Podcast: Shannon Hartsfield & Eddie Williams Discuss Patient Access to Medical Data
In the 12th episode of our "Florida Capital Conversations" podcast series, healthcare attorneys Shannon Hartsfield and Eddie Williams join the conversation to discuss developments impacting patient access to medical data. They provide insight on the rules and regulations surrounding records ownership and how the policy landscape has shifted. The conversation incorporates the Health Insurance Portability and Accountability Act (HIPAA) as it relates to patient privacy as well as the information blocking rule. Additionally, our attorneys outline the consequences for improper health data sharing.
This Tallahassee-based podcast series takes a look at the many different aspects of state and local government through the lens of experienced legal professionals. Hosted by attorneys Nate Adams and Mia McKown, these candid conversations offer a seat at the table to everyone who listens.
Nate Adams: Welcome to our Florida Capital Conversations podcast series. Today, our subject is developments impacting patient access to medical data. And our guests are Shannon Hartsfield and Eddie Williams. My name is Nate Adams, my co-host is Mia McKown. We are so pleased that you have joined us today to consider another important issue associated with government affecting the business community and our daily lives as Floridians. There is none better than Shannon and Eddie to kick off our discussion today. Mia, why don't you get us started with the first question?
Current State of Patients' Rights to Access Data
Mia McKown: Good afternoon, Nate. Glad to have Shannon and Eddie here sharing this information with us. One of the things I was wondering about, and it gets confusing because we hear so much about what the federal government has been doing to enforce patients' rights of access to data. Is there something new going on? Have there been some changes to this patient privacy information?
Shannon Hartsfield: Hey, Mia, this is Shannon Hartsfield. And since HIPAA first came about, patients have had a number of specific rights with respect to their medical records, including the right to access their own data. Additionally, in Florida, patients have for a long time had the right to access their medical records and there can't be any sort of delay for legal review or a doctor can't require patients to pay their bill for services before accessing data. So that's not what's new. One thing that is new, is that the federal Department of Health and Human Services Office for Civil Rights, which enforces HIPAA but has really to a certain extent, had a renewed focus on patient access in recent years. And I think the last time I checked, there were, I think, around 27 enforcement actions related to doctors and other healthcare entities that failed to provide patients with timely access to their records. So this is certainly something that's been on the federal government's radar screen especially recently. Eddie, you have any additional thoughts about that?
Eddie Williams: No. I think Shannon hit the nail on the head. This has been around for a while, but now there's increased enforcement efforts as it relates to patient access. And definitely OCR will take aggressive action once they receive a complaint as it relates to a denial of access for a patient to their records.
Records Ownership: What Does it Really Mean?
Nate Adams: So who owns patient records? Is that the physician? Is that the patient? And when you use the phrase timely access to them, what does that mean?
Shannon Hartsfield: Well, I'll take the first one. And Eddie, if you want to take the second part of that question, but in terms of records ownership, Florida law actually says in statute that the physician or the practitioner who examines the patient is the records owner. But when you think about ownership, that relates to what rights you have to the records. And just because you're the records owner doesn't mean you have the exclusive right to look at them, review them, because patients have that right as well. And a little bit later, Eddie, will talk about some other sort of access rights that others are going to have. There are a number of state laws that differ from Florida's, however. I know of at least one state that says the patient is the records owner. Many other states are silent on records ownership. But again, records ownership doesn't mean quite as much, I think, as ownership in other contexts, because that doesn't mean you have the exclusive right to be the only one to look at those records. Eddie, you wrote an article on this recently. What thoughts do you have?
Eddie Williams: Yes, definitely. When it comes to the ownership of the records as it relates to a physician, an individual under Florida law, generally, that is the individual considered the medical records owner, but it could also be the employer of that physician, provided it's in a contract that designates that employer as the owner of those records. But again, as Shannon stated, it does not preclude the medical records owner from granting access to those records. As it relates to the timing for granting access under HIPAA, HIPAA currently as written allows the provider to have 30 days to respond to a request for access to records. We suspect there is going to be some amendment to those rules to shorten that time frame because now we have additional rules that are out there and which really focus on granting quicker access to the records. So we suspect HIPAA will be revised. The regulation of the Privacy Rule bill will be revised sometime this year. We don't know when those new rules will be released, but we suspect that 30 days will be shortened, perhaps maybe to 15 days. We also have to consider state law. If the state law currently provides for a shorter time frame, then a provider will have to comply with that shorter time frame in disclosing and granting access to those records.
Differing Requirements When Providing Records
Mia McKown: Are there different requirements for electronic versus paper records, Eddie, as it relates to how long you have to provide those records to a patient upon request?
Eddie Williams: Well, for purposes of HIPAA, there is no distinction as it relates to the timing, if the records are electronic or they're paper. However, there are some different requirements as it relates to providing access to electronic records, considering how you have to provide that particular access, you know, what form and format you have to provide copies of those records to the patient. Also, if the patient requests that you send those records to a third party, there are certain requirements that you have to comply with as it relates to providing that type of access. But the new ONC information blocking rules, they deal directly with electronic health records, electronic health information. And so currently under those rules, they do require a more timely access to those records. So under the current guidance of the ONC information blocking rule, if a provider can't provide the records in a more timely fashion, then they can't just rely on the 30-day time period that HIPAA currently gives providers to provide access to those records.
Information Blocking Rules
Nate Adams: Tell us a little bit more about the new federal regulations encouraging data sharing.
Eddie Williams: Well, the information blocking rules, which came into effect in 2021, there was a delay due to the pandemic which forced the effective date into 2021. And basically the information blocking rules will prevent providers as well as health information exchanges or health IT developers of certified health IT from engaging in any activity that would interfere or prevent access to electronic health information. And so under those rules, those actors, which is how they're defined under the information blocking rule, must engage in conduct which basically provides free flowing of data and provides greater access rights to patients to their information, as well as providers who are requesting access to a patient's records in order to ensure that they can receive those records and information in a timely fashion.
Shannon Hartsfield: I think of the information blocking rules as kind of the opposite of HIPAA. Where HIPAA restricts how you can use and disclose information, the interoperability rules and the rules prohibiting information blocking require you to disclose information if HIPAA and state law otherwise permit it. And I think one of the main goals is to make sure that patients and other members of the healthcare sector have free access to this electronic health information. And I think that's a laudable goal. We're starting, though, to hear about the downside of that kind of access. There are reports, for example, of patients sitting at home and they now have immediate access to electronic lab results and they're finding out that they have cancer or other diseases sitting at home by themselves without a physician to sort of walk them through the results. So I think it remains to be seen how that's all going to play out. Another aspect of these information blocking rules is that if a patient downloads an app and wants the provider to send all their medical records to that app starting on October 6 of 2022, the provider is going to have to do that and is going to have to make all that information available. And these apps are subject to state privacy laws and they're subject to the Federal Trade Commission breach rules. But there's not a lot of regulation of them otherwise, and they're not subject to HIPAA most of the time. So I'm kind of concerned about how privacy is going to be maintained as we go forward with this new records access.
Mia McKown: And a lot of this area, just even kind of what we've talked about, Nate, sometimes there's not a lot of definitions or guidance as to what is timely, what is reasonable. And this is where I come in a lot, where I help physicians and practice groups with these types of situations. Because what will happen is we'll see a situation where a patient or a family member gets upset because they've made a request for records and they feel like they haven't gotten them fast enough or timely enough. So they will file a complaint with the Board of Medicine. And I can tell you, based upon my experience and just the way they filter complaints with the quality assurance division at the Department of Health, they have to investigate every complaint that comes in, if it falls within the guidelines or a potential statutory violation. So then that triggers a whole other series for the doctor or the practice where they receive a notice from the department that they're under investigation, they have to respond and explain everything as to what was happening. So from dealing with that, the best advice that I can give to doctors as well as practice groups and their business managers, is to make sure you have a very set policy in place to handle these requests where you docket it in, you know, you have your process in place as to what records you are obtaining, whether there are labs, notes, charts, and make sure that it's going through your process and that you can document that because that's the best way to respond to the department, to have all of that information ready and in your system to show that you are acting reasonably and complying with that patient's request. In addition, these requirements, you know, place responsibilities on you, but you also need to make sure you can document along the way each step that you've done to comply with the different state and regulatory guidelines.
Consequences for Improper Data Sharing
Nate Adams: What else can go wrong if a physician fails to properly share data?
Mia McKown: If they don't properly share the data, and like we said, they're doing a complaint investigation, then there could be a finding of a violation of their practice act, which the board could then file a complaint against the license of the physician. And there are a host of penalties that could come into play based upon whether or not it's their first offense, their second offense. And the board has a range that they can choose from. They can either fine the doctor, issue a letter of reprimand. And in some situations, depending on how egregious the situation is, or repetitive in nature, they could actually suspend the doctor's license for not complying, not maintaining the records and providing the records in a timely manner. So it can get very serious. And that's why we have found that if you start on the front end, which I know Eddie and Shannon have assisted clients with in developing policies and protocols about how to address these issues and how to handle these requests, you will not be subjected potentially to those types of adverse actions and disciplinary measures taken by your respective board.
Eddie Williams: And Nate, I would just add, with respect to the information blocking rules, for a healthcare provider, there must be some intent to act in a way to block or prevent access to the electronic health information. So mere negligence and not providing timely or reasonable access is not going to be enough to constitute a violation of the information blocking rules. And there are also various exceptions under the information blocking rule, which sometimes a particular action or activity may fall under. Say, for instance, you have the preventing harm exception whereby a provider can undertake an individualized assessment and determine that, and delay the release of the records based upon their best judgment that if they do release those records, it could cause substantial harm to the individual if, say, for instance, they don't speak to that individual in person before they release those records information to them. Also, you have the privacy exception under the information blocking rule. For example, if a HIPAA or state law requires a written consent or written authorization before the records can be released, then a provider would be considered in violation of the information blocking rule if they require that they receive that written authorization or consent prior to releasing those records. So there are various exceptions under the rule that a particular action may fall under and therefore would not be considered a violation of the information blocking rule. However, the provider would definitely have to meet all the requirements of the particular exception in order to come within that particular protection.
Closing Thoughts
Nate Adams: All right. Well, so we've learned about HIPAA, we've learned about information blocking rules, state privacy rules. Anything else that we need to share with our listeners today?
Shannon Hartsfield: I think it's just going to be important for providers, all members of the healthcare sector, to take a close look at the interoperability requirements and the information blocking rules because it's, in addition to patient access to this information, there's going to be an increased push to make the information available to other third parties in the healthcare sector. And I think it remains to be seen just how far that's going to go. And we also are waiting on new changes to HIPAA that are supposed to address interoperability and give us some guidance on the HIPAA side with respect to these requirements. So I think there are more changes on the horizon.
Nate Adams: Thanks to Shannon Hartsfield, Eddie Williams, my co-host Mia McKown, for this informative and interesting segment on developments impacting patient access to medical data. Most of all, thanks to you for joining us today. Please plan to join us for our next Florida Capital Conversations podcast. Have a great day.