Written by Anna Spencer and Milton Gregory

On April 4, 2018, the US Department of Health and Human Services’ (“HHS”) Office of the National Coordinator for Health Information Technology (“ONC”) released a new web-based resource – the ONC Guide to Getting and Using your Health Records – that promotes individual access to medical records by educating patients on their rights of access and amendment under HIPAA and provides detailed instructions on how patients should request their records. As ONC acknowledges, access to health information can empower patients and enable them to take control of their own health, well-being, and safety.  Although the guidance does not have the force of law, it offers valuable insight into how the Trump administration seeks to further patient rights under HIPAA.

The web-based guide is meant to help individuals, patients, and caregivers better understand how to access, review, and use their electronic (and paper) health information by providing instructions as well as tips, links and quizzes to test the individual user’s knowledge. Among other steps, individuals are told to collect the full names, physical addresses, phone numbers, and fax number or secure email address (through any patient portal) for every doctor to whom they want to send, or from whom they want to receive, their medical record. The resource goes on to state that individuals may be required to complete forms when they request their records, and it describes a potential form that contains at least twenty-three data points. Clearly, collecting this much information and completing a form for every health care provider will prove too burdensome for many patients.

The resource also suggests that individuals who follow through with accessing their health information use mobile apps to manage the data. It encourages individuals to select secure apps and provides a link to an FTC webpage with instructions on how to protect personal information, but it does not explain the privacy and security issues inherent in mobile health apps. Individuals should understand that mobile health apps typically are not afforded the protections provided by HIPAA unless the app is offered by a HIPAA covered entity or business associate; a consumer app that merely receives a copy of the record from the patient generally falls outside HIPAA, and the data is then governed only by the app’s own privacy policy and general consumer protection law.

The 21st Century Cures Act (“Cures Act”) amended federal law to permit business associates (i.e., vendors of covered health care providers that process Protected Health Information (“PHI”) on behalf of those providers) to provide individuals with access to the PHI that they maintain in certain records. However, ONC’s new resource does not include any guidance on what a business associate’s role is in the expansion of patients’ rights under the Cures Act. Some business associates, such as health care clearinghouses, hold PHI from multiple health care providers and health plans. As such, they could serve as convenient supplemental sources of health records for individuals in addition to health care providers.

Covered entities and business associates should monitor the implementation of these provisions by the Office for Civil Rights. Covered entities will potentially need to revise their Business Associate Agreements to avoid interfering with business associate obligations and business associates will want to ensure that they comply with regulatory requirements.