Recent Developments in Health Information Privacy: HIPAA Right of Access


Catherine Short speaks with Sheba Vine, Attorney and Senior Manager in the Global Privacy Office at Exact Sciences Corporation, on the topic of “Recent Developments in Health Information Privacy: HIPAA Right of Access.” We will review recent developments including OCR Enforcement Highlights, HIPAA Right of Access & Ciox Health Decision, NPRM, and 21st Century Cures Act Information Blocking Regulation.






Catherine Short  00:00

Welcome, and let’s “1st Talk Compliance”. I’m Catherine Short, Partnership Marketing Manager at First Healthcare Compliance. Thanks for tuning in.

This show is brought to you by First Healthcare Compliance as part of our commitment to provide high quality complimentary educational resources.  We help create confidence among compliance professionals throughout the United States.  Please show your support by taking a moment to provide a review on Google, Facebook or iTunes.  You can also follow us on Instagram, Twitter and subscribe to our YouTube channel.


Catherine Short  00:40

On today’s episode, we are speaking with Sheba Vine, Attorney and Senior Manager in the Global Privacy Office at Exact Sciences Corporation, on the topic of “Recent Developments in Health Information Privacy.” We will review recent developments including OCR Enforcement Highlights, HIPAA Right of Access & Ciox Health Decision, NPRM, and 21st Century Cures Act Information Blocking Regulation.


Catherine Short  01:10

Before we begin, I would like to mention this episode’s First Healthcare Compliance Super Ninja Michele Miller, CMM, Practice Manager at Valentino Spine and Orthopedics. Michele says “Working in a medical office has challenges every day. The most important thing that I tell my staff (and remind myself daily) is to be honest and true to yourself and others. Also, to remember that we are in the service industry and it is our responsibility to make a difference. Sometimes it is just a smile that can brighten another’s day. Kindness and compassion go a long way.” Congratulations Michele!  Our team is honored to have the privilege of working with you.


Catherine Short  01:54

Hello, Sheba, thank you so much for joining me today on 1st Talk Compliance. We’re so happy to speak with you today.


Sheba Vine  02:03

Hi, Catherine, thank you so much for having me.


Catherine Short  02:06

It’s my pleasure. And I’m really, really excited to talk to you today about our topic. So there are a lot of settlements from OCR regarding a patient’s access to their medical records. What’s happening here and can you talk more about the right to medical information?


Sheba Vine  02:26

Yes, definitely. That is a really good question because the government is certainly focused on making sure covered entities get this area right. So the Office of Civil Rights, the office of the Department of Health and Human Services that enforces HIPAA, has received a large number of complaints alleging HIPAA violations, and one of the top complaints the OCR typically receives concerns covered entities’ failure to provide a patient with PHI when it is requested by either the patient or their personal representative. So in 2019, OCR announced its focus on enforcing the right of access, known as the Right of Access Initiative. I’m quoting the former OCR director Roger Severino here, who stated that for “too long healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. The OCR hopes the shift to the imposition of corrective actions and settlements under the right of access initiative will finally wake up healthcare providers to their obligations under the law.” So since 2019, we have seen 20 settlements, with the most recent one announced on September 11. And again, this number is likely to increase. Interestingly, all of these settlements were initiated by a patient complaint to OCR. So if you haven’t already, as a covered entity, make sure you are proactive in this area. Review your policies, your procedures and practices regarding disclosures under a patient access request as well as HIPAA authorizations. Now to answer the second part of your question, let’s dive into what exactly is required under the Right of Access. So the Right of Access comes from the HIPAA Privacy Rule. And it generally requires covered entities to provide individuals and their personal representatives, upon request, with access to Protected Health Information about them in one or more designated record sets.
And individuals have the right to inspect their PHI, the right to obtain a copy of their PHI, and they also have the right to direct a copy to a third party. This last right is known as a third party directive and was created by the HITECH Act in 2009. So since the Right of Access is based on the PHI included in a Designated Record Set, it is certainly important to understand how the rule defines this term. So a Designated Record Set is a group of records maintained by or for a Covered Entity that are used to make decisions about individuals. And this broadly refers to records that are used to make decisions about any individuals, whether or not they were used to make decisions about that particular individual that is requesting access. So some examples of this include medical records, billing and payment records, insurance information, clinical lab results, medical images, and clinical case notes. So based on this, the patient does have access to a broad array of PHI, but know that the Covered Entity is only required to provide access to the PHI that the individual requests.


Catherine Short  05:37

So that Severino statement was pretty strong about the dragging their feet. I know, years ago, probably about maybe seven or eight years ago, I went and tried to request some of my PHI from a provider. And boy, it took a really, really long time, if ever, if I got my file and information. And so my question next was, I know timelines are important here. How long? When a health provider gets a request, how long are they allowed to take before they hand over PHI?


Sheba Vine  06:11

Yeah, it certainly shouldn’t take that long. And they, you know, providers shouldn’t be dragging their feet. So the clock starts ticking as soon as a Covered Entity is in receipt of a Right of Access request. So the Privacy Rule requires a response within 30 days, and it does allow for one 30 day extension, provided, this would be used in a situation where, you know, requested records are archived or off site. And to take advantage of that extension, there are certain requirements, so the individual must receive written notice of the extension within that initial 30 day timeframe, along with the reasons for the delay as well as the date that the provider will give access to the PHI requested. So with that said, this does not allow a covered entity to allow a request to just sit there and answer it on the 29th day, thinking they’re in compliance. The Department of Health and Human Services has made it very clear in guidance that the 30 day time frame is an outer limit, with the expectation that the covered entity is to respond sooner. In fact, HHS states in guidance issued on its website that Covered Entities may have the capacity to provide individuals with almost instantaneous or very prompt electronic access to ePHI, electronic protected health information, with the use of health information technology, and the use of web portals or other similar electronic means. And aside from complying with HIPAA, it’s also important to pay attention to state laws that may set shorter timeframes for patients to inspect their medical records and receive a copy. In addition to the timeliness requirement, I want to mention that health care providers should also pay special attention to their internal processes for handling these requests. And that’s to ensure that they’re not imposing any unreasonable measures that would be seen as barriers to or unreasonably delay the individual from exercising this very important right.
And some examples of barriers include requiring the patient to physically come in and make a request in person, or requiring the use of a web portal in order to request access without presenting any other options, because not all individuals have ready access to the internet. So to avoid this, covered entities should definitely offer individuals multiple options for requesting access.


Catherine Short  08:35

Okay, great. And how about fees that can be charged for receiving a copy for your medical records. What is allowed and what isn’t and what’s reasonable?


Sheba Vine  08:47

Yeah, and this is an area that has been litigated and there have been some changes we can talk about. So the Privacy Rule does permit providers to charge a reasonable cost-based fee. And this is known as the patient rate. And HHS’s preference here is that it be free of charge. But if you are charging a fee as a covered entity, you can only cover certain labor, supply and postage costs that are detailed. And there are three different methods that can be used to calculate the cost: you can either present the actual cost, the average cost can also be used, or a flat fee that can exceed $6.50. Now, if fees will be imposed, the patient must be informed in advance of that approximate fee. And actually, the failure to provide advance notice is likely seen as a barrier as well. Now in 2016, the Department of Health and Human Services published guidance that expanded that patient rate for an individual’s request for PHI and applied it when sending records to a third party under the third party directive. So, a law firm that requests records for a case involving the patient, or an insurance company where the patient was involved in an accident, those types of requests from third parties and others. And this meant that the reasonable cost-based fee applied and state medical record copying fees could not be charged. Ciox Health, an information management company, alleged that these changes cost them over 10 million per year, because they were restricted in the cost that they could charge these third parties. So they filed a lawsuit to challenge OCR and the Court sided with Ciox in a decision issued in January of last year. And what happened is that the 2016 guidance was vacated as unlawful, because it did not go through the required notice and comment rulemaking process before applying that patient rate to third party directives.
So as a result, the patient rate only applies to the individual that requests access for themselves, and state rates can be applied when individuals direct a third party to receive their records. The information blocking rules recently came into effect.


Catherine Short  11:00

Can you briefly go over what Information Blocking is again for our listeners? And then how does this impact HIPAA, if at all?


Sheba Vine  11:12

Yeah, so the Information Blocking Rules certainly add another dimension to the HIPAA Right of Access. So as background, the Information Blocking Rule is part of the 21st Century Cures Act that was enacted in 2016. And one part of this Act is to promote health information interoperability, and give patients greater access to their health information. It’s designed to assist in the free flow of patient information across the healthcare ecosystem, which is fragmented right now. So the Act introduced the definition of Information Blocking, which is defined very broadly as a practice that is likely to interfere with access, exchange, or use of electronic health information, if conducted by an actor. Now unlike the HIPAA Right of Access, this includes requests from both patients and providers for access to PHI. So again, a very broad definition that can capture a lot of different activities as Information Blocking. So the Cures Act authorized HHS to identify reasonable and necessary activities that do not constitute Information Blocking in the form of exceptions. In May of 2020, the Office of the National Coordinator for Health Information Technology, the ONC, an office of HHS, released the Final Rule with an effective date of November 2, 2020. And then we had, you know, we were in the midst of COVID-19. And so because of the pandemic an Interim Final Rule was released in October, which served to push back that effective date to April 5 of this year. So the Rule has a broad audience. It applies to three categories of actors: healthcare providers, health IT developers, and health information exchanges and networks. Now, the definition of Information Blocking deals with the access, exchange, or use of electronic health information or ePHI, and for the first 18 months, ePHI refers to the information contained in the data classes that are set forth in the USCDI standard.
And this standard is a set of health data classes and data elements for Interoperable Health Information Exchange. So if a patient or provider request is not included as a data element on this standard, then the Rule will not apply to the request; however, know that that is short lived, because starting on October 6 of next year, the definition of ePHI will track electronic protected health information within a designated record set as defined by HIPAA. So the ONC did introduce eight different exceptions to the Information Blocking definition. And these exceptions cover activities that are reasonable and necessary. The exceptions are grouped into two categories. So there are five exceptions that involve not fulfilling the request. And there are three exceptions that require fulfilling the request but involve different procedures in doing so. So if a provider receives a request for medical records from a patient or other provider, and the disclosure is not prohibited by law, or by one of those eight exceptions, then look to providing the requested access, and this needs to be done on a case by case basis. Not meeting an exception is not by default considered Information Blocking, and it needs to take into account the facts of the situation at hand. Now getting back to your question about the impact on HIPAA. When it comes to requests from other health care providers, the Information Blocking Rule will require certain disclosures in situations where the HIPAA Privacy Rule will only permit the disclosure. So for instance, the HIPAA Privacy Rule permits covered entities to exchange ePHI for treatment purposes. Under the Information Blocking Rule, unless an exception applies or the activity or practice is required by law, a primary care provider would be required to exchange ePHI with a specialist who requested it to treat an individual who is also a common patient of the provider and specialist.
Now, depending on your practices, this may be a slight distinction but still an important one. Protections and controls under HIPAA are not diminished by the Information Blocking Rule, meaning that the rule does not require access, exchange or use of ePHI in a manner that is not permitted under the Privacy Rule. So here, for instance, if a Covered Entity is required to obtain an individual’s HIPAA authorization before providing access, then the individual’s refusal to provide an authorization would justify the Covered Entity’s refusal to provide access under the Information Blocking Rule under the Privacy Exception. As another example, the HIPAA Privacy Rule permits a Covered Entity to share information with another Covered Entity for a quality improvement project if it has verified that the requesting entity has a relationship with the patient whose information is being requested. So where the Covered Entity cannot establish that that relationship existed, it would not be Information Blocking for the Covered Entity to then refuse access. So switching to patient requests for PHI. If a provider meets the required timeframe under the HIPAA Privacy Rule, this does not also equate to compliance with the Information Blocking Rule. And ONC has issued guidance stating that if the provider is able to promptly fulfill requests, but chooses instead to engage in a practice that delays fulfilling those requests, that practice could constitute an interference under the Information Blocking Regulation. So waiting until the 29th day to provide a patient access to their PHI to comply with a 30 day time frame is not going to look good under either HIPAA or the Information Blocking Rule.


Catherine Short  16:55

If you’re just tuning in, you’re listening to 1st Talk Compliance brought to you by First Healthcare Compliance as part of our commitment to provide high quality complimentary educational resources.  We help create confidence among compliance professionals throughout the United States. My guest today is Sheba Vine Attorney and Senior Manager in the Global Privacy Office at Exact Sciences Corporation, on the topic of “Recent Developments in Health Information Privacy.” We will review recent developments including OCR Enforcement Highlights, HIPAA Right of Access & Ciox Health Decision, NPRM, and 21st Century Cures Act Information Blocking Regulation. Please show your support by taking a few minutes to provide a review of First Healthcare Compliance on Google or Facebook. You can also follow us and subscribe on all forms of social media.


Catherine Short  17:54

So Sheba, since there are no penalties set out for health care providers under Information Blocking can compliance with these regulations wait?


Sheba Vine  18:05

That’s a good question. So yes, enforcement is not clear for healthcare providers right now. The penalties for actors other than health care providers, which are your health IT developers, health information networks and exchanges, for violations of the Information Blocking Rule can be up to 1 million per violation. As for health care providers, enforcement is still forthcoming. But the ONC has noted that appropriate disincentives will be established by HHS. Now taking the approach to wait is going to, I think, take on a considerable amount of risk here, because the Information Blocking Rule did go into effect April 5. So this is when compliance starts. Know that individuals can file a complaint for Information Blocking practices that they feel are in violation of the Rule. So if you get on OIG’s radar, the agency that enforces Information Blocking, and you get their attention, it’s not going to look good if your argument is based on waiting for enforcement guidelines. So again, I would say that that is an approach that takes on a considerable amount of risk.


Catherine Short  19:18

Then is a request from a patient for medical records the same as the patient authorization that directs records to another party? Are those the same thing or are they different?


Sheba Vine  19:31

Yeah, certainly. So they are very different, a big distinction. For a Patient Right of Access Request, those require disclosure of PHI under the Privacy Rule. So that means if you get a request from a patient or their personal representative, the Covered Entity has to respond; unless there are grounds for denial, they have to provide access to the PHI. On the other hand, a HIPAA authorization is a permitted disclosure, and so it gives the Covered Entity permission to disclose PHI to the listed recipient on that authorization that is signed by the patient, again, not required. And so that is the distinction: permitted use versus required use. The HIPAA authorization also requires very specific language that goes into the authorization, but it’s not applied to patient requests. And the Department of Health and Human Services does have really good guidance on this. There’s a, I think, a document titled Right of Access, I think that is really worthwhile in reviewing because it has a lot of good information.


Catherine Short  20:35

Okay, thank you so much. Well, Sheba, I think we’re just about out of time. But do you have any other words of advice for us or anything else that you’d like to share about this topic?


Sheba Vine  20:48

I would just say that, you know, the Right of Access Initiative and the Information Blocking Rules, demonstrate that, you know, Covered Entities definitely need to pay attention, close attention to their, you know, policies, procedures, and practices, as well as maybe modifying their employee training to make sure they align with what is required under the law.


Catherine Short  21:11

That is great advice. I want to thank you so much for joining me today, and very, very much appreciate it. So thank you so much.


Sheba Vine  21:19

Thank you, Catherine. It’s been a pleasure. The pleasure has been mine.


Catherine Short  21:24

So thank you so much for joining me today on 1st Talk Compliance.


Catherine Short  21:28

On today’s episode, we spoke with Sheba Vine Attorney and Senior Manager in the Global Privacy Office at Exact Sciences Corporation, on the topic of “Recent Developments in Health Information Privacy.” We reviewed recent developments including OCR Enforcement Highlights, HIPAA Right of Access & Ciox Health Decision, NPRM, and 21st Century Cures Act Information Blocking Regulation.


Catherine Short  22:03

Thank you, Sheba! And thanks to our audience for tuning in to 1st Talk Compliance. You can learn more about the show on the programs page on

And lend your voice to the conversation on Twitter at @1sthcc or hashtag #1sttalkcompliance. You can also email me at  I’m Catherine Short of First Healthcare Compliance. Remember, compliance is key to achieving peace of mind.

