Say “YES” to Access and “NO” to Obstacles.
If you are using one of these forms you could be creating a barrier for patients:
- Authorization to Release
- Consent to Release of Information
- HIPAA Release Form
Authorizations (sometimes called a “Consent” or “Release”) are detailed forms, required when protected health information (PHI) is disclosed to a third party, like a lawyer, but a patient asking for their own information should not have to jump through hoops. If you charge more than a minimum cost, or don’t respond promptly, or send patients to multiple locations you may be violating HIPAA. If they just want to view the records in an office, or access them electronically, there should be no charge.
It’s not enough to have HIPAA policies in place. You must implement the policies correctly. Last month, the Director of OCR, Roger Severino, said there has been “a significant amount of ignorance and flouting of regulations” related to providing patients with access to their health information. As a result, OCR is pursuing these cases “vigorously this year”. More here.
Individual Right of Access vs. Third Party Authorization
OCR warned in 2016 that requiring someone to execute an authorization in order to exercise the right of access may create an impermissible obstacle. OCR explained the significant differences between a disclosure of PHI to an individual under the right of access which is required by the Privacy Rule and a disclosure by valid HIPAA authorization which is permitted by the Privacy Rule.
Electronic Transmission of PHI
Patients may choose the form and format of information they request. The explosion of health care apps recently has made access to information easier and faster for patients but raises questions for covered entities about their liability for non-secure transmission. Last month OCR published five new FAQs on the topic to help guide decisions about sharing PHI with patients through apps while following HIPAA.
Stay tuned for future changes in the electronic exchange of information. HHS is spearheading an effort to streamline sharing health information across networks nationwide through a “Trusted Exchange Framework and Common Agreement” (TEFCA).
Whatever the information sharing framework looks like in the end, basic HIPAA requirements are unlikely to change. Stay on top of HIPAA with the right policies and the right implementation steps. If you have questions about how to comply with HIPAA, we have answers.
The chart below illustrates the differences between “right of access” and “authorization”.