Everything You Didn't Want To Know About HIPAA (But Have To Ask)
Part 2 -- Access

by Jackie Huchenski, Esq., David Rabinowitz, and Linda A. Malek, Esq.

This article originally appeared in the May 1st issue of E-Healthcare Market Reporter (Vol. 1, No. 19).

Broadly speaking, the Health and Human Services Department's proposed regulations under the Health Insurance Portability and Accountability Act ("HIPAA") cover three major topics: privacy, access, and administrative simplification. The first article in this series discussed privacy. This article will discuss the flip side of the right to privacy, which is the individual's right to access.

Giving patients a legal right of access to their health information is not a new idea. Twenty-eight states already have laws giving patients the right to see their medical records, according to a 1999 study by the California Healthcare Foundation and Consumers Union, "Promoting Health, Protecting Privacy, a Primer."

The proposed HHS regulations would federalize the law of patient access. In general, the access rules would cover only health plans and providers, since these rules depend on patient contact and those institutions will have the patient contacts where notice is relevant. HHS relies, however, on the business partner rules to compel other institutions to adhere to the HHS policies so far as they are relevant.

The purpose of this article is to look at patients' rights under the proposed regulations and at some implications of those rights. Patients would get four main rights under the proposed regulations:

  1. Notice of "information practices";
  2. Access to their health information;
  3. An accounting of who has seen their health information; and
  4. The right to request amendment and correction of their health information.

(A) NOTICE OF INFORMATION PRACTICES

It is in the required notice of information practices that the patient learns that he has an access right. The proposed regulations strictly regulate what the notice must contain, prescribing subject matter in some instances and actual contents in others. They also prescribe when the notice must be given, how it may be changed and when the institution can act on changes.

Contents.
The good news is that HHS visualizes the notice as merely a distillation of the institution's HHS-mandated internal policies and procedures for use and disclosure of information, thus imposing little burden beyond development of the internal policies and procedures. The bad news is that the degree of detail mandated in the regulations for just this "distillation" presages the burden of creating the internal policies and practices. The good news is that the specificity of the HHS regulations leaves room the room for the institution to make judgments, allowing a connect-the-dots approach to formulating notices. The following areas must be covered in the notice:

The following statements must appear in the notice:

AND all of this must be written in plain language.

Distribution of notice.
The notice must be distributed by the effective date of the final rule, at enrollment, within 60 days of a material change to the institution's information practices, and at least once every three years. It goes to every patient when first treated. It is also to be posted and put on fliers for patients. New policies would require new posting. Possibly the most interesting thing in this desert of formalities is the right of the institution to apply new policies retroactively. HHS has stated that it would impose too much of a burden on institutions to require them to segregate information collected under different use and disclosure policies. This would seem to preclude any reliance by a patient on these policies, notice of which HHS is taking such pains to require. Presumably, HHS takes the view that it has constrained the institutions' privileges to use and disclose information so that no very bad thing can happen so long as the institutions act within HHS's rules.

(B) ACCESS

The access right itself is a broad right for patients to see and copy their health information held by covered institutions. The basic principle is that patients get their records unless there is a very good reason why not.

HHS defines the information that must be made available, the way in which it must be requested and provided, and the few exceptions to what must be provided. Business partners need not give access unless they hold information different from that held by covered institutions. It may turn out, however, that the burden of determining whether business partners hold different information will lead them to make their records available without taking advantage of this limitation.

What must be provided - the "designated record set".
The records to be made available are those that are used to affect the patient's rights and interests. HHS gives, as examples, information used to make health care decisions or used in determining whether to pay an insurance claim. This criterion enables institutions to exclude records kept for other purposes, like quality control.

A mechanical constraint is also used to further define what records must be made available. HHS limits access to "designated record sets," meaning "a group of any records under the control of any covered entity from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual." It does not extend to all records where the patient is identifiable by name, but only to records that are actually accessed by the institution by patient name (or other patient identifier).

Exceptions to Right of Access.
The exceptions to the right of access are all optional. Institutions need not invoke the exceptions and are expected to decide whether or not to do so on a case-by-case basis. As with all of the case-by-case determinations required by the proposed regulations, it is a very open question whether the burden of making the determinations will result in the institutions simply never taking advantage of the exceptions to disclosure. If access is denied, the patient must receive written notice of the denial explained in plain language, together with the part of the institution where a complaint about it could be made.

There are 5 proposed exceptions to the right of access:

Access Procedures.
Institutions must either grant or deny access within 30 days of any request. Interestingly, there are no rules governing emergency requests, although emergency situations can easily be imagined. HHS expects institutions to act responsibly in emergency situations. Institutions will have a range of choices for physically providing access but must allocate the personnel, equipment or facilities needed to make the chosen method effective.

(C) ACCOUNTINGS OF DISCLOSURES

Patients are to have the right to know who has seen their records. Accountings are to be supplied within 30 days of requests. They are to state the date, the name and address of the organization or person who received the information, and a brief description of the information disclosed.

The potential administrative burden of recording access may be reduced by the rule that excepts disclosures for treatment, payment, and health care operations. HHS suggests that these exceptions be implemented by requiring users to record the purpose of the disclosure. On the other hand, it is also proposed, in HHS's administrative simplification rules, that institutions be required to log all disclosures in order to monitor information security. It will be the institutions that determine whether it will be more efficient to maintain separate logs for security and for patient accountings.

(D) REQUESTING ADDITIONS AND CORRECTIONS

Under the proposed regulations, the patient would have the right to request changes in his information, but it would be up to the institution to decide whether to make the requested change. Only information (1) determined to be wrong or incomplete, (2) that the health plan or provider had created, and (3) that would be available for patients' access would need to be changed. Information originating elsewhere need not be changed, the theory being that the creator of the information is the only party that can easily check the accuracy and completeness of the information. To guard against the perpetuation of wrong or incomplete information, changes would have to be disseminated to all relevant other institutions, which would be obliged to make those changes in the records they maintain. Institutions would have to act on change requests within 60 days. As with denials of access, denials of changes would have to be made by written notice, with an explanation in plain language, and notice of how a complaint within the institution about the denial could be made. In addition, the patient would have to get notice of his right to file a written notice of disagreement with the denial, which would be filed with (and in the future disclosed with) the disputed information.





© 1999 - Moses & Singer LLP all rights reserved.
