April 13, 2024

Three ways providers get HIPAA right of access wrong

The HIPAA Privacy Rule Right of Individual Access guarantees that individuals can obtain copies, physical or digital, of their healthcare records from their providers. Simple as that.

But then again, it's not as simple as it might first seem. Many provider organizations misinterpret this area of HIPAA regulation. A single error can lead a hospital, health system or group practice into noncompliance with HIPAA – the consequences of which can include significant fines.

Where a right goes wrong

Deven McGraw, chief regulatory officer at Ciitizen, a company that helps consumers obtain digital copies of their medical records, is very familiar with the areas in which provider organizations get the HIPAA Privacy Rule Right of Individual Access wrong.

In her recent HIMSS20 Digital educational session on the subject, Patient Access to Healthcare Records: The Rocky Road to APIs, McGraw – who also served as chief privacy officer at the Office of the National Coordinator for Health IT – offered some detailed insights into how providers should be thinking about this regulation, particularly in light of the new patient-access rules from ONC and CMS.

"A covered entity can require that a request is in writing, and most do," she explained. "And this request can be accepted electronically, and that's typically the easiest way for individuals in this day and age to get a request into the covered entity. Entities are required to take reasonable steps to verify the identity of the patient. But you can't set up those identity verification requirements in a way that ends up creating an obstacle to or barrier to access, or unreasonable delay."

McGraw said there are three ways that healthcare provider organizations typically find themselves in noncompliance with the right of individual access, and that organizations should do everything they can not to fall into these traps.

"Some entities – and these are not just small entities, these are entities that have privacy officers and compliance staff – say they will only take in requests by mail, or only by fax," she noted. The regulation and the guidance say that covered entities must accept requests both physically and digitally.

Sign on the digital line

On another front, some entities also struggle with digital signatures, she said.

"How do I know the patient has actually signed this request form when it's done digitally?" McGraw asked. "That I think is an open question that can be hard to resolve. But nonetheless, you have to have a way for people to be able to remotely request their information, because you can't require an in-person visit. The guidance makes this very clear."

And finally, some covered entities still require individuals to come in person to make a records request, she said. "Even though guidance makes clear that an entity cannot require an individual to make a separate trip to the office to request access," she said.

McGraw, along with co-presenter Jodi G. Daniel, partner at Crowell & Moring and former policy director at ONC, does a deep dive into the subject of individuals accessing their records and the application programming interfaces that are making the digital sharing of records easier.

Twitter: @SiwickiHealthIT
Healthcare IT News is a HIMSS Media publication.