If you are reading this, you are probably aware that patients have the right, under the HIPAA Privacy Rule, to obtain a paper copy of their Medical Record/Protected Health Information (PHI). You may not be aware, though, that healthcare providers must also produce an electronic copy of a patient’s PHI on demand. According to HHS and the Office of Civil Rights, “… individuals also have a right under the Privacy Rule to obtain a copy of their PHI in a designated record set, such as a medical or billing record, maintained by the covered entity. A covered entity generally must provide the individual with access to the information to which the individual is entitled within 30 days of the request.
In addition, the covered entity must provide the individual with access to the PHI in the form or format requested by the individual, if it is readily producible in such form or format.
See 45 C.F.R. § 164.524. Thus, covered entities are required to provide the individual with a copy of the PHI in the electronic form requested by the individual if such form is readily producible by the covered entity.”
The regulation goes on to mention Personal Health Record (PHR) apps:
“... a covered entity may provide the PHI directly to the individual for the individual to enter into the PHR or, if the functionality exists, and where the individual has granted the covered entity authority to upload information directly to the PHR, the covered entity can comply with the access request by entering the information directly into the PHR rather than giving the individual a separate paper or electronic copy.”
Maybe you’ve never had a patient request PHI in electronic format. Perhaps your patients seem content accessing PHI from a portal. We recommend being proactive, though, and establishing pre-defined integration with a PHR so that, if a patient requests their records through a PHR, you can direct them to your preferred app that:
Has been vetted for reliability, accuracy, and HIPAA compliance; and
Is integrated with your EHR
For more resources on some SMART apps, click here. Our Dynamic FHIR API is integrated with Apple Health, MyLinks® and others.
Note that for some patients, such as children or the elderly, an Authorized Representative may be the one requesting access. With HHS pushing patient-centered care, the PHR has tremendous potential, as you can see below:
Benefits of PHR Integration
HIPAA regulations may be the stick, but there’s a carrot, too. There are benefits and incentives available for providers (hospitals and physician practices) that proactively offer a PHR solution for both iOS and Android:
Save cost and waste from generating paper copies.
Increase patient satisfaction and improve health outcomes through better educated/informed healthcare consumers.
Vet PHR technology to protect patients from potential unprotected or unscrupulous use of PHI by PHR providers.
Boost MIPS Promoting Interoperability (PI) score under the “Provide Patients Electronic Access to Their Health Information” measure. Check out the Patient Engagement apps available here.
Remember: Without a solution in place, patients and Authorized Representatives (A/Rs) are likely to present with a PHR and request their data. If a solution is already in place, you can direct them to your preferred PHR.
HIPAA Fast Facts
“If the individual's app for ePHI was not provided by or on behalf of the covered entity (and, thus, does not create, receive, transmit, or maintain ePHI on its behalf), the covered entity is not liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app,”
So, you are not required to have a BAA with these PHRs, and:
No BAA = no HIPAA liability