Individual Access Services. (a) Bidirectional Access to Health Information. An Individual User or an Individual User’s Personal Representative shall have the right to inspect, obtain a copy of, and have bidirectional electronic access to, PHI or PII about the Individual User as set forth in the Policies and Procedures and to the extent consistent with Applicable Law.
Individual Access Services. ASTHO appreciates the goal of ensuring patients have access to their own data. That said public health has not been provided with adequate resources to ensure it could respond through a QHIN to an National Headquarters 0000 Xxxxxxx Xxxxx, Xxxxx 000 Arlington, VA 22202 (000) 000-0000 Regional Office 000 Xxxxxxxxx Xxxxxx XX, Xxxxx 0000 Atlanta, GA 30308 (000) 000-0000 xxx.xxxxx.xxx @ASTHO individual’s access service request (provide an automated response to a smart phone application). Public health agencies are not covered entities or business associates under HIPAA and should not be treated as such. Some public health laws and rules do not allow individuals to access their own data or restrict how access is obtained (Example: a state rule requires the patient to come in person with photo ID for identity proofing). Furthermore, there may be other constraints, such as whether a non-custodial parent is authorized to access a minor’s health data, or an individual is under a conservatorship, that requires additional effort in ensuring the requester is properly authorized to receive data. We encourage ONC to consider providing public health agencies a specific exemption from this requirement as HIPAA does. A suggestion is to update language to extend the exemption provided to federal agencies to also include S/THAs and that these agencies be able to respond to individual requests only when laws allow and via methods, they have resources for. While this section says that applicable laws can allow disclosure of information despite someone exercising the right to not disclose, we would like to see clarity for public health reporting. If there was any lack of clarity this would be detrimental to public health agencies’ core mandates to prevent and control diseases and would put the population of every state at risk. Public health agencies have mandated core responsibilities and specific provisions under HIPAA as a “health oversight agency”, which allows them to collect data without patient consent or authorization. This must be echoed and supported in TEFCA more clearly. While TEFCA says that applicable laws can allow disclosure of information despite someone exercising a “Meaningful Choice” decision to not disclose, more specific language should be added to indicate that QHINs, participants, and participant members need to consider state laws from the beginning as “Meaningful Choice” implementation approaches are advanced. Additionally, if a QHIN or other participan...
Individual Access Services
