2. Rights and procedures for access for inspection and copying. (§ 164.514)

a. Right of access for inspection or copying. (§ 164.514(a))

[Please label comments about this section with the subject: “Access for inspection or copying”]

In § 164.514, we are proposing that, with very limited exceptions, individuals have a right to inspect and copy protected health information about them maintained by a covered health plan or health care provider in a designated record set. Individuals would also have a right of access to protected health information in a designated record set that is maintained by a business partner of a covered plan or provider when such information is not a duplicate of the information held by the plan or provider, including when the business partner is the only holder of the information or when the business partner has materially altered the protected health information that has been provided to it.

This right of access means that an individual would be able to either inspect or obtain copies of his or her health information maintained in a designated record set by covered plans and providers and, in limited circumstances, by their business partners. Inspection and copying is a fundamental aspect of protecting privacy; this right empowers individuals by helping them to understand the nature of the health information about them that is held by their providers and plans and to correct errors. In order to facilitate an open and cooperative relationship with providers and allow the individual a fair opportunity to know what information is held by an entity, inspection and copying should be permitted in almost every case.

While the right to have access to one’s information may appear somewhat different from the right to keep information private, these two policy goals have always been closely tied. For example, individuals are given an almost absolute right of access to information in federal health record systems under the Privacy Act of 1974 (5 U.S.C. 552a(d)). The Privacy Protection Study Commission recommended that this right be available. (Personal Privacy in an Information Society 299 (1977)). The right of access was a key component of the President’s Advisory Commission on Consumer Protection and Quality in the Health Care Industry recommendations in the Consumer Bill of Rights and Responsibilities. The Commission’s report stated that consumers should “have the right to review and copy their own medical records and request amendments to their records.” (Consumer Bill of Rights and Responsibilities, Chapter Six: Confidentiality of Health Information, November 1997). Most recently, the Health Privacy Project issued a statement of “Best Principles for Health Privacy” that included the same recommendation. Health Privacy Project, Institute for Health Policy Solutions, Georgetown University (June 1999) (http://www.healthprivacy.org).

Open access to health information can benefit both the individuals and the covered entities. It allows individuals to better understand their own diagnosis and treatment, and to become more active participants in their health care. It can increase communication, thereby enhancing individuals’ trust in their health care providers and increasing compliance with the providers’ instructions. If individuals have access to and understand their health information, changing providers may not disrupt health care or create risks based on lack of information (e.g., drug allergies or unnecessary duplication of tests).

i. Information available for inspection and copying.

In § 164.514(a), we are proposing to give the individual a right of access to information that is maintained in a designated record set. We intend to provide a means for individuals to have access to any protected health information that is used to affect their rights and interests. This would include, for example, information that would be used to make health care decisions or information that would be used in determining whether an insurance claim would be paid. Covered plans or providers often incorporate the same protected health information that is used to make these types of decisions into a variety of different data systems. Not all of those data systems will be utilized to make determinations about specific individuals. For example, information systems that are used for quality control analyses are not usually used to make determinations about a specific patient. We would not require access to these other systems.

In order to ensure that individuals have access to the protected health information that is used, we are introducing the concept of a “designated record set.” In using the term “designated record set,” we are drawing on the concept of a “system of records” that is used in the Privacy Act. Under the Privacy Act, federal agencies must provide an individual with access to "information pertaining to him which is contained in [a system of records]." 5 U.S.C. 552a(d)(1). A “system of records” is defined as "a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual." 5 U.S.C. 552a(a)(5). Under this rule, a “designated record set” would be "a group of any records under the control of any covered entity from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual." See discussion in section II.B.

Files used to back up a primary data system or the sequential files created to transmit a batch of claims to a clearinghouse are clear examples of data files which do not fall under this definition. We rejected requiring individual access to all records in which she or he was identifiable because of the extreme burden it would place on covered plans or providers without providing additional information or protection for the individual. We also rejected using the subset of such records which were accessed directly by individual identifiers because of the redundancy of information involved and the increasing use of database management systems to replace legacy systems that do sequential processing. These would be accessed by individual identifier but would contain redundant data and be used for routine processing that did not directly affect the individual. We concluded that access to only such record sets that were actually accessed by individual identifier and that were used to make substantive decisions that affect individuals would provide the desired information with a minimum of burden for the covered plans or providers.

We note that the standard would apply to records that are “retrieved” by an identifier and not records that are only “retrievable” by an identifier. In many cases, technology will permit sorting and retrieving by a variety of fields and therefore the “retrievable” standard would be relatively meaningless. We intend to limit access to those sets of records actually used to affect the interests of the individual.

We believe that by providing access to protected health information maintained in a designated record set, we would be ensuring that individuals will be able to inspect or copy relevant and appropriate information without placing too significant of a burden on covered plans or providers. We are soliciting comment on whether limiting access to information maintained in a designated record set is an appropriate standard when applied to covered plans and providers and their business partners.

ii. Right of access to information maintained by business partners.

In § 164.506(e), we are proposing that covered plans and providers include specific terms in their contract with each business partner. One of the required terms would be that the business partner must provide for inspection and copying of protected health information as provided in this section. Because our authority is limited by HIPAA to the covered entities, we must rely upon covered plans and providers to ensure that all of the necessary protected health information provided by the individual to the plan or provider is available for inspection and copying. We would require covered plans and providers to provide access to information held in the custody of a business partner when it is different from information maintained by the covered plan or provider. We identified two instances where this seemed appropriate: when the protected health information is only in the custody of a business partner and not in the custody of the covered plan or provider; and when protected health information has been materially altered by a business partner. We are soliciting comment on whether there are other instances where access should be provided to protected health information in the custody of a business partner.

Other than in their capacity as business partners, we are not proposing to require clearinghouses to provide access for inspection and copying. As explained above in section II.C.5, clearinghouses would usually be business partners under this proposed rule and therefore they would be bound by the contract with the covered plan or provider. See proposed § 164.506(e). We carefully considered whether to require clearinghouses to provide access for inspection and copying above and beyond their obligations as a business partner, but determined that the typical clearinghouse activities of translating record formats and batching transmissions do not involve setting up designated record sets on individuals. Although the data maintained by the clearinghouse is protected health information, it is normally not accessed by individual identifier and an individual’s records could not be found except at great expense. In addition, although clearinghouses process protected health information and discover errors, they do not create the data and make no changes in the original data. They, instead, refer the errors back to the source for correction. Thus, individual access to clearinghouse records provides no new information to the individual but could impose a significant burden on the industry.

As technology improves it is likely that clearinghouses will find ways to take advantage of databases of protected health information that aggregate records on the basis of the individual subject of the information. This technology would allow more cost-effective access to clearinghouse records on individuals and therefore access for inspection and copying could be appropriate and reasonable.

iii. Duration of the right of access.

We are proposing that covered plans and providers be required to provide access for as long as the entity maintains the protected health information. We considered requiring covered plans and providers to provide access for a specific period or defining a specific retention period. We rejected that approach because many laws and professional standards already designate specific retention periods and we did not want to create unnecessary confusion. In addition, we concluded that individuals should be permitted to have access for as long as the information is maintained by the covered plan or provider. We are soliciting comments on whether we should include a specific duration requirement in this proposed rule.

b. Grounds for denial of access for inspection and copying.

Proposed § 164.514 would permit denial of inspection and copying under very limited circumstances. The categories of denials would not be mandatory; the entity could always elect to provide all of the requested health information to the individual. For each request by an individual, the entity could provide all of the information requested or it could evaluate the requested information, consider the circumstances surrounding the individual’s request, and make a determination as to whether that request should be granted or denied. We intend to create narrow exceptions to the stated rule of open access and we would expect covered plans and providers to employ these exceptions rarely, if at all.

In proposing these categories of permissible denials, we are not intending to create a legal duty for the entity to review all of the health information before releasing it. Rather, we are proposing them as a means of preserving the flexibility and judgment of covered plans or providers under appropriate circumstances.

Entities subject to the Privacy Act would not be able to deny a request for inspection and copying under all of the circumstances permitted by this proposed rule. They would continue to be governed by the denials permitted by the Privacy Act and applicable regulations. See section II.I.4.a for further discussion.

i. Disclosures reasonably likely to endanger life or physical safety.

In § 164.514(b)(1)(i), we propose that covered plans and providers be permitted to deny a request for inspection or copying if a licensed health care professional has determined that, in the exercise of reasonable professional judgment, the inspection and copying requested is reasonably likely to endanger the life or physical safety of the individual or another person. Denial based on this provision, as with all of the provisions in this section, would be discretionary. While it is important to protect the individual and others from physical harm, we are also concerned about the subjectivity of the standard and are soliciting comments on how to incorporate a more objective standard into this provision.

We are proposing that covered plans and providers should only consider denying a request for inspection and copying under this provision in situations where a licensed health care professional (such as a physician, physician’s assistant or nurse) makes the determination that access for inspection and copying would be reasonably likely to endanger life or physical safety. We are proposing to require a licensed health care professional to make the determination because it would rely entirely on the existing standards and ethics in the medical profession. In some instances, the covered plan or provider would be a licensed health care professional and therefore, he or she could make the determination independently. However, when the request is made to a health plan, the entity would need to consult with a health care professional in order to deny access under this provision.

We are soliciting comments as to whether the determination under this provision should be limited to health care professionals who have an existing relationship with the individual. While such a limitation would significantly restrict the scope of this provision and could reduce the number of denials of requests for inspection and copying, it could also ensure that the determination of potential harm is as accurate as possible.

By proposing to allow covered plans and providers to deny a request for inspection and copying based on potential endangerment, we are not suggesting that entities should deny a request on that basis. This provision is not intended to be used liberally as a means of denial of individual inspection and copying rights for all mental health records or other “sensitive” health information. Each request for access would have to be assessed on its own merits. We would expect the medical community to rely on its current professional standards for determining what constitutes a threat to life or physical safety.

As explained above, we are not proposing to create a new “duty” whereby entities can be held liable for failure to deny inspection and copying. We simply are acknowledging that some providers, based on reasonable professional judgment, may already assume a duty to protect an individual from some aspect of their health information because of the potential for physical harm. The most commonly cited example is when an individual exhibits suicidal or homicidal tendencies. If a health care professional determines that an individual exhibits such tendencies and that permitting inspection or copying of some of their health information could reasonably result in the individual committing suicide, murder or other physical violence, then the individual could be denied access to that information.

We considered whether covered plans and providers should be permitted to deny access on the basis of sensitivity of the health information or the potential for causing emotional or psychological harm. Many States allow denial of access on similar grounds. In balancing the desire to provide individual access against the need to protect the individual, we concluded that the individual access should prevail because in the current age of health care, it is critical that the individual is aware of his or her health information.

Therefore, if a health care professional determines that inspection and copying of the requested information may cause emotional or psychological harm, but is not reasonably likely to endanger the life or physical safety of the individual or another person, then the covered plan or provider would not be permitted to deny the individual’s request. If the entity is concerned about the potential for emotional or psychological harm, we would encourage it to offer special procedures for explaining the information or counseling the individual. For example, an entity could offer to have a nurse or other employee review the information or the format with the individual or provide supplemental written materials explaining a diagnosis. If the entity elects to offer such special procedures, the entity would not be permitted to condition inspection and copying upon compliance with the procedures. We are not proposing to require covered plans or providers to establish any informational or counseling procedures and we are not proposing that individuals be required to comply with any procedures in order to obtain access to their protected health information. We invite comment on whether a standard such as emotional distress or psychological harm should be included as a reason for which a covered plan or provider could deny a request for inspection or copying.

ii. Disclosures likely to cause harm to another individual.

We propose that covered plans and providers be permitted to deny a request for inspection or copying if the information requested is about another person (other than a health care provider) and a licensed health care professional has determined that inspection or copying is reasonably likely to cause substantial harm to that other person. We believe that it is rare that information about one person would be maintained within the health records of another without one or both of their knowledge. On some occasions when health information about one person is relevant to the care of another, a physician may incorporate it into the latter's record, such as information from group therapy sessions and illnesses with a genetic component. In some instances the information could be shared without harm, or may already be known to the individual. There may, however, be situations where disclosure could harm the other person, such as by implicitly revealing facts about past sexual behavior, nonpaternity, or similarly sensitive information. This provision would permit withholding of information in such cases.

We believe that this determination should be based on the existing standards and ethics in the medical profession. We are soliciting comments on whether the determination under this provision should be limited to health care professionals who have an existing relationship with the person who is expected to be harmed as a result of the inspection or copying.

Information about a third party may appear in an individual's records unbeknownst to the individual. In such cases if the individual chooses to exercise her right to inspect her protected health information, the covered plan or provider providing her access would be making an unauthorized disclosure unless the third party has provided a written authorization. We considered requiring that access to such information be denied because the third party had not provided an authorization. We considered proposing that the covered plan or provider would be required to deny an individual’s request for access to any information about another person, unless there was a potential for harm to the individual who would be denied. This would have been the only instance where we would require that access be denied as a general rule. We recognized that such requirements would ultimately require covered plans and providers to review every piece of protected health information before permitting inspection and copying to determine if information about another person was included and whether the requester would be harmed without such information. We concluded that this would impose a significant burden on covered plans and providers. We seek comment on whether and how often individual health records contain identifiable information about other persons, and current practice relating to the handling of such information in response to individual requests for access.

iii. Disclosures of confidential information likely to reveal the source.

We propose that covered plans or providers be permitted to deny a request for inspection and copying if the entity determines that the requested information was obtained under a promise of confidentiality from someone other than a health care provider and such access would be likely to reveal the source of the information. This provision is intended to preserve an entity’s ability to maintain an implicit or explicit promise of confidentiality.

Covered plans and providers would not be permitted to deny access when the information has been obtained from another health care provider. An individual is entitled to have access to all information about him or her generated by the health care system (apart from the other exceptions we propose here), and confidentiality promises by health care providers to other providers should not interfere with that access.

iv. Disclosures of clinical trial information.

While a clinical trial is research, it is also health care as defined in § 160.103, and the information generated in the course of the trial would be protected health information. In § 164.514(b)(iv), we are proposing that a researcher/provider could deny a request for inspection and copying of the clinical trial record if the trial is still in progress, and the subject-patient had agreed to the denial of access in conjunction with the subject’s consent to participate in the trial. The IRB or privacy board would determine whether such waiver of access to information is appropriate, as part of its review of the research protocol. In the rare instances in which individuals are enrolled in trials without consent (such as those permitted under FDA regulations, at 21 CFR 50.23), the covered entity could deny access to information during the course of the trial even without advance subject consent.

Clinical trials are often masked – the subjects do not know the identity of the medication they are taking, or of other elements of their record while the trial is in progress. The research design precludes their seeing their own records and continuing in the trial. Thus it is appropriate for the patient to waive the right to see the record while the trial is in progress. This understanding would be an element of the patient's consent to participate in the trial; if the consent signed by the patient did not include this fact, the patient would have the normal right to see the record. In all cases, the subject would have the right to see the record after the trial is completed.

As with all grounds for denial of access, denial would not be required under these circumstances. We would expect all researchers to maintain a high level of ethical consideration for the welfare of trial participants and provide access where appropriate. For example, if a participant has a severe adverse reaction, disclosure of information during the course of the trial may be necessary to give the participant adequate information for proper treatment decisions.

v. Disclosure of information compiled for a legal proceeding.

In § 164.514(b)(1)(v), we are proposing that covered plans and providers be permitted to deny a request for inspection and copying if the information is compiled in reasonable anticipation of, or for use in, a legal proceeding. This provision would permit the entity to deny access to any information that relates specifically to legal preparations but not to the individual’s underlying health information. For example, when a procedure results in an adverse outcome, a hospital's attorney may obtain statements or other evidence from staff about the procedure, or ask consultants to review the facts of the situation for potential liability. Any documents containing protected health information that are produced as a result of the attorney’s inquiries could be kept from the individual requesting access. This provision is intended to incorporate the attorney work-product privilege. Similar language is contained in the Privacy Act and has been interpreted to extend beyond attorneys to information prepared by "lay investigators."

We considered limiting this provision to “civil” legal proceedings but determined that such a distinction could create difficulties in implementation. In many situations, information is gathered as a means of determining whether a civil or criminal violation has occurred. For example, if several patients were potentially mistreated by a member of a provider’s staff, the provider may choose to get copies of the patients’ records and interview other staff members. The provider may not know at the time they are compiling all of this information whether any investigation, civil or criminal, will take place. We are concerned that if we were to require the entity to provide the individual with access to this information, we might unreasonably interfere with this type of internal monitoring.

c. Provision of other protected health information where access for inspection and copying is denied.

In proposed § 164.514(b)(2), we would require a covered plan or provider that elects to deny a request for inspection or copying as provided above to make any other protected health information requested available to the individual to the extent possible consistent with the denial. The plan or provider could redact or otherwise exclude only the information that falls within one or more of the denial criteria described above and would be required to permit inspection and copying of all remaining information. This provision is key to the right to inspect and copy one’s health information. We intend to create narrow exceptions to the stated rule of open access for inspection and copying and we would expect covered plans or providers to employ these exceptions rarely, if at all. In the event that a covered plan or provider would find it necessary to deny access, then the denial would need to be as limited in scope as possible.

d. Procedures to effect right of access for inspection and copying.

In § 164.514(c) and (d), we are proposing that covered plans and providers be required to have procedures that enable individuals to exercise their rights to inspect and obtain a copy of protected health information as explained above.

We considered whether this proposed rule should include detailed procedures governing an individual’s request for inspection and copying. Because this proposed rule will affect such a wide range of entities, we concluded that it should only provide general guidelines and that each entity should have the discretion to develop procedures consistent with its own size, systems, and operations.

i. Time limits.

In § 164.514(d)(2), we are proposing that the covered plans and providers would take action upon the request as soon as possible but not later than 30 days following receipt of the request. We considered the possibility of not including a time limitation but rather imposing a “reasonableness” requirement on the covered plans or providers. We concluded that the individual is entitled to know when to expect a response. This is particularly important in the context of health information, where an individual may need access to his or her information in order to make decisions about care. Therefore, in order to determine what would be “reasonable,” we examined the time limitations provided in the Privacy Act, the Freedom of Information Act (FOIA), and several State laws.

If the entity had fulfilled all of its duties under this proposed rule within the required time period, then the entity should not be penalized for any delay by the individual. For example, if, within the 30 days, a provider approves a request for inspection and copying, makes copies of the requested information, and notifies the individual that this information is available to be picked up and paid for at the provider’s office, then the provider’s duty would be discharged under the rule. The individual might not be able to pick up the information for another two weeks, but this extra time should not be counted against the provider.

The Privacy Act requires that upon receipt of a request for amendment (not access), the agency would send an acknowledgment to the individual within 10 working days. (5 U.S.C. 552a(d)(2)). We considered several options that included such an acknowledgment requirement. An acknowledgment would be valuable because it would assure the individual that their request was received. Despite the potential value of requiring an acknowledgment, we concluded that it could impose a significant administrative burden on some of the covered plans and providers. This proposed rule will cover a wide range of entities with varying capacities and therefore, we are reluctant to create requirements that would overwhelm smaller entities or interfere too much with procedures already in place. We would encourage plans and providers to have an acknowledgment procedure in place, but would not require it at this point. We are soliciting comment on whether this proposed rule should require such an acknowledgment.

We also considered whether to include specific procedures governing “urgent” or “emergency” requests. Such procedures would require covered plans and providers to respond in a shorter time frame. We recognize that circumstances may arise where an individual will request inspection and copying on an expedited basis and we encourage covered plans or providers to have procedures in place for handling such requests. We are not proposing additional regulatory time limitations to govern in those circumstances. The 30-day time limitation is intended to be an outside deadline, rather than an expectation. Rather, we would expect a plan or provider to always be attentive to the circumstances surrounding each request and respond in an appropriate time frame, not to exceed 30 days.

Finally, we considered including a section governing when and how an entity could have an extension for responding to a request for inspection and copying. For example, the FOIA provides that an agency may request additional time to respond to a request if the agency needs to search for and collect the requested records from facilities that are separate from the office processing the request; to search for, collect, and appropriately examine a voluminous amount of separate and distinct records; and to consult with another entity or component having a substantial interest in the determination of the request. We determined that the criteria established in the FOIA are tailored to government information systems and therefore may not be appropriate for plans and providers covered by this proposed rule. Furthermore, we determined that the 30-day time period would be sufficient for responding to requests for inspection and copying and that extensions should not be necessary. We are soliciting comments on whether a structured extension procedure should be included in this proposed rule.

ii. Notification of accepted requests.

In § 164.514(d)(3), we are proposing that covered plans or providers be required to notify the individual of the decision to provide access and of any steps necessary to fulfill the request. In addition, we propose that the entity provide the information requested in the form or format requested if it is readily producible in such form or format. Finally, if the covered plan or provider accepts an individual’s request, it would be required to facilitate the process of inspection and copying.

For example, if the plan or provider will be making copies and sending them directly to the individual with an invoice for copying costs, then it would need to ensure that the individual is aware of this procedure in advance and then send the information within the 30-day time period. If the plan or provider has procedures that require the individual to inspect the health information on site, then in addition to notifying the individual of the procedure, the entity would need to ensure that there are representatives available during reasonable business hours at the usual business address who can assist with inspection and copying. If the plan or provider maintains health information electronically and the individual requests an electronic copy, the plan or provider would need to accommodate such request if possible.

iii. Copying fees.

In proposed § 164.514(d)(3)(iv), we would permit a covered plan or provider to charge a reasonable, cost-based fee for copying health information provided pursuant to this section. We considered whether we should follow the practice in the FOIA and include a structured fee schedule. We concluded that the FOIA was developed to reflect the relatively uniform government costs and that this proposed rule would apply to a broader range of entities. Depending on the size of the entity, copying costs could vary significantly. Therefore, we propose that the entity simply charge a reasonable, cost-based fee.

The inclusion of a fee for copying is not intended to impede the ability of individuals to copy their records. Rather, it is intended to reduce the burden on covered plans and providers. When establishing a fee for copying, we encourage covered plans and providers to consider the impact on individuals of such a cost. If the cost is excessively high, some individuals would not be able to obtain a copy. We would encourage covered plans or providers to make efforts to keep the fee for copying within reach of all individuals.

iv. Statement of denial of access for inspection and copying.

In § 164.514(d)(4), we propose that a covered plan or provider that denies an individual’s request for inspection and copying in whole or in part be required to provide the individual with a written statement in plain language explaining the reason for the denial. The statement could include a direct reference to the section of the regulation relied upon for the denial, but the regulatory citation alone would not sufficiently explain the reason for the denial. The statement would need to include the name and number of the contact person or office within the entity who is responsible for receiving complaints. In addition, the statement would need to include information regarding the submission of a complaint with the Department pursuant to § 164.522(b).

We considered proposing that covered plans and providers provide a mechanism for appealing a denial of inspection and copying. We believe, however, that the requirement proposed in § 164.518(d) that covered plans and providers have complaint procedures to address patient and enrollee privacy issues generally would allow the individual to raise the issue of a denial with the covered plan or provider. We would expect the complaint procedures to be scalable; for example, a large plan might develop a standard complaint process in each location where it operates, whereas a small practice might simply refer the original request and denial to the clinician in charge for review. We would encourage covered plans and providers to institute a system of appeals, but would not require it by regulation. In addition, the individual would be permitted to file a complaint with the Department pursuant to § 164.522(b).