Q. What is the intersection of the HIPAA right of access and the meaningful use "view, download, and transmit" objective?
A. Under the HIPAA Privacy Rule, patients have the right to access protected health information (PHI) in their medical record.
Under the meaningful use program, physicians can receive incentive payments under Medicare and Medicaid, and avoid payment reductions under Medicare by giving patients the ability to view online, download, and transmit their health information.
Although the meaningful use program and the HIPAA Privacy Rule are distinct, in some circumstances they can overlap. For example, a patient might exercise his or her right of access under the HIPAA Privacy Rule by requesting an electronic copy of PHI that the practice could provide through its certified electronic health record (EHR) technology, such as a patient portal. The physician could offer the patient this option for accessing the information. If the patient accepts and has access to it within the timeframe required under meaningful use, the physician can count the access toward meeting the meaningful use “view, download, and transmit” objective.
In some respects the meaningful use program contains more exacting standards than the baseline requirements of the HIPAA Privacy Rule (e.g., tighter response timeframes), while the HIPAA Privacy Rule contains more comprehensive requirements than meaningful use (e.g., the HIPAA access right applies broadly to electronic and paper records, while meaningful use applies to certain electronic records).
Below are some key distinctions between the HIPAA right of access and individual access through the meaningful use program.
What triggers access
- Meaningful use: The physician proactively makes available certain information for the patient to view, download, or transmit through electronic transmission only, such as through a personal health record or patient portal. For Stage 2 of meaningful use, physicians must provide this for more than 50 percent of patients. (In addition, at least one patient must view, download, or transmit the information to a third party.)
- HIPAA Privacy Rule: The physician is required by law to provide patients access to their medical records upon request; applies to paper and electronic records.
What records are accessible
- Meaningful use: Access is to a specific set of data (e.g., recent lab test results, current medication list and medication history, problem list) the physician maintains in certified EHR technology.
- HIPAA Privacy Rule: Access is to requested PHI the physician maintains in the electronic or paper record, or other medical information such as billing records and records used to make decisions about the patient.
Timelines
- Meaningful use: Access must be timely provided (e.g., in Stage 2, physicians must make information available to the patient within four business days).
- HIPAA Privacy Rule: Prompt access is encouraged, but physicians may take no longer than 30 days from receipt to act on a request for access (and may take another 30 days to respond if the individual is notified in writing of the reason for delay during the initial 30 days).
Administration
- Meaningful use: The Centers for Medicare & Medicaid Services administers the meaningful use program; the Office of the National Coordinator for Health IT administers the Health IT Certification Program.
- HIPAA Privacy Rule: The U.S. Department of Health and Human Services (HHS) Office for Civil Rights administers the HIPAA Privacy Rule.
For more information, see:
If you have questions about meaningful use requirements, contact TMA’s health information technology helpline at (800) 880-5750 or hit[at]texmed[dot]org. Also, check the TMA Education Center for continuing medical education course on related topics.
Published Feb. 17, 2016
TMA Practice E-Tips main page