In our last blog on medical privacy, we noted that HHS’s Office for Civil Rights (OCR) promised that a number of HIPAA guidances were forthcoming in the next several months. It appears that (at least so far) OCR is keeping its promise, issuing its long-awaited guidance addressing Individuals’ Right under HIPAA to Access their Health Information (IR Guidance). Although this IR Guidance comes several months after OCR suggested it would (October 2015), it does reflect the agency’s continuing efforts to add clarity to the HIPAA Privacy, Security, and Breach Notification Rules and get the guidance train rolling. This suggests that we may soon see additional guidances promised by OCR, including, perhaps among others:
- guidance on the breach standard of “low probability of compromise;”
- guidance on the “minimum necessary” standard; and
- guidance on “cloud computing.”
Please stay tuned and check our blog for regular updates – including on publication of additional OCR guidance.
The IR Guidance provides OCR’s current thinking on an individual’s right to access his or her health information under the HIPAA Privacy Rule (45 C.F.R. § 164.524). It addresses the types of information included, form and timing of access, and grounds for denial. Significantly, among other things, the guidance provides insights on the interaction and relationship between Covered Entities and their Business Associates (BA) in providing individuals the required access.
Although the rule on individuals’ right to access does not specifically mention BAs, as with nearly all of the Privacy Rule, it applies with equal force to BAs pursuant to the HITECH Act. Further, all Business Associate Agreements (BAA) are required to state that the BA will “[m]ake available protected health information [(“PHI”)] in accordance with § 164.524.” 45 C.F.R. § 164.504(e)(2)(i)(E). OCR clarifies that, with limited exceptions (e.g., psychotherapy notes or information compiled in reasonable anticipation of, or for use in, a legal action), the Privacy Rule provides individuals with an enforceable right to see and receive copies of the information included in a designated record set maintained by their Covered Entity health care providers and health plans, as well as those entities’ BAs. See definition of “Designated Record Set” at 45 C.F.R. § 164.501.
The IR Guidance further underscores BAs’ responsibilities for assisting Covered Entities in responding to individual requests:
- “[I]f an individual submits a request for access to PHI, the covered entity is responsible for providing the individual with access not only to the PHI it holds but also to the PHI held by one or more of its business associates. However, if the same PHI that is the subject of an access request is maintained in both the designated record set of the covered entity and the designated record set of the business associate, the PHI need only be produced once in response to the request for access. See 45 C.F.R. § 164.524(c)(1).” Guidance, sixth unnumbered Question and Answer (“Q&A”).
- “[T]he business associate agreement between the covered entity and the business associate will govern whether the business associate will provide access directly to the individual…. However… a request for access still must be acted upon within 30 calendar days (or 60 calendar days if an extension is applicable) of receipt of the request by either the covered entity, or by a business associate if the request was made directly to the business associate because the covered entity instructed individuals through its notice of privacy practices (or otherwise) to submit access requests directly to the business associate.” “These timelines are outer limits, and it is expected that many covered entities should be able to respond to requests for access well before these outer limits are reached.” Id., ninth unnumbered Q&A (emphasis in original omitted).
The IR Guidance also provides insight on transmission of unsecured PHI, and not just in the context of a right to access request:
- “While covered entities [and their BAs, as applicable] are responsible for adopting reasonable safeguards in implementing the individual’s request (e.g., correctly entering the e-mail address), covered entities are not responsible for a disclosure of PHI while in transmission to the individual based on the individual’s access request to receive the PHI in an unsecure manner (assuming the individual was warned of and accepted the risks associated with the unsecure transmission). This includes breach notification obligations and liability for disclosures that occur in transit. Further, covered entities are not responsible for safeguarding the information once delivered to the individual. Covered entities are responsible for breach notification for unsecured transmissions and may be liable for impermissible disclosures of PHI that occur in all contexts except when fulfilling an individual’s right of access under 45 C.F.R. § 164.524 to receive his or her PHI or direct the PHI to a third party in an unsecure manner.” Id., twentieth unnumbered Q&A.
We expect to be back to you soon with more from OCR.