OCR Continues to Emphasize Individuals' Rights to Access Health Information
Earlier this month, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced the release of three YouTube videos and an infographic on individuals' rights to access health information. In contrast to guidance on the same topic published earlier this year, these videos are specifically geared toward consumers in an effort to increase individuals' understanding of their rights under HIPAA. Each video focuses on a specific topic: the basics of an individual’s access rights; the fees that may be charges for such access; and the rights of third parties to access an individual’s health information. The infographic also provides an overview of these rights.
OCR explained that consumers’ understanding of their basic access rights is important in helping patients take more control over their healthcare decisions. OCR also noted that individuals who access their health information are more equipped to follow treatment plans, discover errors in their medical records, and share their information for research purposes. Even though this new guidance was developed for consumers, OCR's repeated recent dissemination of information on this issue demonstrates its dedication to individual access rights. Healthcare entities must ensure that they have the proper policies, procedures, and training to comply.
Separately, in security-related news, OCR issued a warning on June 7 regarding vulnerabilities in third-party applications. While Covered Entities and Business Associates are more cognizant of vulnerabilities in operating systems and install updates and patches as needed, OCR reported that companies are less likely to do the same for third-party applications. To beef up security in these applications, OCR suggests that Covered Entities and Business Associates should:
- test third-party applications for security vulnerabilities prior to installation and on a regular basis afterward;
- install patches or updates to the software continuously; and
- carefully review end user license agreements to understand security risks in the applications.