Have you ever asked your healthcare provider to send you medical records by email? Most likely, you’ve received the reply: “We can’t do that. We can only fax them to you or provide you with a paper copy.” This answer is wrong.
HIPAA’s right for individuals to access their health information, 45 CFR § 164.524, provides:
The covered entity must provide the individual with access to the protected health information in the form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable hard copy form or such other form and format as agreed to by the covered entity and the individual.
Allergy Associates of Hartford has agreed to pay $125,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for an alleged violation of HIPAA. The incident occurred in February 2015. A patient reached out to a local TV station about a dispute with a doctor at Allergy Associates. When the reporter contacted the doctor for comment, the doctor improperly disclosed the patient’s PHI. After Allergy Associates learned that HHS was investigating this incident, no disciplinary action was taken against the doctor. According to the Resolution Agreement:
(1) Allergy Associates impermissibly disclosed the Complainant’s PHI to an unauthorized third party. See 45 C.F.R. § 164.502(a).
(2) Allergy Associates failed to apply appropriate sanctions against its Workforce Member who failed to comply with the entity’s privacy policies and procedures and the Privacy Rule. See 45 C.F.R. §164.530(e)(l).
According to the HHS press release:
“When a patient complains about a medical practice, doctors cannot respond by disclosing private patient information to the media,” said OCR Director Roger Severino. “Because egregious disclosures can lead to substantial penalties, covered entities need to pay close attention to HIPAA’s privacy rules, especially when responding to press inquiries.”
The press release can be viewed here. The Notice of Proposed Determination can be viewed here. The Resolution Agreement can be viewed here.
This HIPAA cartoon involves the notice of privacy practices (NPP) under HIPAA. HIPAA has a set of detailed requirements for the NPP. See 45 CFR 164.520 for the text of HIPAA’s requirement for NPPs.
The biggest challenge regarding privacy notices is that hardly anyone actually reads the notice, and notices are often a chore to read.
There is a Hobson’s choice when it comes to such notices, whether under HIPAA or otherwise. As I wrote in Privacy Self-Management and the Consent Dilemma, 126 Harvard Law Review 1880 (2013): “[M]aking [notices] simple and easy to understand conflicts with fully informing people about the consequences of giving up data, which are quite complex if explained in sufficient detail to be meaningful. People need a deeper understanding and background to make informed choices.” Sadly, there’s no easy way to win on this one.