HHS provides Info on Patient’s HIPAA Right to Access their Health Information
Written by Editor   
Saturday, March 26, 2016 12:00 AM

Providing individuals with easy access to their health information empowers them to be more in control of decisions regarding their health and well-being. Putting individuals “in the driver’s seat” with respect to their health also is a key component of health reform and the movement to a more patient-centered health care system.  The HIPAA Privacy Rule provides individuals with a legal, enforceable right to see and receive copies upon request of the information in their medical and other health records maintained by their health care providers and health plans. 

The Privacy Rule generally requires HIPAA covered entities to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity.  This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice.  Individuals have a right to access this PHI for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated. 

Individuals have a right to access PHI in a “designated record set.”  A “designated record set” is defined at 45 CFR 164.501 as a group of records maintained by or for a covered entity that comprises the:

  • Medical records and billing records about individuals maintained by or for a covered health care provider;
  • Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
  • Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals.  This last category includes records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access. 

The term “record” means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity.

Thus, individuals have a right to a broad array of health information about themselves maintained by or for covered entities, including: medical records; billing and payment records; insurance information; clinical laboratory test results; medical images, such as X-rays; wellness and disease management program files; and clinical case notes; among other information used to make decisions about individuals.  In responding to a request for access, a covered entity is not, however, required to create new information, such as explanatory materials or analyses, that does not already exist in the designated record set.

An individual’s personal representative (generally, a person with authority under State law to make health care decisions for the individual) also has the right to access PHI about the individual in a designated record set (as well as to direct the covered entity to transmit a copy of the PHI to a designated person or entity of the individual’s choice), upon request, consistent with the scope of such representation.  A covered entity may require individuals to request access in writing, provided the covered entity informs individuals of this requirement. 

The Privacy Rule requires a covered entity to take reasonable steps to verify the identity of an individual making a request for access.   The Rule does not mandate any particular form of verification (such as obtaining a copy of a driver’s license), but rather generally leaves the type and manner of the verification to the discretion and professional judgment of the covered entity, provided the verification processes and measures do not create barriers to or unreasonably delay the individual from obtaining access to her PHI.  Verification may be done orally or in writing and, in many cases, the type of verification may depend on how the individual is requesting and/or receiving access.

While the Privacy Rule allows covered entities to require that individuals request access in writing and requires verification of the identity of the person requesting access, a covered entity may not impose unreasonable measures on an individual requesting access that serve as barriers to or unreasonably delay the individual from obtaining access. 

The Privacy Rule requires a covered entity to provide the individual with access to the PHI in the form and format requested, if readily producible in that form and format, or if not, in a readable hard copy form or other form and format as agreed to by the covered entity and individual.  The covered entity also may provide the individual with a summary of the PHI requested, in lieu of providing access to the PHI, or may provide an explanation of the PHI to which access has been provided in addition to that PHI, so long as the individual in advance: (1) chooses to receive the summary or explanation (including in the electronic or paper form being offered by the covered entity); and (2) agrees to any fees (as explained below in the Section describing permissible Fees for Copies) that may be charged by the covered entity for the summary or explanation.  

A covered entity also must provide access in the manner requested by the individual, which includes arranging with the individual for a convenient time and place to pick up a copy of the PHI or to inspect the PHI, or to have a copy of the PHI mailed or e-mailed, or otherwise transferred or transmitted to the individual to the extent the copy would be readily producible in such a manner.  Whether a particular mode of transmission or transfer is readily producible will be based on the capabilities of the covered entity and the level of security risk that the mode of transmission or transfer may introduce to the PHI on the covered entity’s systems.  A covered entity is not expected to tolerate unacceptable levels of risk to the security of the PHI on its systems in responding to requests for access; whether the individual’s requested mode of transfer or transmission presents such an unacceptable level of risk will depend on the covered entity’s Security Rule risk analysis. However, mail and e-mail are generally considered readily producible by all covered entities.  It is expected that all covered entities have the capability to transmit PHI by mail or e-mail (except in the limited case where e-mail cannot accommodate the file size of requested images), and transmitting PHI in such a manner does not present unacceptable security risks to the systems of covered entities, even though there may be security risks to the PHI while in transit (such as where an individual has requested to receive her PHI by, and accepted the risks associated with, unencrypted e-mail).  

In providing access to the individual, a covered entity must provide access to the PHI requested, in whole, or in part, no later than 30 calendar days from receiving the individual’s request. The 30 calendar days is an outer limit and covered entities are encouraged to respond as soon as possible.  Indeed, a covered entity may have the capacity to provide individuals with almost instantaneous or very prompt electronic access to the PHI requested through personal health records, web portals, or similar electronic means. If a covered entity is unable to provide access within 30 calendar days the covered entity may extend the time by no more than an additional 30 days.  To extend the time, the covered entity must, within the initial 30 days, inform the individual in writing of the reasons for the delay and the date by which the covered entity will provide access.  Only one extension is permitted per access request.

The Privacy Rule permits a covered entity to impose a reasonable, cost-based fee if the individual requests a copy of the PHI (or agrees to receive a summary or explanation of the information).  The fee may include only the cost of: (1) labor for copying the PHI requested by the individual, whether in paper or electronic form; (2) supplies for creating the paper copy or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media; (3) postage, when the individual requests that the copy, or the summary or explanation, be mailed; and (4) preparation of an explanation or summary of the PHI, if agreed to by the individual. The fee may not include costs associated with verification; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; or other costs not listed above even if such costs are authorized by State law.

Under certain limited circumstances, a covered entity may deny an individual’s request for access to all or a portion of the PHI requested.  Most of these may not be germane to the DC.  Review the source article for specific examples.

An individual also has a right to direct the covered entity to transmit the PHI about the individual directly to another person or entity designated by the individual.  The individual’s request to direct the PHI to another person must be in writing, signed by the individual, and clearly identify the designated person and where to send the PHI.  A covered entity may accept an electronic copy of a signed request (e.g., PDF), as well as an electronically executed request (e.g., via a secure web portal) that includes an electronic signature.  

State laws that provide individuals with greater rights of access to their PHI than the Privacy Rule, or that are not contrary to the Privacy Rule, are not preempted by HIPAA and thus still apply.  

Source:  http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html