It's Your Health Information. Know Your Rights.

You, as a patient in the US healthcare system, have rights when it comes to your health information. As Baker Harrell, PhD discussed in his February 16th blog, The Patient Empowerment Movement: A Paradigm Shift in Healthcare, there is a growing movement driving changes in US healthcare, and in US healthcare policy and regulation.  These changes are leading to an expansion in the patient’s right to their health information. The policies and regulations together provide the guidance that healthcare providers and insurers are to follow at a federal, as well as a state level.  This blog will focus on the federal level, but it is worth noting that the federal level (through HIPAA) sets the baseline that is adopted by all states. Between states there are variances, and some states have greatly expanded upon patient’s rights. Here is a look at the two main federal-level guideposts that dovetail in support of your health information rights: 

The HIPAA Privacy Rule. 

Established by the U.S. Department of Human and Health Services (HHS), the Privacy Rule sets national standards to protect patients' healthcare records and gives patient rights over their protected health information. 

Summary of the HIPAA Privacy Rule | HHS.gov 

The Cures Act, formally known as H.R. 34 or the 21st Century Cures Act. 

The Cures Act was designed, in part, to bring about innovations and advances to healthcare infrastructure which benefit patients who want/need their health information faster and more efficiently. These innovations include electronic health information technology that serves to support the health information rights of the patient as granted to them under the Privacy Rule. The Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (ASTP) is organizationally located within HHS and is charged with coordination of nationwide efforts to implement innovations under The Cures Act.  

Patient Access to Health Records | HealthIT.gov 

Key Takeaways: Know Your Rights Under HIPAA Privacy Rule and The Cures Act  

HIPAA Privacy Rule 

• A patient has a right to request copies of their health information. That health information includes: medical records, billing and payment records, insurance information, clinical laboratory test results, medical images (such as X-rays, MRI etc.), wellness/disease management program files, and clinical case notes.  Under the Privacy Rule, the healthcare provider must provide the patient with access to the health information in the form and format requested by the patient no later than 30 days from their request. This empowers patients to review their health history, treatment plans, diagnoses, and collaborate effectively with their healthcare providers. Under the Cures Act, the patient has a right to their health information in electronic format. 

• A patient has a right to control the sharing of their health information. 

• A patient has a right to request corrections to their health information. 

• A patient has a right to receive privacy notices. 

• A patient has a right to file complaints about privacy, excessive fees, excessive delays, or other forms of information blocking (more about this below). 

• Patients have the right to determine how they are contacted. 

• Patients have the right to object to certain disclosures. 

The Cures Act  

The Cures Act directs the adoption of innovation by healthcare providers in support of the right of the patient to electronically access their health information. ASTP drives this adoption by pushing for: 

• Technology interoperability and electronic format as the norm: advancing the development and use of health IT capabilities as the expected norm within the healthcare system;  

• Creation and adherence to standards: establishing and enforcing the expectations of the healthcare system for that health information sharing; and 

• Enforcement: providing for the investigation, mediation/adjudication and imposing penalties in instances of information blocking.   

  
  

Unfortunately, some healthcare providers are not in compliance with the Cures Act and their record management processes run afoul of both the Cures Act and the Privacy Rule by creating undue delays and obstacles for patients seeking their health information.  This is known as information blocking. 

Examples of Information Blocking. 

• Requesting lab, Xray or biopsy results and being told, "Wait for your next visit so the doctor can discuss it with you." 

• Charging excessive fees for access to your medical records. Skip the paper records and CDs. They can be pricey and healthcare providers are entitled to recoup certain expenses.  Always request that your records be provided to you in electronic/digital format. Most providers should have your records in this format already, since it is the standard that The Cures Act requires of them. Additionally, in most cases, there should be no charge for electronic/digital format. HHS has opined that providers should not be charging patients for the electronic records. Providing a patient with access to their health information is a necessary component of delivering health care.  The charging of fees creates barriers to this access.   

• Delay or refusal to transfer medical records to another doctor/specialist/provider. 

  
  
  
  

What To Do If You Think Information Blocking Is Happening to You 

• Know how to log in to your healthcare portal. 

• Sign any forms required for sharing/transferring information. 

• Mention your right to information under the 21st Century Cures Act and the Privacy Rule. 

• If the blocking has been ongoing for over 30 days, file a complaint with the US Department of Health and Human Services-Office of Civil Rights, at Enforcement Process | HHS.gov. 

• If blocking has been ongoing for over 30 days, file a complaint with your state Attorney General’s office. Note, some states provide for a narrower window than 30 days. For example, in Texas, providers much respond within 15 days. 

• If the blocking has been ongoing for over 30 days, file an information blocking claim with the Office of the Inspector General at the National Coordinator for Health Information Technology (ONC)  at Information Blocking | Office of Inspector General | Government Oversight | U.S. Department of Health and Human Services. 

  
  

Avoid Information Blocking and Unnecessary Barriers and Delays. It’s Your Health Information. Know Your Rights.  Set up a Health Bank One account and take control of your health information and flex your rights.    

If you are curious about HHS’s stance on a patient’s right to their health information, check out their recent ruling against a healthcare provider engaged in information blocking: 

HHS Office for Civil Rights Imposes a $200,000 Penalty Against Oregon Health & Science University for Failure to Provide Timely Access to Patient Records | HHS.gov