Q&A: Adhering to OCR's Right of Access initiative
Q: The Office for Civil Rights (OCR) has settled its first case related to its Right of Access initiative. What is important to know about this from a security standpoint? Where are the common security missteps when releasing information to patients upon request?
A: Individuals have a right to ask for a copy of their designated record set (DRS) and to request that copies of their DRS be sent to a third party of their choosing, so from a security perspective, the most important area to focus on is transmission. Paper copies may be sent via the US Postal Service, FedEx, UPS, and so forth, and those vehicles are generally secure. There’s no need for additional security measures to protect the paper copy.
Since individuals have a right to ask for a copy of their DRS electronically, there are other security steps that need to be taken. Whether the DRS is delivered on a CD or emailed to an individual, the data needs to be encrypted. When sending the copy on a CD or other portable media, it’s wise to make sure the media is password protected and the password is sent “out of band” or in a separate mailing.
This would also be true if you are sending a link that requires a unique password to access the record versus making the DRS copy available in a patient portal. Appropriate practice would be to send the link in one email and the password in another.
The three biggest mistakes made when sending an individual a copy of a DRS are not encrypting the data, including the password and the link or media in the same mailing or email, and not validating the mailing or email address before sending. All three mistakes could lead to a breach of unsecure PHI.
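As an added illustration (not part of the original column) of the three mistakes just listed, the following Python sketch models the release step for an electronic DRS copy: it validates the requested address against the contact on file, refuses a payload that does not appear to be encrypted, and builds the link and the password as two separate messages. The contact directory, sender address, function names, and the printable-ratio heuristic used to spot an unencrypted file are all hypothetical stand-ins for whatever the records system actually provides.

```python
"""Release workflow for an electronic copy of a designated record set (DRS).

Added example modelling the controls described in the answer: validate the
destination against the contact on file, send the link and the password in
separate messages, and refuse to ship a payload that is not encrypted.
All names, addresses and the contact directory are hypothetical.
"""
from dataclasses import dataclass
from email.message import EmailMessage
import secrets
import string


@dataclass
class Contact:
    patient_id: str
    email: str  # address confirmed with the patient before release


@dataclass
class Release:
    link_message: EmailMessage      # carries only the download link
    password_message: EmailMessage  # carries only the password
    password: str


# Constructed contact directory standing in for the system of record.
DIRECTORY = {
    "P-1001": Contact("P-1001", "Pat.Example@example.org"),
}

SENDER = "records@hospital.example"  # hypothetical sending mailbox


def normalize_email(addr: str) -> str:
    return addr.strip().lower()


def validate_destination(patient_id: str, requested_email: str) -> Contact:
    """Mistake #3: sending to an address nobody checked against the file."""
    contact = DIRECTORY.get(patient_id)
    if contact is None:
        raise ValueError("unknown patient id")
    if normalize_email(requested_email) != normalize_email(contact.email):
        raise ValueError("requested address does not match the address on file")
    return contact


def looks_encrypted(blob: bytes) -> bool:
    """Mistake #1: heuristic guard against shipping plaintext. A file that is
    still mostly printable ASCII is assumed not to have been encrypted."""
    if not blob:
        return False
    printable = sum(b in string.printable.encode() for b in blob)
    return printable / len(blob) < 0.9


def new_password(length: int = 16) -> str:
    return secrets.token_urlsafe(length)


def prepare_release(patient_id: str, requested_email: str,
                    payload: bytes, download_link: str) -> Release:
    """Build the two separate outbound messages for an electronic DRS copy."""
    contact = validate_destination(patient_id, requested_email)
    if not looks_encrypted(payload):
        raise ValueError("refusing to release an unencrypted DRS copy")
    password = new_password()

    link_msg = EmailMessage()
    link_msg["From"] = SENDER
    link_msg["To"] = contact.email
    link_msg["Subject"] = "Your requested records are ready"
    link_msg.set_content(
        f"Download your records here: {download_link}\n"
        "The password arrives in a separate message.\n")

    pw_msg = EmailMessage()
    pw_msg["From"] = SENDER
    pw_msg["To"] = contact.email
    pw_msg["Subject"] = "Password for your records download"
    pw_msg.set_content(f"Your password is: {password}\n")

    # Mistake #2: link and password must never share a message.
    assert password not in link_msg.get_content()
    assert download_link not in pw_msg.get_content()
    return Release(link_msg, pw_msg, password)
```

The same pattern applies when the copy goes out on a CD or USB drive: the media goes in one mailing and the password letter in another, both addressed to the postal address on file rather than to whatever address arrived with the request.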
Editor’s note: Chris Apgar, CISSP, is president of Apgar & Associates LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.