Debunking HIPAA myths in the digital age

Although 20 years have passed since HIPAA's inception, the law continues to befuddle patients and clinicians alike. Much mythology surrounds the requirements of the Health Insurance Portability and Accountability Act, said Thomson Kuhn, senior systems architect and senior associate for health policy at ACP. “The privacy component of HIPAA has been misunderstood by everybody since the beginning, and all previous attempts at clarification have failed, for the most part,” he said.

The latest clarification attempts came in January and February, when the U.S. Department of Health & Human Services Office for Civil Rights (OCR) published explanations of patients' right to access their electronic records. “Our members really do have a number of responsibilities to provide information to patients when patients want it, in the form they want it, and when they want it,” Mr. Kuhn said. “That's not well understood in all practices, so some patients may get stonewalled inappropriately.”

Indeed, many clinicians were taught that “HIPAA means no” when, in actuality, HIPAA is designed to make information flow between clinicians and patients while protecting privacy, he said. “It was supposed to free up data to flow better, not to lock it up and prevent it from being used,” Mr. Kuhn said. “But that seems to be how it's been interpreted in the past.”

Other challenges that relate to HIPAA as it was revised in 2013 include patients' right of electronic access in general, as well as the format and delivery of the data, said Christine Bechtel, who coordinates GetMyHealthData, a national campaign supported by the National Partnership for Women & Families that helps patients, or “tracers,” through the process of obtaining their health records. The campaign dubs patients as such because of their test-case nature. (The GetMyHealthData campaign offers online resources for both patients and clinicians.)

“We would like to see a shift from being guarded about sharing patient data to being open and transparent and recognizing that providing electronic data to patients is a real enabler in patient engagement in their own health and their own care,” she said. “We would not ever ask a consumer today to try to manage their finances without data, but we are asking patients to manage their health care without meaningful, usable electronic data every day.”

While OCR will continue to release updated guidance pertaining to certain gray areas of HIPAA, its recent clarifications attempt to dispel some of the most common myths.

Myth No. 1: HIPAA precludes patients from accessing their medical records electronically because of privacy concerns.

The aim of HIPAA is to promote the flow of health information to patients, the rightful owners of their data. In fact, the 2013 update to the law states that a patient has a right to an electronic copy of his or her health record. “A lot of times, the responses that tracers will receive when they ask for those e-copies is, ‘I'm sorry, we only do paper,’” Ms. Bechtel said. “You actually do, as a patient, have a right to an electronic copy.”

In addition, patients also have a right to different formats of the electronic copy—for example, instead of a read-only PDF copy, they may ask for a structured data copy. “As long as the provider can technically produce it, then they must produce it in the format that the patient is asking for, but they don't have to buy any special equipment,” Ms. Bechtel said. If a patient requests an electronic copy of paper records but the practice doesn't have a scanner, for instance, then the practice does not have to buy one just to meet the patient's request, she said.

“What OCR clarified recently is that whether or not a provider honors the patient's request is a matter of capability; it's not a matter of willingness. That's an important clarification that I think providers need to be aware of because it means they need to have a workflow around assessing, for each records request, what it is the patients are looking for,” Ms. Bechtel said. Secure patient portals have made it easier for patients to send messages, see test results, and read clinic notes, and many also include the ability for patients to download a comprehensive care summary. Practices could initially respond to requests by asking patients what information they need, Ms. Bechtel noted. “And if the patient portal doesn't cut it for them, then look at what you can extract from the electronic health record [EHR] in terms of a broader dataset,” she said.

Myth No. 2: Clinicians should never communicate with patients through e-mail or other unsecure channels because of security concerns.

If a patient requests an e-mail as the medium of distribution, then a practice must provide a brief warning of the risk that the transmitted health information could be compromised, according to OCR. If the patient accepts this risk, the practice must comply with the request. “It's the patients taking a risk, not the provider, and they're covered by that,” Mr. Kuhn said.

OCR's guidance adds that practices must adopt “reasonable safeguards” while fulfilling a records request, such as using the correct e-mail address. However, if requestors accept the risk, practices are not responsible for any compromised protected health information sent on an unsecure network.

Similarly, clinicians may be tempted by the convenience of communicating with patients through e-mail but should “know what is available within your practice that would allow you to communicate electronically in a HIPAA-secure manner,” said Ana María López, MD, MPH, FACP, chair of ACP's Ethics, Professionalism and Human Rights Committee. “Let's say a patient were to e-mail you in a nonsecure way. If you reply, make sure you reply in a secure way,” such as from a professional e-mail through an encrypted pathway, she said.

And if a patient texts a clinician, the clinician should call the patient and inform him or her that that form of communication is not appropriate and secure, said Dr. López, associate vice president for health equity and inclusion at the University of Utah Health Sciences Center in Salt Lake City. “As a clinician, you don't want to be communicating in a nonsecure fashion. ... And be very careful not to communicate through a social media mechanism around anything clinical,” she said.

Myth No. 3: Practices may charge patients by the page for the delivery of electronic medical information, including search-and-retrieval fees.

Here is where EHRs prompt substantial change. Delivering paper records to patients has been associated with “tremendous cost,” but now, practices with certified EHRs shouldn't need more than a few minutes to send the data electronically, Mr. Kuhn explained. “You're only allowed to charge for exactly what your out-of-pocket costs are to provide the data,” he said.

OCR permits imposing a “reasonable, cost-based fee,” which may include labor, supplies, and postage but not costs associated with verification, documentation, search and retrieval of the information, or maintenance of systems.

For example, if a patient requests medical information from the EHR in the form of a thumb drive or CD-ROM, a practice could feasibly charge for the storage equipment, but the labor to produce the record would only be a few minutes of somebody's time, Ms. Bechtel said. “If they've done this in an efficient way, there should be little to no cost,” she said.

Although the privacy rule permits certain limited fees, “covered entities should provide individuals who request access to their information with copies of their [protected health information] free of charge,” particularly in cases where an individual would find it difficult or impossible to afford the fee, new OCR guidance states. Despite what the law says, Ms. Bechtel said she has seen bills from tracers who were charged a searching fee of up to 75 cents per electronic page, which the new guidance clarifies is not acceptable.

Furthermore, clinicians may not withhold or deny patients access to their personal health information in the case of unpaid medical bills, according to OCR.

Myth No. 4: Patient records may only be released to the patient.

Practices may require patients to request access to their records in writing or offer them the option of using electronic means to request access, according to OCR's recent guidance. Practices are required to take “reasonable steps” to verify the identity of a requestor through oral or written means, although OCR leaves the exact type and manner of verification to their discretion. However, it does state that a practice cannot require the patient to come in person for identity verification, as this would be an unreasonable burden.

If a patient requests the release of electronic information to a third party, such as an app or information intermediary, the practice must do so, according to OCR. Third parties may include other doctors or health care entities, a family member, an app such as a personal health record, a researcher, and an authorized personal representative, according to OCR guidance, which also clarifies the difference between an individual right of access request and a HIPAA authorization for disclosure.

Although these myths are widespread, clinicians can do their part to brush up on the law and provide their patients with digital access to their records. As an added bonus, the functionality of EHRs has made complying with HIPAA easier than gathering and sending records on paper, said Mr. Kuhn. “In general, I think the situation is improving dramatically. ... It's just a case of spreading [this information] to those who don't yet understand that the situation has changed,” he said.