Owning a copy of your personal data does not change property law, medical record requirements, or hinder the advancement of science. But it does build health equity by giving everyone equal access to their lifetime medical data.
Personal Health Records, Data, Ownership, and You
Why shouldn't individuals own their medical records? After all, these medical records contain their personal health information and were created for them. Lab work is literally a part of the patient -- why should other people own that?
For example, the patient has a right to view and get copies of her health information, as well as request changes to the information. Patients also have a right to get their health records in the format they choose -- some patients may want electronic copies of medical records, others might want to download them from a web portal and still others may use standard interfaces to access their information in EHRs. This is really important because it allows individuals to retain a copy of their health records in their custody and this has profound implications for how consumers finally become active participants in their health and wellness. Regardless of who owns their medical records, when patients have a copy of their health records that are readily accessible on their phones, for instance, they become more aware and engaged. What's more, engaged patients are healthier patients.
Imagine a time when users will be able to easily review their health data, share it with third parties like hospitals and doctors or sell it to pharmaceutical and research companies that are conducting clinical trials. Access to these records has never been easier -- more than 80% of patients said that their online medical records were easy to understand and useful for monitoring their health.
Your physical health records belong to your health care provider, but the information in them belongs to you. Having ownership and control over that information helps you ensure that your personal medical records are correct and complete. It makes you more engaged and healthier! It enables you to understand how your data is being shared. Last but not least, it allows you to treat your health care data as a digital asset that you can donate for research or sell for a monetary benefit. After all, it is your body and your data.
Providing individuals with easy access to their health information empowers them to be more in control of decisions regarding their health and well-being. For example, individuals with access to their health information are better able to monitor chronic conditions, adhere to treatment plans, find and fix errors in their health records, track progress in wellness or disease management programs, and directly contribute their information to research. With the increasing use of and continued advances in health information technology, individuals have ever expanding and innovative opportunities to access their health information electronically, more quickly and easily, in real time and on demand. Putting individuals "in the driver's seat" with respect to their health also is a key component of health reform and the movement to a more patient-centered health care system.
An individual does not have a right to access PHI that is not part of a designated record set because the information is not used to make decisions about individuals. This may include certain quality assessment or improvement records, patient safety activity records, or business planning, development, and management records that are used for business decisions more generally rather than to make decisions about individuals. For example, a hospital's peer review files or practitioner or provider performance evaluations, or a health plan's quality control records that are used to improve customer service or formulary development records, may be generated from and include an individual's PHI but might not be in the covered entity's designated record set and subject to access by the individual.
An individual's personal representative (generally, a person with authority under State law to make health care decisions for the individual) also has the right to access PHI about the individual in a designated record set (as well as to direct the covered entity to transmit a copy of the PHI to a designated person or entity of the individual's choice), upon request, consistent with the scope of such representation and the requirements discussed below. See 45 CFR 164.502(g) and for more information about the rights that can be exercised by personal representatives.
In providing access to the individual, a covered entity must provide access to the PHI requested, in whole, or in part (if certain access may be denied as explained below), no later than 30 calendar days from receiving the individual's request. See 45 CFR 164.524(b)(2). The 30 calendar days is an outer limit and covered entities are encouraged to respond as soon as possible. Indeed, a covered entity may have the capacity to provide individuals with almost instantaneous or very prompt electronic access to the PHI requested through personal health records, web portals, or similar electronic means. Further, individuals may reasonably expect a covered entity to be able to respond in a much faster timeframe when the covered entity is using health information technology in its day to day operations.
Yes. An individual's personal representative (generally, a person with authority under State law to make health care decisions for the individual) has the right both to receive a copy of PHI about the individual in a designated record set, and to direct the covered entity to transmit a copy of the PHI to another person or entity, upon request, consistent with the scope of such representation and the requirements of 45 CFR 164.524. See 45 CFR 164.502(g). The same requirements for fulfilling an individual's request to send the individual's PHI to a third party (e.g., with respect to timeliness, form and format, bases for denial, fee limitations, etc.) also apply to requests made by an individual's personal representative.
With limited exceptions, the HIPAA Privacy Rule gives individuals the right to access, upon request, the medical and health information (protected health information or PHI) about them in one or more designated record sets maintained by or for the individuals' health care providers and health plans (HIPAA covered entities). See 45 CFR 164.524. Designated record sets include medical records, billing records, payment and claims records, health plan enrollment records, case management records, as well as other records used, in whole or in part, by or for a covered entity to make decisions about individuals. See 45 CFR 164.501. Thus, individuals have a right to access a broad array of health information about themselves, whether maintained by a covered entity or by a business associate on the covered entity's behalf, including medical records, billing and payment records, insurance information, clinical laboratory test reports, X-rays, wellness and disease management program information, and notes (such as clinical case notes or "SOAP" notes (a method of making notes in a patient's chart) but not including psychotherapy notes as explained below), among other information generated from treating the individual or paying for the individual's care or otherwise used to make decisions about individuals. In responding to a request for access, a covered entity is not, however, required to create new information, such as explanatory materials or analyses, that does not already exist in the designated record set. Further, while individuals have a right to a broad array of PHI about themselves in a designated record set, a covered entity is only required to provide access to the PHI to which the individual requests access.
Under the HIPAA Privacy Rule, an individual has the right to access PHI maintained about the individual by a covered entity in a designated record set. This may contain electronic or non-electronic PHI. See 45 CFR 164.524(a)(1). Under the HITECH Act's Electronic Health Record (EHR) Incentive Program, eligible professionals, eligible hospitals, and critical access hospitals (CAHs) may receive incentive payments under Medicare and Medicaid and avoid payment reductions under Medicare for successfully demonstrating meaningful use of Certified EHR Technology, which includes providing patients the ability to view online, download, and transmit their health information. It is important to note that in some respects the EHR Incentive Program contains more exacting standards than the baseline requirements of the HIPAA Privacy Rule, while the HIPAA Privacy Rule contains more comprehensive requirements than the EHR Incentive Program (e.g., the HIPAA Privacy Rule access right applies to electronic and paper records, while the EHR Incentive Program applies to certain electronic records).
The HIPAA Privacy Rule provides individuals with the right to access their medical and other health records from their health care providers and health plans, upon request. The Privacy Rule generally also gives the right to access the individual's health records to a personal representative of the individual. Under the Rule, an individual's personal representative is someone authorized under State or other applicable law to act on behalf of the individual in making health care related decisions. With respect to deceased individuals, the individual's personal representative is an executor, administrator, or other person who has authority under State or other law to act on behalf of the deceased individual or the individual's estate. Thus, whether a family member or other person is a personal representative of the individual, and therefore has a right to access the individual's PHI under the Privacy Rule, generally depends on whether that person has authority under Sta