Since its inception, the right guaranteed by the HIPAA Privacy Rule for an individual to access protected health information (PHI) about him or her that is held by a health care provider or other organization has operated in a primarily paper-based environment. While it has been common for health care providers to create, maintain, and exchange PHI in paper form, an increasing number of providers are beginning to use new forms of health information technology (health IT), which often involve the transition of PHI from paper to electronic form. Many health care providers, for example, are adopting comprehensive electronic health records (EHRs) to enhance the quality and efficiency of the care they deliver. Health IT also may create mechanisms by which individuals can electronically request access to their PHI and by which providers can respond by granting or denying access electronically.
An individual’s right to access his or her PHI is a critical aspect of federal and state privacy rules and regulations, the application of which naturally extends to an electronic environment. The current rule establishes, with limited exceptions, an enforceable means by which individuals have a right to review or obtain copies of their PHI, to the extent it is maintained in the provider’s health IT system(s). These rules lay out specific, yet flexible, standards that also address individuals’ requests for access and the timeliness of the provider’s response.
The HIPAA Privacy Rule provides the first national standards for protecting the privacy of health information. HIPAA regulates how certain entities, called covered entities, use and disclose certain individually identifiable health information, called protected health information (PHI). PHI is individually identifiable health information that is transmitted or maintained in any form or medium (e.g., electronic, paper, or oral), but excludes certain educational records and employment records. Among other provisions, the Privacy Rule: