OCR issues reminder about patient health information access under HIPAA

The U.S. Department of Health and Human Services is trying to change the perception of what HIPAA does for patients. HIPAA is commonly thought of as a rule that requires health organizations to secure patients’ protected health information (PHI). While that remains true, HHS wants more people to be aware that HIPAA also affords them the right to freely access their own patient health information.

Jocelyn Samuels, director of the HHS Office for Civil Rights (OCR), authored a blog post that accompanied a frequently asked questions (FAQ) section and fact sheet detailing the information which patients must be allowed to receive. Patients are entitled to a “designated record set”, a collection of the patient’s PHI, which contains the following:

  • Medical and billing records maintained by a covered healthcare provider
  • Enrollment, payment and claims adjudication records
  • Any other records used by providers to make a decision about an individual patient

In her blog, Samuels promised OCR and HHS “will continue to develop additional guidance and other tools as necessary to ensure that individuals understand and can exercise their right to access their health information.”

Patients can ask for a copy of their PHI, either in an electronic or paper format. If the record is not “readily producible” in the patient’s preferred format, the covered entity and individual must agree on an alternative format. A patient must be given access to their information within 30 days of their request, unless there is a delay in processing. If that occurs, the HIPAA covered entity has an additional 30 days to grant the patient’s request.

There are still limits to the information that patients can obtain, however. The HHS fact sheet specified psychotherapy notes, information to be used in a criminal or civil legal proceeding, and patient safety activity records as examples of information that is excluded from designated record sets, meaning that this information doesn’t have to be offered up to patients.

In the FAQ portion of its update, HHS addressed whether an individual’s ability to access old patient health information ever expires, if patients can be denied certain health information and whether PHI held by a covered entity’s business associate must also be disclosed to inquiring individuals. The answers to all of the questions are tilted in favor of patient access.

Join the conversation



This is probably the best article I've ever read on real-world implementation of the philosophy of DevOps - And what a DevOps team would look like.

I've worked for companies and organizations that have sequestered their people, and organizations that implemented DevOps, not in name, but as a paradigm - Basically assembling all core competencies into a team whose goal is sustainment and further development. The odd part is - Even in the organizations who stove-piped disciplines, the most effective people informally formed natural teams as described. Even though the team is not officially recognized, the results are quite obvious, and fantastically positive.

While I wouldn't expect a DBA to suddenly have a burning desire to churn out code, or a Java dev to look forward to being chained to a server and a beeper, the cross-pollination is so much more subtle. By simply working and talking with each other, Java programmers will learn that DBAs like pushing data retrieval to SQL where it can be tuned in many ways without a recode. Sysadmins will be more receptive to how the various data connections need to be maintained. DBAs learn the various locking methods their developers may be using and tune/design towards them. They will all learn the nuances of their parts of the enterprise integration.

I think this article seems so unique because the author is clearly focused on improving quality and results. The lion's share of DevOps articles I have read have been focused on driving down labor costs while rationalizing that things will be fine. THIS is the right approach!

I'm glad you liked the article, and you are right about it being a philosophy. So often in any IT organization we get so focused on "doing more with less" that we forget that sometimes we have to be willing to shift our mode of thinking away from just the bottom line to the people. Let them be themselves, be creative and unleash their potential and you will see the bottom line improve just because people are doing the RIGHT thing!

The organizations that "get it" are the ones who don't have to attend DevOps conferences and read whitepapers about how to do it, they are already doing it -- and for every organization that might be a different way.

Refreshing to see a post like this that speaks outside of the box. Really impressive analogy and some good insight. Thanks!