HIPAA access versus authorization

Bricker Graydon LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Bricker & Eckler LLP

The nuances of the HIPAA right of access rule continue to pose challenges for health systems.  Guidance previously released by The U.S. Department of Health and Human Services (HHS) included extensive information on all aspects of the rule (such as the requirement to provide patients with protected health information (PHI) in electronic format if requested). But the discussion of the differences between disclosures under the patient’s right of access (45 CFR 164.524) and disclosures pursuant to patient authorization (45 CFR 164.508) raise some of the trickiest issues for covered entities. 

Access request. When the disclosure falls under the access rule, a covered entity may require a written request, signed by the individual, that identifies the designated person and where to the send the PHI. However, HHS has stated that a covered entity may not require a patient to sign an authorization form when the access rule applies. The fee limitations and response timeframe requirements set forth in the access rule apply to all such disclosures.?

Authorization. While disclosures under the access rule are mandatory, disclosures under the authorization rule are not – thus, a covered entity could reject a request even with an authorization. Additionally, disclosures under the authorization rule are not subject to the fee limitations or response timeframe requirements of the access rule. Of course, a valid authorization form (satisfying 45 CFR 164.508(c)) is required.

Disclosure for treatment, payment and health care operations. HHS has stated that because covered entities are permitted to disclose PHI without authorization for treatment, payment and health care operations, individuals “should not have to facilitate this transmission by submitting an access request (and potentially having to wait up to 30 days for the information to be sent and be charged a fee) or by executing a HIPAA authorization.” Thus, a patient request to send PHI to his or her physician should not be processed as either an access request or under the authorization rule.

These rules pose challenges as the distinctions between the nature of the request may not always be obvious when received. Covered entities should avoid a one-size-fits-all approach to disclosures of PHI and should work to establish procedures that ensure compliance with these HIPAA rules when processing patient requests for PHI.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Bricker Graydon LLP

Written by:

Bricker Graydon LLP
Bricker Graydon LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Bricker Graydon LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide