In § 164.514, we are proposing that, with very limited exceptions, individuals have a right to inspect and copy protected health information about them maintained by a covered health plan or health care provider in a designated record set. Individuals would also have a right of access to protected health information in a designated record set that is maintained by a business partner of a covered plan or provider when such information is not a duplicate of the information held by the plan or provider, including when the business partner is the only holder of the information or when the business partner has materially altered the protected health information that has been provided to it.
This right of access means that an individual would be able to either inspect or obtain copies of his or her health information maintained in a designated record set by covered plans and providers and, in limited circumstances, by their business partners. Inspection and copying is a fundamental aspect of protecting privacy; this right empowers individuals by helping them to understand the nature of the health information about them that is held by their providers and plans and to correct errors. In order to facilitate an open and cooperative relationship with providers and allow the individual a fair opportunity to know what information is held by an entity, inspection and copying should be permitted in almost every case.
While the right to have access to one’s information may appear somewhat different from the right to keep information private, these two policy goals have always been closely tied. For example, individuals are given an almost absolute right of access to information in federal health record systems under the Privacy Act of 1974 (5 U.S.C. 552a(d)). The Privacy Protection Study Commission recommended that this right be available. (Personal Privacy in an Information Society 299 (1977)). The right of access was a key component of the President’s Advisory Commission on Consumer Protection and Quality in the Health Care Industry recommendations in the Consumer Bill of Rights and Responsibilities. The Commission’s report stated that consumers should “have the right to review and copy their own medical records and request amendments to their records.” (Consumer Bill of Rights and Responsibilities, Chapter Six: Confidentiality of Health Information, November 1997). Most recently, the Health Privacy Project issued a statement of “Best Principles for Health Privacy” that included the same recommendation. Health Privacy Project, Institute for Health Policy Solutions, Georgetown University (June 1999) (http://www.healthprivacy.org).
Open access to health information can benefit both the individuals and the covered entities. It allows individuals to better understand their own diagnosis and treatment, and to become more active participants in their health care. It can increase communication, thereby enhancing individuals’ trust in their health care providers and increasing compliance with the providers’ instructions. If individuals have access to and understand their health information, changing providers may not disrupt health care or create risks based on lack of information (e.g., drug allergies or unnecessary duplication of tests).
i. Information available for inspection and copying.
In § 164.514(a), we are proposing to give the individual a right of access to information that is maintained in a designated record set. We intend to provide a means for individuals to have access to any protected health information that is used to affect their rights and interests. This would include, for example, information that would be used to make health care decisions or information that would be used in determining whether an insurance claim would be paid. Covered plans or providers often incorporate the same protected health information that is used to make these types of decisions into a variety of different data systems. Not all of those data systems will be utilized to make determinations about specific individuals. For example, information systems that are used for quality control analyses are not usually used to make determinations about a specific patient. We would not require access to these other systems.
In order to ensure that individuals have access to the protected health information that is used, we are introducing the concept of a “designated record set.” In using the term “designated record set,” we are drawing on the concept of a “system of records” that is used in the Privacy Act. Under the Privacy Act, federal agencies must provide an individual with access to "information pertaining to him which is contained in [a system of records]." 5 U.S.C. 552a(d)(1). A “system of records” is defined as "a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual." 5 U.S.C. 552a(a)(5). Under this rule, a “designated record set” would be "a group of any records under the control of any covered entity from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual." See discussion in section II.B.
Files used to back up a primary data system or the sequential files created to transmit a batch of claims to a clearinghouse are clear examples of data files which do not fall under this definition. We rejected requiring individual access to all records in which she or he was identifiable because of the extreme burden it would place on covered plans or providers without providing additional information or protection for the individual. We also rejected using the subset of such records which were accessed directly by individual identifiers because of the redundancy of information involved and the increasing use of database management systems to replace legacy systems that do sequential processing. These would be accessed by individual identifier but would contain redundant data and be used for routine processing that did not directly affect the individual. We concluded that access to only such record sets that were actually accessed by individual identifier and that were used to make substantive decisions that affect individuals would provide the desired information with a minimum of burden for the covered plans or providers.
We note that the standard would apply to records that are “retrieved” by an identifier and not records that are only “retrievable” by an identifier. In many cases, technology will permit sorting and retrieving by a variety of fields and therefore the “retrievable” standard would be relatively meaningless. We intend to limit access to those sets of records actually used to affect the interests of the individual.
We believe that by providing access to protected health information maintained in a designated record set, we would be ensuring that individuals will be able to inspect or copy relevant and appropriate information without placing too significant of a burden on covered plans or providers. We are soliciting comment on whether limiting access to information maintained in a designated record set is an appropriate standard when applied to covered plans and providers and their business partners.
ii. Right of access to information maintained by business partners.
In § 164.506(e), we are proposing that covered plans and providers include specific terms in their contract with each business partner. One of the required terms would be that the business partner must provide for inspection and copying of protected health information as provided in this section. Because our authority is limited by HIPAA to the covered entities, we must rely upon covered plans and providers to ensure that all of the necessary protected health information provided by the individual to the plan or provider is available for inspection and copying. We would require covered plans and providers to provide access to information held in the custody of a business partner when it is different from information maintained by the covered plan or provider. We identified two instances where this seemed appropriate: when the protected health information is only in the custody of a business partner and not in the custody of the covered plan or provider; and when protected health information has been materially altered by a business partner. We are soliciting comment on whether there are other instances where access should be provided to protected health information in the custody of a business partner.
Other than in their capacity as business partners, we are not proposing to require clearinghouses to provide access for inspection and copying. As explained above in section II.C.5, clearinghouses would usually be business partners under this proposed rule and therefore they would be bound by the contract with the covered plan or provider. See proposed § 164.506(e). We carefully considered whether to require clearinghouses to provide access for inspection and copying above and beyond their obligations as a business partner, but determined that the typical clearinghouse activities of translating record formats and batching transmissions do not involve setting up designated record sets on individuals. Although the data maintained by the clearinghouse is protected health information, it is normally not accessed by individual identifier and an individual’s records could not be found except at great expense. In addition, although clearinghouses process protected health information and discover errors, they do not create the data and make no changes in the original data. They, instead, refer the errors back to the source for correction. Thus, individual access to clearinghouse records provides no new information to the individual but could impose a significant burden on the industry.
As technology improves, it is likely that clearinghouses will find ways to take advantage of databases of protected health information that aggregate records on the basis of the individual subject of the information. This technology would allow more cost-effective access to clearinghouse records on individuals and therefore access for inspection and copying could be appropriate and reasonable.
iii. Duration of the right of access.
We are proposing that covered plans and providers be required to provide access for as long as the entity maintains the protected health information. We considered requiring covered plans and providers to provide access for a specific period or defining a specific retention period. We rejected that approach because many laws and professional standards already designate specific retention periods and we did not want to create unnecessary confusion. In addition, we concluded that individuals should be permitted to have access for as long as the information is maintained by the covered plan or provider. We are soliciting comments on whether we should include a specific duration requirement in this proposed rule.