The Department of Health and Human Services (HHS) has issued guidance regarding an Individual’s Right under HIPAA to Access their Health Information.
The link should be bookmarked by all organizations as a reference for future guidance, questions and answers:
Here is the introduction text from the guidance:
Providing individuals with easy access to their health information empowers them to be more in control of decisions regarding their health and well-being. For example, individuals with access to their health information are better able to monitor chronic conditions, adhere to treatment plans, find and fix errors in their health records, track progress in wellness or disease management programs, and directly contribute their information to research. With the increasing use of and continued advances in health information technology, individuals have ever expanding and innovative opportunities to access their health information electronically, more quickly and easily, in real time and on demand. Putting individuals “in the driver’s seat” with respect to their health also is a key component of health reform and the movement to a more patient-centered health care system.
The guidance is pretty thorough and long and should be read in detail. Here are some highlights:
Individuals have a right to access this PHI for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated (e.g., whether the covered entity, another provider, the patient, etc.).
Information Included in the Right of Access: The “Designated Record Set”
Individuals have a right to access PHI in a “designated record set.” A “designated record set” is defined at 45 CFR 164.501 as a group of records maintained by or for a covered entity that comprises the:
- Medical records and billing records about individuals maintained by or for a covered health care provider;
- Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
- Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. This last category includes records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.
Information Excluded from the Right of Access
An individual does not have a right to access PHI that is not part of a designated record set because the information is not used to make decisions about individuals. This may include certain quality assessment or improvement records, patient safety activity records, or business planning, development, and management records that are used for business decisions more generally rather than to make decisions about individuals.
In addition, two categories of information are expressly excluded from the right of access:
- Psychotherapy notes, which are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session, that are maintained separate from the rest of the patient’s medical record. See 45 CFR 164.524(a)(1)(i) and 164.501.
- Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. See 45 CFR 164.524(a)(1)(ii).
An individual’s personal representative (generally, a person with authority under State law to make health care decisions for the individual) also has the right to access PHI about the individual in a designated record set (as well as to direct the covered entity to transmit a copy of the PHI to a designated person or entity of the individual’s choice), upon request, consistent with the scope of such representation and the requirements discussed below.
Requests for Access
Requiring a Written Request
A covered entity may require individuals to request access in writing, provided the covered entity informs individuals of this requirement. See 45 CFR 164.524(b)(1). Covered entities also may offer individuals the option of using electronic means (e.g., e-mail, secure web portal) to make requests for access. In addition, a covered entity may require individuals to use the entity’s own supplied form, provided use of the form does not create a barrier to or unreasonably delay the individual from obtaining access to his PHI, as described below.
The Privacy Rule requires a covered entity to take reasonable steps to verify the identity of an individual making a request for access. See 45 CFR 164.514(h). The Rule does not mandate any particular form of verification (such as obtaining a copy of a driver’s license), but rather generally leaves the type and manner of the verification to the discretion and professional judgment of the covered entity, provided the verification processes and measures do not create barriers to or unreasonably delay the individual from obtaining access to her PHI
While the Privacy Rule allows covered entities to require that individuals request access in writing and requires verification of the identity of the person requesting access, a covered entity may not impose unreasonable measures on an individual requesting access that serve as barriers to or unreasonably delay the individual from obtaining access.
Form and Format and Manner of Access
The Privacy Rule requires a covered entity to provide the individual with access to the PHI in the form and format requested, if readily producible in that form and format, or if not, in a readable hard copy form or other form and format as agreed to by the covered entity and individual.
- Requests for Paper Copies – Where an individual requests a paper copy of PHI maintained by the covered entity either electronically or on paper, it is expected that the covered entity will be able to provide the individual with the paper copy requested.
- Requests for Electronic Copies –
Where an individual requests an electronic copy of PHI that a covered entity maintains only on paper, the covered entity is required to provide the individual with an electronic copy if it is readily producible electronically (e.g., the covered entity can readily scan the paper record into an electronic format) and in the electronic format requested if readily producible in that format, or if not, in a readable alternative electronic format or hard copy format as agreed to by the covered entity and the individual.
- Where an individual requests an electronic copy of PHI that a covered entity maintains electronically, the covered entity must provide the individual with access to the information in the requested electronic form and format, if it is readily producible in that form and format.
Timeliness in Providing Access
In providing access to the individual, a covered entity must provide access to the PHI requested, in whole, or in part (if certain access may be denied as explained below), no later than 30 calendar days from receiving the individual’s request.
Fees for Copies
The Privacy Rule permits a covered entity to impose a reasonable, cost-based fee if the individual requests a copy of the PHI (or agrees to receive a summary or explanation of the information). The fee may include only the cost of: (1) labor for copying the PHI requested by the individual, whether in paper or electronic form; (2) supplies for creating the paper copy or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media; (3) postage, when the individual requests that the copy, or the summary or explanation, be mailed; and (4) preparation of an explanation or summary of the PHI, if agreed to by the individual.
Denial of Access
Grounds for Denial
Under certain limited circumstances, a covered entity may deny an individual’s request for access to all or a portion of the PHI requested. In some of these circumstances, an individual has a right to have the denial reviewed by a licensed health care professional designated by the covered entity who did not participate in the original decision to deny.
Note: there are Unreviewable and Reviewable grounds for denial. Examples of both are given in the guidance. The process for denying a request is detailed as well.
Individual’s Right to Direct the PHI to Another Person
An individual also has a right to direct the covered entity to transmit the PHI about the individual directly to another person or entity designated by the individual. The individual’s request to direct the PHI to another person must be in writing, signed by the individual, and clearly identify the designated person and where to send the PHI. A covered entity may accept an electronic copy of a signed request (e.g., PDF), as well as an electronically executed request (e.g., via a secure web portal) that includes an electronic signature.
State laws that provide individuals with greater rights of access to their PHI than the Privacy Rule, or that are not contrary to the Privacy Rule, are not preempted by HIPAA and thus still apply. For example, a covered entity subject to a State law that requires that access to PHI be provided to an individual in a shorter time frame than that required in the Privacy Rule must provide such access within the shorter time frame because the State law is not contrary to the Privacy Rule.
The guidance provides frequently asked questions and answers. The questions provide more insight into the regulations. There are around 15 questions / answers and examples include:
- Under what circumstances may a covered entity deny an individual’s request for access to the individual’s PHI?
- How timely must a covered entity be in responding to individuals’ requests for access to their PHI?
- Under the HIPAA Privacy Rule, do individuals have the right to an electronic copy of their PHI?
HHS has provided much needed insight into an individual’s right to access their own information. We are asked these questions all the time and this topic causes confusion in many healthcare organizations.