7. Can You Share Protected Health Information?

Patient Access To Medical Records

The HIPAA Privacy Rule has always provided individuals with the right to access and obtain copies of health information maintained in provider or health plan records. Under the existing regulations, when a patient makes such a request, the covered entity has up to 30 days to provide the requested access or a copy of the requested data; however, the provider or plan can take up to an additional 60 days if the information requested is stored off-site.

Patients can be charged a reasonable, cost-based fee for copies of their information to cover the cost of both labor and supplies. This right of access has been part of the Privacy Rule since it was first implemented, although many patients have faced obstacles when trying to obtain copies of their health information.

The Privacy Rule covers identifiable health information in both paper and digital form, so this right of patient access has always applied to all forms of PHI. However, in the HITECH Act, Congress made it clear that when a patient’s information is stored electronically, patients have the right to obtain an electronic copy and to have that copy sent, at their request, to another person or entity, such as a doctor, caregiver, their personal representative, or mobile health app.

New regulations enacted by the Omnibus Final Rule strengthen this mandate and also clarify how this right to digital data can be exercised. Patients have the right to an electronic copy “in the form or format they request” – but only if the provider or plan is capable of producing the copy in the requested format. If the data isn’t “readily producible” in the format requested by the patient, the provider – or plan – and the patient are expected to come to an agreement on an alternative acceptable, machine-readable digital format.

The new rules still allow healthcare providers and health plans to ask patients to submit written requests for copies of their health information, although the Privacy Rule itself does not require a written request. However, if the patient wants to have the electronic copy transmitted directly to a third party, the new rules require that this type of request be in writing, be signed by the patient, and clearly identify the designated recipient and where the information must be sent.

Per existing requirements of the HIPAA Privacy and Security Rules, healthcare providers or health plans sending identifiable health information at a patient’s request must take steps to verify the identity of the patient prior to sending the information. They must also conduct checks to ensure the correct records are sent and must implement safeguards to protect the information in transit.

Although the Security Rule requires healthcare providers and health plans to implement safeguards for transmitting identifiable health information, patients also have the right to get their copies through unencrypted channels – such as email – if they so choose. Healthcare providers and health plans are required to advise patients of the risk of receiving information through insecure channels, but if the patient opts for the insecure method, he or she has the right to receive the information in this way.

HIPAA Rules governing PHI access provide the baseline for all providers using digital records and, for some patients, will constitute the only available pathway for obtaining copies of their data.

Medical and client information can be shared with, or at, the following:
o Client’s doctor, or doctor’s office.
o Pharmacy when picking up the client’s prescriptions.
o Your supervisor or co-workers involved with the client’s care.
o 911 or at the hospital.
o Relatives or friends who are approved to receive PHI about your client.

Ensuring policies and procedures are developed and implemented to restrict the uses and disclosures of PHI is an important element of HIPAA compliance. If health information is used for purposes not permitted by the HIPAA Privacy Rule or is deliberately disclosed to individuals unauthorized to receive the information, there are possible penalties for the covered entity or individual responsible.

HIPAA permits protected health information to be used for healthcare operations, treatment purposes, and in connection with payment for health care services. Information may be disclosed to third parties for those purposes, provided an appropriate relationship exists between the disclosing covered entity and the recipient covered entity or business associate. A covered entity can only share PHI with another covered entity if the recipient has, or previously had, a treatment relationship with the patient and the PHI relates to that relationship. In the case of a disclosure to a business associate, a business associate agreement must have been obtained. In all cases, the minimum necessary standard applies: disclosures must be restricted to the minimum necessary information that will allow the recipient to accomplish the intended purpose of use.