Dominique Entzminger, a physician assistant of family medicine, wears a stethoscope during an examination at the Codman Square Health Center April 5, 2006, in Dorchester, Mass. (Photo by Joe Raedle/Getty Images)

Last year, a damning report from the Office of Civil Rights found 89% of audited providers were failing to comply with the right of access rules outlined in the Health Insurance Portability and Accountability Act. In light of ongoing threats and health app privacy matters, it may appear that prioritizing patient access rights would fall far down the list of OCR and provider concerns.

However, the Department of Health and Human Services has made patient access rights, interoperability, and info blocking key enforcement priorities for HIPAA for the last three years. OCR announced its 20th settlement over HIPAA right of access just this week, while it hasn’t issued an enforcement discretion over a data breach or security violation since June 2020.

In fact, the majority of OCR settlements made within the last two years stemmed from access violations, in far greater frequency than penalties launched against providers that fail to comply with HIPAA breach requirements.

But just as the threat landscape shows protecting patient safety is likely more important than protecting patient data, ensuring patient access rights should also be viewed as crucial to both compliance and improving the overall health care system.

SC media spoke with two former HHS privacy leaders and ongoing patient privacy and access advocates, Deven McGraw of Ciitizen and Lucia Savage of Omada Health, to get a sense of why OCR has cracked down on access violations and ongoing implications, along with debunking some of the most common misconceptions about the HIPAA rule.

HIPAA is clear: timely patient access equals better care outcomes

HHS OCR launched its HIPAA Right of Access Initiative in 2019, driven by the idea that when patients have access to their data in a secure meaningful format, it improves care outcomes for the entire sector.

Patient access rights are directly outlined in HIPAA, which states that covered entities and relevant business associates are required to provide an individual with access to their protected health information upon request, within a reasonable timeframe, and for a nominal fee.

The patient or their representative is allowed to obtain or inspect a copy of their data for as long as it is maintained by the entity, regardless of when the record was created or if it is in electronic or paper formats, according to the rule.

HIPAA Right of Access has always been broad and very important in health care, “yet very underutilized,” said Deven McGraw, co-founder and chief regulatory officer of Ciitizen. “People don't feel like they have a right, and [the rules are] also under-implemented by the entities that are subject to these laws. There are many obstacles put in their way.”

“There’s not a full acceptance of the power that providing data has given patients more agency and enhances their ability to be more involved in their own care. I don’t think there is a kind of universal acceptance of that concept,” she added. “Overall, there’s a sort of ignorance that the law does, in fact, give patients the right to have their records.”

Driving patient access was one of the reasons McGraw was excited to join the federal government in 2015. As former deputy director of health information privacy at the HHS Office of Civil Rights, some of her tenure was spent driving patient privacy and access initiatives.

Click here for full coverage of the 2021 SC Media Women in IT Security

The passion for privacy and data governance is something that developed over time, driven by a frustration that patients don’t have a lot of control or insight into what’s going to happen to them particularly when they’re sick.

McGraw said it felt like the “wrong context: people can’t treat themselves. We rely on the advice of medical professionals who have the learning and experience. At the same time, the care and treatment is happening to the patient within the context of their lives.” 

“Yet, patients have so little decision-making power and agency over [care],” she added. “The lack of access to data is really part of what undermines a patient in having the ability to choose their own pathways, to advocate for themselves, to figure out [their] treatment path.”

The way to empower patients is to provide them with the necessary data to support decision making in terms of their care. As McGraw sees it, “a lack of health literacy is another aspect of that: If you don’t have the data, you really have nothing. You cannot make decisions in your life without data,” and health care decisions are one of the most important choices one can make.

McGraw joined Ciitizen following her HHS tenure: a free service that helps patients get more out of their health records through a platform aimed at finding better treatment options and helping to gain access to their patient records.

“We did realize we were breaking ground and that we might ruffle some feathers right with what we were doing,” she noted. “What gets measured and publicly reported gets improved in health care… And we were in a really good position to make a difference there.”

For now, Ciitizen is continuing to look for ways to improve its report cards so “that it measures not just how patients get data from medical records departments, but about the quality of data that’s available through API portals and about the data available through other sources.”

The main goal is to raise the bar on how patients access their data through these new sources and mechanisms, with patient scorecards becoming more than just grades for health information management department responses, but a broad look across the ecosystem around patient access data.

Arguably, one of the largest patient privacy and digital health advocates is none other than Lucia Savage, chief privacy and regulatory officer for Omada Health, a fully integrated digital health platform and program for chronic disease patients that relies on data-driven insights.

For Savage, a digital health proponent and leader, the key thing is to make these platforms and data sharing relevant to what patients need, while ensuring they can be confident in these business partners.

Unfortunately, some health apps have done a disservice to this mission with the vast majority of mHealth apps and mental health apps routinely engaging in dubious data-sharing practices without informing the user.

As Savage and a number of industry stakeholders noted, HIPAA does not protect consumer-generated health data when it isn’t sourced by the health care provider. Nor does HHS or any of its departments have the power to enact regulation to protect health app privacy.

It was a key congressional issue before the pandemic, the economic fallout, and other pressing priorities, but for now, health app privacy is regulated by the Federal Trade Commission — and not as much as stakeholders would like.

“In time, those concerns and the law will sort itself out,” said Savage. “However, I think the absence of baseline protections that apply the same everywhere is eroding generalized trust in digital health. And so I worry about that for a minute.”

HIPAA noncompliance commonplace for the majority

When the Ciitizen team worked to get records for users in the early days, McGraw said she found many providers were stunned with some of the compliance facts her team shared about access rights, including that OCR had put out guidance to clarify some of these issues.

Ciitizen sought to take a pulse of access compliance and worked with medRxiv to audit and interview 3,000 health care organizations. The scorecard helped to break down some of the largest myths due to the educational effort that informed people that they weren’t in compliance with HIPAA — and the reasons why.

The first access compliance report released in August 2019 painted a dismal picture: more than half of health care providers were failing to comply with HIPAA access rights. For many patients, it took multiple attempts or referrals to organization supervisors before the records were shared.

The most common failure was refusal to send records to the patient via email. And even when providers did comply, it was only after the entity’s privacy officer or supervisor was called and educated on just what the HIPAA rule required. At the time, just 18 percent of providers successfully and accurately complied.

Two months later, with hopes that providers would be better informed, a follow-up report showed that barely half of providers were in compliance with the rule. Many of the biggest challenges Ciitizen observed were due failure to provide patients with records in the requested form or format.

A third report released in May 2020 found significant improvement, with only 27 percent of providers requiring serious intervention before providing access to requested records.

As HHS works to enact and enforce its info blocking and interoperability rules through the Trusted Exchange Framework and Common Agreement, the “efforts to automate access through open standard APIs — which takes the form and format issue off the table — will go a long way to resolving a major compliance obstacle.”

TEFCA will be enacted in the first quarter of 2022.

“There are just a number of misconceptions after misconceptions, based on engrained policies that were probably not accurate to begin with but that people have just assumed are compliant with the law,” said McGraw. “They follow these old policies, and it’s quite eye-opening.”

Debunking API privacy and security myths

Misconceptions about HIPAA access rights are common, typically centered on education gaps, legitimate tech concerns, and outdated ideologies.

Long before HHS sought to drive data sharing across the health care sector, the Health Information Technology for Economic and Clinical Health Act of 2009 included a statutory provision that said an electronic health record has to allow a patient to direct the provider to transmit their protected health record anywhere else, explained Savage. At Omada, it’s called “directed transmission.”

In one example, patients in Omada’s diabetes management program often need to share data relevant to their care. Within their portal, there’s a button that explains how to do it and what will happen, as well as the consent needed to share that data.

There’s another element called “dynamic consent,” providing permission related to the time it’s needed as it has context. Savage explains that the rule has been around since 2009, it just requires technology and cooperative "business partners.”

“I think the API role will fortify the ability of people to do direct transmission ... API role is for read-only, but you can see how the tools might work together,” said Savage. “I think as telehealth and virtual health become more ubiquitously available to patients, those tools will take advantage of these rules. But it will take a little while because of that old HITECH rule and API rule.”

For Savage, some of the largest concerns around access and the reliance on APIs to share data stem from organizations worried that patients will extract the data from the provider into an app that is not secure and that bad things will happen.

Consider how consumers manage banking, grocery shopping, car repairs, mortgages, and other real-world situations that heavily rely on tech to complete these tasks securely. So to that end, “if you're an adult, and you're managing it yourself,” it’s not on the organization if the person did not manage it responsibly.

But to be clear, “cybersecurity is not a joke, and most health care organizations need to up their game substantially,” said Savage. ”That's kind of the baseline... Any organization interacting with another organization has an active obligation to make sure the system is secure and other people aren't allowing intrusions into your system. That's an active current legal obligation.” 

It’s also important that these apps aren’t further burdening the patient with unnecessary “safeguards” that make it difficult for patients to access and share their information on their own, she explained. For example, some health systems prevent patients from taking a screenshot of what’s in the app.

It’s a good thing to prevent screen scraping from outside parties, “but you've also made it incredibly inconvenient for your patient because now they can't get their data out of there no matter what they do,” explained Savage. “Where does it fall in the standard that I have to protect my system from intrusions, but not my data from being screen scraped?”

“There’s a lot of room for debate in there. I go to a system that locks the app from screenshots, my husband goes to a system that doesn't. We both go to systems that use Epic, but it’s just a different approach to security,” she continued. So developers need to be asking, “what empowers the patient?”

Breaking down access challenges and misconceptions

There will always be the hyperbole arguments. But a recent article in the Journal of Medical Internet Research written by Savage and her husband Mark Savage, SDOH policy lead for Gravity Project, concluded that: “Patients have a legal right under HIPAA to a copy of their health data and to have their health data sent electronically to a third-party app of their choice.” 

“Doctors routinely disclose PHI appropriately to other legitimate recipients of that PHI and are not liable under HIPAA for what those recipients do with the PHI,” they added. Given these well-established rules and practices, doctors and their health systems should be equally confident in routinely sharing patients’ health data electronically with patients and their third-party apps.”

That means, the majority of misconceptions and myths surrounding data sharing can easily be debunked. But for now, they’re getting in the way of improving overall patient access rights. As McGraw explained, for example, access is not necessarily governed by state laws, nor do state laws dictate how much to charge patients for their records.

Other misconceptions include doctors assuming that their notes are not included in access rights. But it’s just not accurate: Those notes don’t belong to the doctor. McGraw stressed that access to provider notes is one of the biggest areas of consternation, despite troves of OpenNotes data dispelling the myths. 

Sharing provider notes “actually doesn’t undermine the doctor-patient relationship,” she explained. “It produces more engagement on the part of the patient.” For some providers, sharing notes has led to better patient outcomes.

Providers also worry that they’ll be inundated with calls and questions from patients about what’s in their record. But “inevitably, communicating with patients should be more of a value than to be frustrated.”

“There are a lot of scenarios that providers are fearing. But there are definitely more positives to sharing,” she explained. “The fact that the patient gets the data and shares it with a family member means that instructions are better understood and followed” because the family member can ensure the patient is adhering to the plan.

Part of the apprehension stems from dated notions of doctor-patient relationships that have persisted in medicine, which McGraw believes “underpin why it’s so hard for patients to get copies of their records.”

Patients still face difficulties, especially when trying to obtain older information that may “be buried in paper records.” That data isn’t easily accessible through a portal, such as obtaining medical images or EG tracing data and other critical information for parents of children with rare health conditions.

“How do we get to the point where they think first about making sure patients can get copies of their data? How can we avoid putting medical records departments in the basement and only have working hours of 9-5, when people are at work? We just don’t think first about how to empower the consumer,” she added. “We still treat consumers as people we do business with, as opposed to a true partnership.”

Significant improvements, but a long journey ahead

The OCR initiative and the 20 separate settlements for potential violations of the HIPAA Right of Access Rule have shined a light on the importance and enforcement discretion priorities of the agency, which have led to a “tremendous improvement in the ability of patients to access their health information.”

HHS and other federal government agencies are also working to make it easier for patients to get their data by just logging into their patient portal and getting a better complement of data, as opposed to just being able to lab test results without images or doctors’ notes, explained McGraw.

And thirdly, the Ciitizen scorecard that includes reports and grading on the team’s experiences in getting data for users and how to factor that into records.

“In the early days of patient portals, there wasn’t a lot of actionable data on the platforms. But that has been improving,” she noted. What remains a challenge are access barriers for patients with multiple health care providers, who must log into different device portals on a regular basis.

The agencies’ info blocking and interoperability rules are driven by the need for better data sharing among providers and patients to improve care outcomes. HHS is also working to allow people to leverage personal health record apps or platforms like Ciitizen’s, which gathers all that information into one place. However, McGraw notes that these efforts aren’t happening on a global scale.

“There’s been good progress, but there’s still a long way to go,” said McGraw. “We're absolutely closer to getting a health care system that works better for patients… with patients having access to their health information in a much more seamless way.”