My Most Interesting Passages from the Office of Civil Rights new HIPAA Privacy Rule Guidance

I was at the unveiling of The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information and have since taken the time to read the documents posted on the HHS Website. This is not a point by point review of the documents, just the passages that were of interest to me as someone interested in patient empowerment.

I realize that there is ongoing discussion about this work, which I will link to here. I am still struck by Leavitt’s statement, which I tweeted here, and which to me signaled the overall intent to provide an environment where privacy is respected and patients have access to information that helps them be healthy.

So here goes.

1. The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information

The goal of this effort is to establish a policy framework for electronic health information exchange that can help guide the Nation’s adoption of health information technologies and help improve the availability of health information and health care quality.

(again, thinking about Leavitt’s statement above)

INDIVIDUAL ACCESS – Individuals should be provided with a simple and timely means to access and obtain their individually identifiable health information in a readable form and format.

(more on this in another document)

2. Privacy and Security Framework: Introduction

This guidance is limited to addressing common questions relating to electronic health information exchange in a networked environment, and, thus, is not intended to address electronic exchanges of health information occurring within an organization.

(some patients get care from federated medical groups as part of integrated care systems that securely share information between providers when there is a need to provide care)

3. Safeguards Principle and FAQs

Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?

(this whole section is interesting, but just clipping the following part)

Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.

4. The HIPAA Privacy Rule’s Right of Access and Health Information Technology

IMPLEMENTATION OF DENIAL – The Privacy Rule further requires that denials of access be timely, written, provided to individuals in plain language, with a description of the basis for denial, and if applicable, contain statements of the individual’s rights to have the decision reviewed and how to request such a review. In addition, the notice of denial must inform the individual of how complaints may be filed with the covered entity or the Secretary of HHS. If access to some of the PHI is denied, the covered entity must, to the extent possible, give the individual access to any other PHI requested, after excluding the PHI to which the covered entity has a ground to deny access. See 45 C.F.R. § 164.524(d)(1).

However, where the covered entity provides individuals with electronic access to some or all of their health information, through a PHR or similar means, and the access is available to the individual at any time and without a request, it becomes more difficult to determine whether a denial of access has occurred and when notice to the individual is required. For example, the requirements in the Privacy Rule are flexible enough to permit a covered entity to notify the individual in advance of the types of PHI to which it intends to deny access and for which the Privacy Rule does not provide a right of review. See 45 C.F.R. § 164.524(a)(2).

(These appear to me to frame personal health records that show only parts of a person’s medical record as implementing a form of denial of access, which an organization should explain proactively, as opposed to “provision of limited access”, which I think is what many organizations do today without proactively explaining why some things are shown and some are not)

There is a lot more in the documents that are relevant to someone like me and many people reading this post. I just wanted to highlight the ones that I noticed, again, with the intent I felt I heard in that conference room in Washington, DC. See what you think.

Ted Eytan, MD