Patient Access Playbook: Legal requirements

Federal and state laws provide patients the right to obtain access to much of their health information.

In particular, the federal medical privacy law, the Health Insurance Portability and Accountability Act, commonly known as HIPAA, provides a patient the right to obtain an electronic copy of their medical record in the patient’s preferred form and format, as long as your practice is technically able to do so.

Patient Access Playbook summary

Medical professionals have a role in responding to and fulfilling requests to share patient health records.

Historically, the legal requirements around patient access have been a source of significant confusion among patients, providers and third parties. Navigating the laws to understand a provider’s responsibilities in this area is a challenge for a seasoned privacy attorney, let alone a medical practice focused first and foremost on delivering patient care.

The laws with which physicians must comply form a puzzle, and it is important to understand how each piece fits together. The puzzle includes HIPAA, state laws, the Promoting Interoperability programs (aka “PI” and formerly known as “Meaningful Use”) and the federal law governing substance use disorder treatment records (commonly known as “Part 2”). There are also federal regulations prohibiting what’s known as “information blocking.”

It is best to think of HIPAA as a floor, with other laws providing greater rights. Among other things, HIPAA provides patients a right to access most of their health information, limits how much the patient can be charged for access and provides deadlines for providing access.

On top of HIPAA are state laws. If your state law provides patients with a greater right of access than HIPAA does, then you must comply with both HIPAA and the state law’s additional obligations. If your state law makes it harder for a patient to obtain access to health information, then the portion of state law making access more difficult will not apply. When considering HIPAA and state law, always put yourself in the patient’s shoes and determine which gives the patient more access to their information. You must comply with whichever law gives the patient more access.

Next up are the Promoting Interoperability (PI) programs, which arose from the EHR incentive payment programs that required “meaningful use” of EHR technology. These programs impact your Medicare and Medicaid reimbursement levels. The PI programs include patient engagement requirements that are very different from HIPAA. You need to comply with both the PI program’s requirements and HIPAA if you wish to maximize your Medicare and Medicaid payment.

There is a federal rule, commonly known as “Part 2,” governing certain programs that hold themselves out as providing treatment, diagnosis or referral for treatment for substance use disorders. It is important to know whether this rule applies to your practice. This rule requires a special consent form if a patient directs that a copy of substance use disorder information go to a third party, such as a caregiver or attorney. Unlike under HIPAA, a patient must also sign a consent form to share substance use disorder information for treatment and payment purposes.

Federal regulation prohibits medical providers and EHR vendors from standing in the way of patients receiving their own health information, a practice known as “information blocking.” In particular, patients have the right to request access to their records using a smartphone app of their choosing. Your EHR will have what’s called an application programming interface (API) that allows a patient’s app to connect to the EHR and download their health information. As a general rule, you must facilitate a patient’s desire to connect their app to your EHR.

The Patient Access Playbook (PDF) focuses on dispelling HIPAA myths and helping physicians understand their obligations to provide patients with access to their health information.