“The same requirements for providing the PHI to the individual, such as the timeliness requirements, fee limitations, prohibition on imposing unreasonable measures, and form and format requirements, apply when an individual directs that the PHI be sent to another person or entity.”
“For example, just as when the individual requests a copy for herself, a covered entity cannot require that an individual make a separate in-person trip to the covered entity’s physical location for the purpose of making the request to transmit the individual’s PHI to a person or entity designated by the individual. In addition, the individual can designate the form and format of the PHI and how the PHI is to be sent to the third party, and the covered entity must provide access in the requested form and format and manner if the PHI is “readily producible” in such a way. Whether PHI is “readily producible” depends on the capabilities of the covered entity and whether transmission or transfer of the PHI in the requested manner would present an unacceptable level of security risk to the PHI on the covered entity’s systems (based on the covered entity’s Security Rule risk analysis).”
“In each of these three examples, the covered entity has the capability to transfer the PHI in the requested manner and doing so would not present an unacceptable level of security risk to the PHI in the covered entity’s systems. Thus, after receiving the patient’s written request, the covered entity has 30 days (or 60 days if an extension is applicable) to send the PHI to the designated recipient as directed by the individual. However, in most cases, it is expected that the use of technology will enable the covered entity to fulfill the individual’s request in far fewer than 30 days.”
Limits or Exceptions
Are there any limits or exceptions to the individual’s right to have the individual’s PHI sent directly to a third party?
The right of an individual to have PHI sent directly to a third party is an extension of the individual’s right of access; consequently, all of the provisions that apply when an individual obtains access to her PHI apply when she directs a covered entity to send the PHI to a third party.
Personal Representatives & Third Party Access
Can an individual’s personal representative, through the HIPAA right of access, have the individual’s health care provider or health plan send the individual’s PHI to a third party?
Yes. An individual’s personal representative (generally, a person with authority under State law to make health care decisions for the individual) has the right both to receive a copy of PHI about the individual in a designated record set, and to direct the covered entity to transmit a copy of the PHI to another person or entity, upon request, consistent with the scope of such representation and the requirements of 45 CFR 164.524. See 45 CFR 164.502(g). The same requirements for fulfilling an individual’s request to send the individual’s PHI to a third party (e.g., with respect to timeliness, form and format, bases for denial, fee limitations, etc.) also apply to requests made by an individual’s personal representative.
What is the liability of a covered entity in responding to an individual’s access request to send the individual’s PHI to a third party?
Covered entities may rely on the information provided in writing by the individual about the identity of the designated person and where to send the PHI for purposes of verification of the designated third party as an authorized recipient. However, covered entities must implement reasonable safeguards in otherwise carrying out the request, such as taking reasonable steps to verify the identity of the individual making the access request and to enter the correct information into the covered entity’s system. For example, while a covered entity is not required to confirm that the individual provided the correct e-mail address of the third party, the covered entity is required to have reasonable procedures to ensure that it correctly enters the provided e-mail address into the covered entity’s system.
In addition, except in the limited circumstance described below, covered entities must safeguard the information in transit, and are responsible for breach notification and may be liable for impermissible disclosures of PHI that occur in transit. The only exception arises when an individual has requested that the PHI be sent to the third party by unencrypted e-mail or in another unsecure manner, which the individual has a right to request. As long as the individual was warned of and accepted the security risks to the PHI associated with the unsecure transmission, the covered entity is not responsible for breach notification or liable for disclosures that occur in transit.
Further, the covered entity is not liable for what happens to the PHI once the designated third party receives the information as directed by the individual in the access request.
What is a covered entity’s obligation under the Breach Notification Rule if it transmits an individual’s PHI to a third party designated by the individual in an access request, and the entity discovers the information was breached in transit?
If a covered entity discovers that the PHI was breached in transit to the designated third party, and the PHI was “unsecured PHI” as defined at 45 CFR 164.402, the covered entity generally is obligated to notify the individual and HHS of the breach and otherwise comply with the HIPAA Breach Notification Rule at 45 CFR 164, Subpart D.
However, if the individual requested that the covered entity transmit the PHI in an unsecure manner (e.g., unencrypted), and, after being warned of the security risks to the PHI associated with the unsecure transmission, maintained her preference to have the PHI sent in that manner, the covered entity is not responsible for a disclosure of PHI while in transmission to the designated third party, including any breach notification obligations that would otherwise be required. Further, a covered entity is not liable for what happens to the PHI once the designated third party receives the information as directed by the individual in the access request.
Where the PHI that was breached is “secured” as provided for in the HHS Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals, the covered entity does not have reporting obligations under the Breach Notification Rule.
HIPAA Authorization vs. Right of Access
Why depend on the individual’s right of access to facilitate the disclosure of PHI to a third party – why not just have the individual execute a HIPAA authorization to enable the covered entity to make this disclosure?
The PHI that an individual wants to have disclosed to a third party under the HIPAA right of access also could be disclosed by a covered entity pursuant to a valid HIPAA authorization. However, there are differences between the two methods — the primary difference being that one is a required disclosure and one is a permitted disclosure — that may make the right of access a more favorable choice for most disclosures the individual is initiating on her own behalf. These differences are illustrated in the following table:
In addition, the Privacy Rule permits covered entities to disclose PHI for treatment, payment and health care operations without the need to first obtain an individual’s authorization or receive an access request by the individual to have the individual’s PHI directed to a third party for such purposes. See 45 CFR 164.506. As a result, if an individual is seeking to have her PHI shared among her treating providers, the covered entities can and should do so; the individual should not have to facilitate this transmission by submitting an access request (and potentially having to wait up to 30 days for the information to be sent and be charged a fee) or by executing a HIPAA authorization. See the Fact Sheets on Understanding Some of HIPAA’s Permitted Uses and Disclosures.
Family / Caregiver Access
Under HIPAA, when can a family member of an individual access the individual’s PHI from a health care provider or health plan?