The HIPAA Omnibus Rule, also known as the Final Rule, gives patients the right to request an electronic copy of PHI (protected health information) that is maintained in an EHR (electronic health record). The covered entity that receives the request must provide the patient with their PHI in the format requested, if it is readily producible. If the record is not maintained in the requested format, the covered entity must provide the PHI in an electronic form agreed to by both parties. If the patient does not agree to any of the electronic formats offered, a hard copy may be provided to fulfill the request. Key points to remember:
- Paper/hybrid records – this rule applies only to records in electronic format. If you maintain a paper or hybrid record, the PHI that exists on paper is not required to be scanned. A hard copy of the paper record can be given to the patient along with the electronic record in the agreed-upon electronic format.
- Patient's flash drive – a covered entity is not required to use an individual's flash drive or any other electronic storage media to transfer their PHI. It is recommended not to use any storage media supplied by the requester, since media of unknown origin can introduce malware into the covered entity's systems.
- Unencrypted email – a covered entity is permitted to send PHI to an individual by unencrypted email, but only if the requester agrees to this after being informed of the risks of sending PHI in an unencrypted email.
I would recommend setting a departmental policy with a single electronic format option for supplying PHI to requesters. Every additional option adds difficulty and time to releasing the PHI and increases the likelihood of a breach. How does your hospital handle requests for PHI in an electronic format?