One hallmark of my work as chief privacy officer at the
Office of the National Coordinator for Health IT (ONC) was reminding everyone about the individual’s right to get a copy of
their own protected health information (PHI) and, since 2009,
to download or transmit it directly from a certified electronic
health record (EHR) system.
In my last few months at ONC in late 2016, and continuing into
2017, I had two occasions to exercise this right myself. This essay
describes my release of information (ROI) experiences in an annotated context. It also suggests ways Health Insurance Portability and Accountability Act (HIPAA)-covered entities and their
business associates, including specialized document handling
companies, can improve the ROI experience for everyone.
AHIMA’s members are familiar with this right of an individual to
get their own PHI (I will refer to this as the Access Rule). The Office for Civil Rights (OCR) and ONC have excellent materials on the
rule available for review. 1 The original regulation was finalized in
2000 as 45 CFR 164.524. 2 In section 13242 of the Health Information
Technology for Economic and Clinical Health Act (HITECH), Congress interpreted that regulation to require, in statute, that it also
included an individual’s right to transmit the PHI “directly from
an electronic health record” system. 3 In 2013, OCR updated the
Access Rule in light of HITECH. 4 These rules underlie the work I
did with ONC. Finally, in December 2016, Congress passed and
President Obama signed the 21st Century Cures Act (Cures), which
adds requirements that EHR vendors and healthcare providers not
“block” an individual’s ability to compile a longitudinal record of
their health history—a record that could be compiled relatively
easily if the Access Rule really worked as written. 5 My own experience is just one of thousands of experiences that illustrate it doesn’t
work as written, and that we have a lot of work to do.
On a business trip in 2016 it became clear that I needed some
dental work. As it turned out, a 41-year-old filling had failed.
I saw my dentist July 6, 2016. He removed the old silver and
drilled out the rot, leaving a 2mm hole in my tooth, which required a crown. He started that work and I paid $1,965. He submitted a request to the insurance company for reimbursement.
On August 9, the insurance company denied benefits, claiming that a crown was unnecessary. On September 26, 2016 the
dentist filed an appeal. In the appeal, the dentist included his
complete notes and the digital photos from several angles of
the 2mm hole in the tooth. He also opined that the hole was too
large to be filled with a traditional filling.
On October 3, 2016 I also filed a detailed written appeal, as I
had paid my dentist in full. In that appeal, I requested a copy of
any PHI used to decide my benefits claim that my dentist had
not supplied. I also requested an estimate of the copying costs
for such PHI, not knowing what was in their files.
The Access Rule’s preamble from 2000 explains that one reason
for the rule is an individual’s right under federal law to know
the evidence used to make an adverse benefit determination
against them. 6 In the case of PHI, this evidence is contained in a
“designated record set,” which is PHI “used by a covered entity
to make decisions” such as benefit denials “about the individual.” 7
Note that my request was in writing, the data was clearly
identified, and there was no question about my identity. I received
no answer. Then, the following saga unfolded:
On November 9, 2016 the insurance company sent me a
denial letter identical to the prior denial letter, but with a
new date. They did not respond in any way to my request
for my PHI. I complained to the insurance regulator, the
District of Columbia Department of Health.
By December 26, 2016 I still had not received my PHI. On
December 27, nearly three months after my first request, I
filed a complaint with OCR using its online tool. I uploaded
my October 3, 2016 letter which included the request for PHI.
On December 30, 2016 I called the insurance carrier. After
first being disconnected when I escalated to a supervisor,
I finally found a person who promised me I would get a
response in seven to 10 days. I never got a response.
On January 25, 2017, I received a nice letter from OCR saying
it had informally contacted my insurance company,
and explained in detail my rights. But it did not say how
much longer I would wait for my PHI.
On February 14, I called OCR. I spoke to an OCR analyst
who told me to wait another 30 days for my PHI. She also
told me that the insurance company’s privacy officer had
called OCR in response to OCR’s letter, but that the privacy
officer had never heard of nor seen my request for my
PHI. I told the OCR analyst that the company’s poor internal
processes did not excuse the failure to supply my PHI.
I then continued to wait.
On February 25, I filed a second complaint with OCR be-
Bitter ROI Irony
Lucia Savage, JD, served as chief privacy officer at the Office of the
National Coordinator for Health IT from 2014 to 2017.