Deven McGraw: Health data access a priority for OCR

Access to health data is a top-of-mind issue for the Department of Health and Human Services Office for Civil Rights, and one that will be addressed via pending guidance, according to Deven McGraw, deputy director of the agency's Health Information Privacy Division.

Speaking last week at the "Safeguarding Health Information: Building Assurance through HIPAA Security" conference hosted by OCR and the National Institute of Standards and Technology in the District of Columbia, McGraw pointed out that issues such as patients' rights to choose which third parties can receive their data and fees around electronic access will be covered in the guidance, which she predicted could be out by the end of October.

In particular, McGraw pondered whether "per page" is still a useful metric for determining costs for access to electronic medical records.

"As you may remember, in HITECH, Congress said that if you're getting an electronic copy, a reasonable ... fee really ought to be limited to labor costs," McGraw said. But if a record was never paginated, she said, figuring out those labor costs won't be as cut and dried.

McGraw also said the guidance will be in "frequently asked questions" format so that the agency can update it more often.

"I suspect that once we put this out, it's going to be helpful in answering some questions and it's going to generate a whole bunch of other ones," she said. To that end, the FAQ format allows the agency to be "a little bit more nimble" in providing feedback, McGraw added.

Aside from talking about guidance, McGraw clarified the OCR's policy on encryption, which she said has caused confusion for many stakeholders.

"Addressable [specification] does not mean optional," McGraw said. "Addressable does not mean, 'well, maybe if I can get around to it.' 'Addressable' means we expect you to do this. You must address encryption of data at rest and in transit."

McGraw added that encryption is dubbed an addressable specification because of the multitude of organizations involved in accessing and transporting protected health information.

"We do need flexibility in the security rule," she said. "We have such a wide swath of entities in terms of their function, what they're doing, their size, their resources; one-size-fits-all security has never been in anybody's playbook."