Patients' right of access to their health information was emphasized by multiple speakers at the annual NIST/OCR HIPAA Security Conference in Washington, D.C. in September 2017. Just as we at 24By7Security say about cybersecurity, “Don’t Risk it, Secure it”, OCR (Office for Civil Rights) says of patients’ health information, “Get it, Check it, Use it”.
OCR Director Roger Severino highlighted the need for patients to be empowered to take control of their own health information. Patients have a right to access their own health information, and this is an important part of the information equation for HIPAA compliance. Security is just one part; patients’ right of access is another.
The HIPAA Privacy Rule gives patients the right to inspect, review and receive a copy of their medical records and billing records held by health plans and providers. Patients have a right to access both paper and electronic medical records. They may need to pay a fee to access this information, but they have a right to receive the information in a readable format, to request corrections in their information and to have the information provided to someone else they may designate. Patients also have a right to be notified as to how their health information is being used and shared. According to HIPAA, providers have 30 days to provide patients with the requested information. There have been cases when patients have filed complaints with HHS when a provider has denied them access to their medical records. According to Iliana Peters of OCR, this is the third most frequently seen complaint received by OCR.
Regulators have emphasized that individuals should be empowered to take control over their health decisions in a patient-centric health system. Providing patients with access to their health information enables patients to effectively review their records, monitor their health conditions on an ongoing basis and track their progress.