What You May Not Know About HIPAA’s Right of Access
October 18, 2022
Many state and local public health departments are covered entities under the Health Insurance Portability and Accountability Act (HIPAA) and must provide individuals with access to their protected health information. The right of access is set out in the Privacy Rule and enshrines the right of individuals to inspect and obtain a copy of their protected health information.
On September 20, 2022, the Office of Civil Rights (OCR)—the federal agency charged with enforcing HIPAA—announced three additional settlements against covered entities for potential violations of the right of access. These latest settlements bring the total number of enforcement actions in OCR’s Right of Access Initiative to forty-one and are intended to “drive compliance on right of access under the law.” However, covered entities that are unfamiliar with a key provision of the Health Information Technology for Economic and Clinical Health (HITECH) Act, and its implications for the use of written authorizations to release protected health information to a third party, may be in jeopardy of violating the right of access.
The HIPAA Privacy Rule permits covered entities to disclose protected health information to a third party if it has a signed written authorization from the individual to do so. As a result, covered entities often seek authorizations from the individual as a matter of routine. However, in 2009, HITECH created something called the “third party directive.” This added a certain nuance to authorized releases of protected health information, dispensing with the need, in some instances, for a valid written authorization at all.
Referring specifically to 45 C.F.R. § 164.524—the section of the Privacy Rule that lays out the right of access—HITECH states:
in the case that a covered entity uses or maintains an electronic health record with respect to protected health information of an individual […] the individual shall have a right to obtain from such covered entity a copy of such information in an electronic format and, if the individual chooses, to direct the covered entity to transmit such copy directly to an entity or person designated by the individual, provided that any such choice is clear, conspicuous, and specific. (Emphasis added). 42 U.S.C.A. § 17935(e)(1)
Thus, section 17935(e)(1), on its face, focuses squarely on protected health information maintained in an electronic health record (EHR) and indicates that, as long as an individual’s request to transmit such electronic protected health information in an EHR is “clear, conspicuous and specific,” it need not be accompanied by an authorization.
The third-party directive, according to the Department of Health and Human Services (HHS), “strengthens the Privacy Rule’s right to access with respect to covered entities that use or maintain an [EHR] on an individual” (78 Fed. Reg. 5566, 5631 (Jan. 25, 2013)). It unburdens the individual seeking access to their protected health information in an EHR from the need to present a valid authorization, which must contain certain core elements and requirements, and not include any of five enumerated potential defects. Instead, the Privacy Rule, at 45 C.F.R. § 164.524(c)(3)(ii), states that the request for access directing the covered entity to transmit protected health information to a designated third party must be “in writing, signed by the individual, and clearly identify the designated person and where to send the copy of protected health information.” A health department that is a covered entity may still disclose protected health information pursuant to a valid authorization, as set out at 45 C.F.R. § 164.502(a)(1)(iv).
The Ciox v. Azar Decision
It would be remiss of a blog post discussing the third party directive to not make at least a passing reference to the Ciox Health, LLC v. Azar decision from the U.S. District Court for the District of Columbia in 2020. Seven years before the decision, HHS published the 2013 Omnibus Rule, which, amongst other things, took the unusual step of expanding the third-party directive beyond protected health information maintained in an electronic health record to protected health information maintained in any format. The Ciox court held that HHS’s expansion of the third-party directive went beyond the limited reach of the third-party directive that Congress outlined in HITECH and was therefore unlawful. OCR has acknowledged the Ciox decision and has indicated that its guidance around the right to access “remains in effect only to the extent that it is consistent with” that decision. As a result, the “third-party directive” is once again limited to protected health information maintained in an EHR.
Public health departments that are covered entities should be aware that individuals have a right, created by HITECH, to direct the covered entity to transmit their protected health information maintained in an EHR to a third party. This “third party directive” does not require a valid authorization, and covered entities that insist an individual present a valid authorization in such instances may present an unnecessary barrier to the exercise of the right to access. Consistent with 45 C.F.R. § 164.502(a)(1)(iv), a covered entity may disclose protected health information maintained in a format other than an EHR with a valid authorization.
This post was written by Stephen Murphy, J.D., Senior Attorney, Network for Public Health Law—Mid-States Region Office.
The Network for Public Health Law provides information and technical assistance on issues related to public health. The legal information and assistance provided in this document do not constitute legal advice or legal representation. For legal advice, readers should consult a lawyer in their state.
Support for the Network is provided by the Robert Wood Johnson Foundation (RWJF). The views expressed in this post do not represent the views of (and should not be attributed to) RWJF.