HHS OCR anticipates additional guidance on patients' rights to access health data

The Health and Human Services Department’s Office for Civil Rights anticipates providing additional guidance to covered entities and business associates on the rights of patients to access their health information, Jocelyn Samuels and Deven McGraw said Thursday at the 25th National HIPAA Summit.


Samuels, OCR’s director, urged covered entities unsure about access rights to reach out, saying she anticipates an “iterative” process where OCR will respond to questions as it becomes aware of existing confusion.

McGraw, OCR’s deputy director for health information privacy, added that the agency is very interested in hearing about incremental questions that arise in various scenarios, rather than simply hearing “HIPAA may not let us do this.”

“It’s not helpful for all of you to have that uncertainty, and it certainly doesn’t help us help you get over that uncertainty and help us think through ‘well, how do the rules apply in this circumstance, and what is a reasonable set of steps to take in order to address those risks,’” she said. “We want to hear those questions.”

Samuels also said OCR is working on developing additional fact sheets for individuals to ensure they, too, understand how to exercise their right to data access.

“As we know from multiple analyses, when patients are involved in their healthcare and have access to their information, they become better consumers,” Samuels said. “They can monitor their medications. They can identify their treatment regimens. They can make better-informed decisions which lead to better healthcare outcomes.”

HIPAA Audit update

McGraw said OCR is right in the middle of evaluating information received as part of the desk audits of 167 covered entities, but that it’s too early to reveal any findings. Preliminary draft reports will be sent to those covered entities soon, she said, and she’s hopeful that their final reports will be sent by the end of 2016.

Additionally, McGraw said the plan is to start desk audits of business associates in October.

Settlements offer lessons learned

Samuels said covered entities should look at the settlements reached by OCR in 2016 as lessons learned. For example, she said the $650,000 settlement reached with Catholic Health Care Services in June should send a message about how critical it is to have business associate agreements in place. The $2.7 million settlement reached with Oregon Health & Science University in July, meanwhile, should be a reminder to always encrypt data, she said.

Supportive leadership, she added, is critical to making sure those issues are addressed appropriately.

“Having the C-suite recognize the importance of compliance, empowering privacy and compliance officials to do their jobs and to have the clout to ensure that the organization adopts the mechanisms that are necessary, is really important in order to ensure compliance with HIPAA and prevent us from having further interactions with you,” Samuels said.

She added, referencing the $5.5 million settlement reached with Advocate Health Care Network in August, that going live with the results of an enterprise-wide risk analysis is a must.

“The best analysis on paper will not protect you if you don’t take the steps that it indicates are necessary to ensure privacy and security of PHI,” Samuels said.

What’s next

While Samuels called HIPAA a useful regulatory regimen for self-evaluation and assessments of compliance by the entities it covers, she acknowledged the net it casts is not as wide as the landscape in which health information resides.

“HIPAA is a product of its time,” she said. “But it doesn’t cover the universe of entities that handle health information these days, and I think we’re all aware of that.”

Because of that, she said, OCR is working with other federal agencies, including the National Institutes of Health and the Federal Trade Commission, to identify privacy and security standards that can “govern important new aspects of healthcare and provide protection” to encourage patient trust, particularly with regard to new programs such as the Precision Medicine Initiative.

“There is incredibly exciting potential from amassing this massive amount of data that will enable researchers to really evaluate connections between lifestyle and health treatments. But because of the need to amass massive amounts of data, there’s also a need to ensure robust privacy and security protections. That’s why we’re working with NIH and others to come up with the privacy and security standards that will govern researcher involvement in this project. Some of the researchers are going to be covered entities; some are not. And we want to make sure that the standards that apply across the board are sufficiently robust that people will be willing to share their data to enable this project to be a success.”