HIPAA + HITECH
Patients
As a patient, you have a Right under HIPAA (45 CFR § 164.524) to have access to your Health Information!
HIPAA gives patients the right to request and receive copies of their medical records. You can use a Personal Health Record system, like Sync.MD, to request electronic copies of your medical records and your healthcare provider is legally obligated to provide them to you in the requested format within 30 days.
According to a summary provided by the U.S. Department of Health and Human Services (HHS) website:
Individuals have the right under the Privacy Rule to obtain a copy of their Protected Health Information (PHI) in a designated record set, such as a medical or billing record, maintained by the covered entity (your provider). A Covered Entity generally must provide the individual with access to the information to which the individual is entitled within 30 days of the request. Additionally, the Covered Entity must provide the individual with access to the PHI in the form or format requested by the individual, if it is readily producible in such form or format. Thus, Covered Entities are required to provide the individual with a copy of the PHI in the electronic form requested by the individual if the form is readily producible by the Covered Entity. The Privacy Rule also permits a Covered Entity to disclose PHI about an individual to the individual (See 45 CFR § 164.502(a)(1)(i)). The individual may grant the Covered Entity authority to upload information about the individual directly into the individual’s PHR.
Personal Health Records and the HIPAA Privacy Rule; https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/healthit/phrs.pdf
This means that your healthcare providers must comply when you send a request from your Sync.MD app by uploading the requested documentation directly to your personal Sync.MD account.
Sync.MD is a secure, convenient, compliant tool for you to manage your health information right from your mobile device!
What if a covered entity (provider) does not fulfill my Sync.MD request for records?
You should try contacting their medical records department stating that you would like your medical records, or PHI, uploaded directly to your Sync.MD account, in accordance with your Right of Access under HIPAA. If your healthcare provider refuses to comply with your request, they could face financial and legal penalties from HHS.
If they still do not comply, contact Sync.MD and we can advocate on your behalf to educate your healthcare provider and ensure your patient rights are protected!
Providers, Healthcare Facilities, and Covered Entities
How does HIPAA apply to a mobile records app like Sync.MD?
Sync.MD is a secure, compliant Personal Health Record (PHR) platform used by individuals to electronically request, store, and share access to their health information directly from their phones. HHS affirms that a PHR is “a mechanism for individuals to engage in their own health care by being able to access and control their health information potentially at any time and from any computer (or device) at any location.” Patients using Sync.MD have created a personal Sync.MD account, typically from a smartphone or other mobile device, to aggregate and manage their PHI. Sync.MD is not a third-party collections organization requesting records independently or on behalf of a patient – all requests are coming from the patient’s personal Sync.MD account.
Personal Health Records and the HIPAA Privacy Rule: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/healthit/phrs.pdf
Patients using Sync.MD as their PHR are exercising their individual Right of Access, which is a mandatory form of disclosure on the part of the Covered Entity. Refusal to acknowledge the validity of a patient’s Right of Access would violate HIPAA and the 21st Century Cures Act rules against ‘information blocking’, i.e., unreasonably interfering with patient access. (See 45 CFR 164.524(a) and Section 3022(a)(1) of the PHSA.) Therefore, it is important to acknowledge and respond to a patient’s Right of Access request coming from their Sync.MD account by fulfilling the request.
What is the difference between a Patient’s Right of Access request and a HIPAA-valid authorization?
There are very distinct differences between a Patient’s Right of Access request and a HIPAA authorization. According to guidance provided by HHS to help explain 45 CFR § 164.524, “the primary difference being that one is a required disclosure (Right of Access) and one is a permitted disclosure (HIPAA authorization)”.
Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html
The following table was created by HHS to educate individuals and Covered Entities about the important differences between the two methods.
| HIPAA Authorization | Right of Access |
|---|---|
| Permits, but does not require, a covered entity to disclose PHI | Requires a covered entity to disclose PHI, except where an exception applies |
| Requires a number of elements and statements, which include a description of who is authorized to make the disclosure and receive the PHI, a specific and meaningful description of the PHI, a description of the purpose of the disclosure, an expiration date or event, signature of the individual authorizing the use or disclosure of her own PHI and the date, information concerning the individual’s right to revoke the authorization, and information about the ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization | Must be in writing, signed by the individual, and clearly identify the designated person and where to send the PHI |
| No timeliness requirement for disclosing the PHI | Covered entity must act on request no later than 30 days after the request is received |
| Reasonable safeguards apply (e.g., PHI must be sent securely) | Reasonable safeguards apply, including a requirement to send securely; however, individual can request transmission by unsecure medium |
| No limitations on fees that may be charged to the person requesting the PHI; however, if the disclosure constitutes a sale of PHI, the authorization must disclose the fact of remuneration | Fees limited as provided in 45 CFR 164.524(c)(4) |
Does a Sync.MD request qualify for the HITECH rate of $6.50?
Sync.MD qualifies as a Personal Health Record (PHR) platform used by individuals to electronically request, store, and share access to their health information directly from their registered mobile device. HHS defines a PHR as “an electronic record of an individual’s health information by which the individual controls access to the information and may have the ability to manage, track, and participate in his or her own health care”. Any released documentation will always be delivered directly to the patient’s personal Sync.MD account, which conforms with HIPAA and HITECH.
If you or your organization has decided not to use the HITECH Flat Rate of $6.50, you will need to document the alternative HIPAA-approved cost-basis for your fees and avoid any prohibited calculations or methods!
If you’re not using HITECH’s flat rate of $6.50, you must show that your fees satisfy the Privacy Rule’s ‘reasonable cost-based’ methods using your actual or average costs. But as HHS explains, those costs only apply so long as the labor included is only for copying and the labor rates used are reasonable for such activity. You may not include the costs associated with verification; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; or other costs not listed even if such costs are authorized by State law, such as per-page fees. As HHS Guidance For Professionals explains further:
The HIPAA Privacy Rule at 45 CFR 164.524(c) permits a covered entity to charge a reasonable, cost-based fee that covers only certain limited labor, supply, and postage costs that may apply in providing an individual with a copy of PHI in the form and format requested or agreed to by the individual. Thus, labor (e.g., for search and retrieval) or other costs not permitted by the Privacy Rule may not be charged to individuals even if authorized by State law.
Personal Health Records and the HIPAA Privacy Rule: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/healthit/phrs.pdf
…This standard rate can be calculated and charged as a per page fee only in cases where the PHI requested is maintained in paper form and the individual requests a paper copy of the PHI or asks that the paper PHI be scanned into an electronic format. Per page fees are not permitted for paper or electronic copies of PHI maintained electronically.
HIPAA Administrative Simplification Regulation Text: https://www.hhs.gov/sites/default/files/hipaa-simplification-201303.pdf
Finally - be careful to avoid flawed rejections of legitimate Right of Access requests by your patients.
HIPAA only allows a covered entity to reject a patient’s Right of Access according to one of the following statutorily approved reasons. A preference not to comply with electronic formats requested by patients, such as a PHR, or a requirement that patients sign an Authorization instead of using their Right of Access, are not approved grounds for denial according to HIPAA.
Reviewable grounds for denial (45 CFR 164.524(a)(3)). A licensed health care professional has determined in the exercise of professional judgment that:
- The access requested is reasonably likely to endanger the life or physical safety of the individual or another person.
- The access requested is reasonably likely to cause substantial harm to a person (other than a health care provider) referenced in the PHI.
- The provision of access to a personal representative of the individual that requests such access is reasonably likely to cause substantial harm to the individual or another person.
Unreviewable grounds for denial (45 CFR 164.524(a)(2)):
- The request is for psychotherapy notes, or information compiled in reasonable anticipation of, or for use in, a legal proceeding.
- An inmate requests a copy of their PHI held by a covered entity that is a correctional institution, and it would jeopardize the health, safety, security, custody, or rehabilitation.
- The requested PHI is in a designated record set that is part of a research study that includes treatment (e.g., clinical trial) and is still in progress, provided the individual agreed to the temporary suspension of access.
- The requested PHI is in Privacy Act protected records (i.e., certain records under the control of a federal agency, which may be maintained by a federal agency or a contractor to a federal agency), if the denial of access is consistent with the requirements of the Act.
- The requested PHI was obtained by someone other than a health care provider (e.g., a family member of the individual) under a promise of confidentiality, and providing access to the information would be reasonably likely to reveal the source of the information.