.
- Form of Access - If individuals request that their PHI be provided in electronic form, use of electronic records by covered entities will probably increase the amount of PHI they are able to produce electronically, a benefit to both the person making the request and the covered entity. Specifically, electronic access may provide individuals with more timely access to more PHI and in a more convenient manner. For example, electronic copies of PHI may be downloaded to CDs, thereby providing individuals with a more convenient means of transporting and maintaining their PHI. Also, electronic health records may enable covered entities to offer individuals immediate and ongoing access into the covered entity’s DRS, such as through a personal health record, while reducing the time, expense, and labor involved in providing such access. But if individuals request access to their PHI in hard copy format, HIPAA requires the covered entity to provide such access even if the PHI in question is stored in an electronic record.