HIPAA access versus authorization
The nuances of the HIPAA right of access rule continue to pose challenges for health systems. Guidance previously released by The U.S. Department of Health and Human Services (HHS) included extensive information on all aspects of the rule (such as the requirement to provide patients with protected health information (PHI) in electronic format if requested). But the discussion of the differences between disclosures under the patient’s right of access (45 CFR 164.524) and disclosures pursuant to patient authorization (45 CFR 164.508) raise some of the trickiest issues for covered entities.
Access request. When the disclosure falls under the access rule, a covered entity may require a written request, signed by the individual, that identifies the designated person and where to the send the PHI. However, HHS has stated that a covered entity may not require a patient to sign an authorization form when the access rule applies. The fee limitations and response timeframe requirements set forth in the access rule apply to all such disclosures.?
Authorization. While disclosures under the access rule are mandatory, disclosures under the authorization rule are not – thus, a covered entity could reject a request even with an authorization. Additionally, disclosures under the authorization rule are not subject to the fee limitations or response timeframe requirements of the access rule. Of course, a valid authorization form (satisfying 45 CFR 164.508(c)) is required.
Disclosure for treatment, payment and health care operations. HHS has stated that because covered entities are permitted to disclose PHI without authorization for treatment, payment and health care operations, individuals “should not have to facilitate this transmission by submitting an access request (and potentially having to wait up to 30 days for the information to be sent and be charged a fee) or by executing a HIPAA authorization.” Thus, a patient request to send PHI to his or her physician should not be processed as either an access request or under the authorization rule.
These rules pose challenges as the distinctions between the nature of the request may not always be obvious when received. Covered entities should avoid a one-size-fits-all approach to disclosures of PHI and should work to establish procedures that ensure compliance with these HIPAA rules when processing patient requests for PHI.