This guidance remains in effect only to the extent that it is consistent with the court’s order in Ciox Health, LLC v. Azar, No. 18-cv-0040 (D.D.C. January 23, 2020), which may be found at https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2018cv0040-51. More information about the order is available at https://www.hhs.gov/hipaa/court-order-right-of-access/index.html. Any provision within this guidance that has been vacated by the Ciox Health decision is rescinded.
Under the HIPAA Privacy Rule, an individual has the right to access PHI maintained about the individual by a covered entity in a designated record set. This may contain electronic or non-electronic PHI. See 45 CFR 164.524(a)(1). Under the HITECH Act’s Electronic Health Record (EHR) Incentive Program, eligible professionals, eligible hospitals, and critical access hospitals (CAHs) may receive incentive payments under Medicare and Medicaid and avoid payment reductions under Medicare for successfully demonstrating meaningful use of Certified EHR Technology, which includes providing patients the ability to view online, download, and transmit their health information. It is important to note that in some respects the EHR Incentive Program contains more exacting standards than the baseline requirements of the HIPAA Privacy Rule, while the HIPAA Privacy Rule contains more comprehensive requirements than the EHR Incentive Program (e.g., the HIPAA Privacy Rule access right applies to electronic and paper records, while the EHR Incentive Program applies to certain electronic records).
Below are some key distinctions between the HIPAA right of access and the individual access opportunities that may be offered through the EHR Incentive Program:
| EHR Incentive Program | HIPAA Privacy Rule |
|---|---|
| Professional or hospital proactively makes available certain information for the patient to view, download, or transmit (more than 50% of patients are provided timely access in Stage 2; more than 80% in Stage 3) | Covered entity required by law to provide individuals with access upon request |
| Access is to a specific set of data (e.g., recent lab test results, current medication list and medication history, problem list)* maintained in Certified EHR Technology (for Stage 3, the specific set of data is known as the Common Clinical Data Set (CCDS), as defined in the 2015 Edition Health IT Certification Rule**) | Access is to requested PHI that is in a designated record set, which is PHI that is either maintained electronically (e.g., in the EHR) or other medical information that is not stored in the EHR (e.g., PHI that is stored on paper, billing records, and other records used to make decisions about individuals) |
| Access must be timely provided (e.g., in Stage 2, professionals must make information available within 4 business days of its availability to the professional, and hospitals must make information about hospital stays available within 36 hours of discharge; for Stage 3, information must be available to the patient within 48 hours of its availability to a professional and 36 hours of its availability to a hospital) | Prompt access is encouraged, but covered entities may take no longer than 30 days from receipt to act on a request for access (and may take another 30 days to respond if the individual is notified in writing of the reason for delay during the initial 30-day period) |
| Administered by the Centers for Medicare & Medicaid Services (with respect to the EHR Incentive Program) and the Office of the National Coordinator for Health IT (with respect to the Health IT Certification Program) | Administered by the HHS Office for Civil Rights |

\* See the EHR Incentive Program Final Rule at 80 FR 62812, https://www.federalregister.gov/articles/2015/10/16/2015-25595/medicare-and-medicaid-programs-electronic-health-record-incentive-program-stage-3-and-modifications

\*\* See 80 FR 62602, https://www.federalregister.gov/articles/2015/10/16/2015-25597/2015-edition-health-information-technology-health-it-certification-criteria-2015-edition-base
Although the EHR Incentive Program and the HIPAA Privacy Rule are distinct, it is possible for a provider or hospital to leverage its Certified EHR Technology to fulfill its HIPAA Privacy Rule obligations with respect to individual access in circumstances where the individual either: (1) requests access to PHI that is held in the Certified EHR Technology; or (2) requests access to his PHI, the covered entity professional or hospital informs the individual that the PHI requested is available through the Certified EHR Technology, and the individual agrees to access the requested PHI through the Certified EHR Technology.
In scenario 1, the individual is aware of the EHR Incentive Program and specifically requests access to her PHI via the functionality of the Certified EHR Technology. For example, in exercising her right of access under the HIPAA Privacy Rule, an individual could request a copy of her information that constitutes the CCDS through the provider’s Certified EHR Technology portal or that it be sent from the Certified EHR Technology to the individual’s Direct address (an electronic address for securely exchanging health information using the Direct technical standard). If the provider is using Certified EHR Technology, the HIPAA Privacy Rule requires the provider to grant this request from the individual because the form and format requested is “readily producible” using the provider’s Certified EHR Technology. At the same time, the provider should be able to count this access by the individual for purposes of meeting its EHR Incentive Program objectives, as long as the access was provided within the timeframes required by the EHR Incentive Program. Because the Privacy Rule provides up to 30 days to act on an access request, meeting the more prompt deadlines of the EHR Incentive Program clearly complies with the Privacy Rule’s deadlines.
In scenario 2, the individual has requested a copy of certain of his PHI, and the provider recognizes that the PHI requested by the individual would be easily available through the Certified EHR Technology. The individual asks for the information in PDF format; the provider instead offers to set up an account for the individual so that the individual can access this information directly through the portal in the Certified EHR Technology. If the individual agrees to the portal access, the provider will be able to satisfy the individual’s HIPAA access request using the Certified EHR Technology portal, while at the same time being able to count the access for purposes of meeting EHR Incentive Program objectives (as long as the access was provided within the timeframes required by the EHR Incentive Program). If the individual declines the offer and instead maintains his request to receive a copy of his PHI in PDF format, the HIPAA Privacy Rule requires the provider to provide the individual with a copy in PDF format, if the PHI is readily producible in that format or, if not, in an alternative electronic format that is agreeable to the patient. Further, the individual at all times retains the right to access his PHI in a designated record set that is not part of or available through the Certified EHR Technology.