Although the EHR Incentive Program and the HIPAA Privacy Rule are distinct, it is possible for a provider or hospital to leverage its Certified EHR Technology to fulfill its HIPAA Privacy Rule obligations with respect to individual access in circumstances where the individual either: (1) requests access to PHI that is held in the Certified EHR Technology; or (2) requests access to his PHI, the covered entity professional or hospital informs the individual that the PHI requested is available through the Certified EHR Technology, and the individual agrees to access the requested PHI through the Certified EHR Technology.
In scenario 1, the individual is aware of the EHR Incentive Program and specifically requests access to her PHI via the functionality of the Certified EHR Technology. For example, in exercising her right of access under the HIPAA Privacy Rule, an individual could request a copy of her information that constitutes the CCDS through the provider’s Certified EHR Technology portal or that it be sent from the Certified EHR Technology to the individual’s Direct address (an electronic address for securely exchanging health information using the Direct technical standard). If the provider is using Certified EHR Technology, the HIPAA Privacy Rule requires the provider to grant this request from the individual because the form and format requested is “readily producible” using the provider’s Certified EHR Technology. At the same time, the provider should be able to count this access by the individual for purposes of meeting its EHR Incentive Program objectives, as long as the access was provided within the timeframes required by the EHR Incentive Program. Because the Privacy Rule provides up to 30 days to act on an access request, meeting the more prompt deadlines of the EHR Incentive Program clearly complies with the Privacy Rule’s deadlines.
In scenario 2, the individual has requested a copy of certain of his PHI, and the provider recognizes that the PHI requested by the individual would be easily available through the Certified EHR Technology. The individual asks for the information in PDF format; the provider instead offers to set up an account for the individual so that the individual can access this information directly through the portal in the Certified EHR Technology. If the individual agrees to the portal access, the provider will be able to satisfy the individual’s HIPAA access request using the Certified EHR Technology portal, while at the same time being able to count the access for purposes of meeting EHR Incentive Program objectives (as long as the access was provided within the timeframes required by the EHR Incentive Program). If the individual declines the offer and instead maintains his request to receive a copy of his PHI in PDF format, the HIPAA Privacy Rule requires the provider to provide the individual with a copy in PDF format, if the PHI is readily producible in that format or, if not, in an alternative electronic format that is agreeable to the patient. Further, the individual at all times retains the right to access his PHI in a designated record set that is not part of or available through the Certified EHR Technology.