HIPAA Technology and Clinical Research Guidance Library
Health Information Technology | Access Right, and HIT Generally
1. In an electronic health information exchange environment, what is a designated record set for purposes of an individual’s right of access under the HIPAA Privacy Rule?
To the extent covered entities maintain their own electronic records systems, their choice to link those systems to a network for electronic health information exchange purposes would not necessarily change the status of information maintained within their designated record sets. That is, information that meets the definition of a designated record set remains part of the designated record set even if that information is linked to a network. See 45 C.F.R. § 164.501 (definition of “designated record set”). Covered entities should be aware, however, that whatever information they import into their electronic records via a network may become an integrated part of their designated record set(s). Network participation alone, however, would not make all other information about the individual that is accessible through the network part of a covered entity’s designated record set. Thus, the ability to link to information through a network does not obligate a covered entity to provide access to the designated record set of another entity participating in the network.
2. How would a covered entity or health information organization (HIO), acting on its behalf, know if someone were a personal representative for the purpose of granting access under the HIPAA Privacy Rule?
The Privacy Rule’s verification standard requires that covered entities develop and implement reasonable policies and procedures to verify the identity and authority of such persons, if otherwise unknown to them, before granting them access to protected health information (PHI). See 45 C.F.R. § 164.514(h). Once verified, the personal representative can then be given the appropriate credentials for authentication and access through an electronic system. The Privacy Rule allows covered entities to rely on their professional judgment, as well as industry standards, in designing reasonable verification and authentication processes.
The Privacy Rule permits a covered entity to assign this function to a HIO, acting as its business associate, so long as the relevant standards are complied with. For example, a covered entity could use the HIO to assign the appropriate credentials and authenticate personal representatives, and any others, seeking access to PHI.
3. How may judgments be made electronically about denial of access under the HIPAA Privacy Rule?
The Privacy Rule differentiates between two types of denial, reviewable and unreviewable. See 45 C.F.R. § 164.524(a)(2), (3). As to the unreviewable grounds for denial, there are essentially two decisions a covered entity will need to make with respect to electronic access: 1) whether it may deny access based on one or more of the grounds identified by the Privacy Rule; and 2) how to implement such decisions categorically in the electronic environment.
A covered entity may decide, for example, to categorically deny access to certain types of information to which no access right exists, such as psychotherapy notes. The Privacy Rule would permit denial without review, and a case-by-case judgment would not be necessary. Similarly, the covered entity may make such a system-wide decision with respect to other types of protected health information where the Privacy Rule permits an unreviewable denial of access.
In contrast, reviewable grounds for denial of access require decisions be made on a case-by-case basis through the professional judgment of licensed health care providers. Professional judgment also would be required if individuals exercise their right to appeal a denial of access made on reviewable grounds. As computer logic cannot be a substitute for professional judgment in these cases, these types of activities cannot be carried out categorically or in an automated way. Neither could these decisions be delegated to a health information organization (HIO), unless a licensed health care professional at the HIO were assigned the task of making the access determinations.
The information presented in our library is for informational purposes only, they are not for implementation in operations. Please consult official HIPAA guidance documents for operational use.
This information was sourced from HIPAA FAQs for Professionals.