Introduction
Providing individuals easy access to their health information allows them greater control over their health decisions. With access, they can better manage chronic conditions, adhere to treatments, identify errors in records, track wellness progress, and contribute data for research. Advances in health information technology now make it possible to access health information electronically, quickly, and in real-time, supporting a more patient-centered approach to healthcare.
The HIPAA Privacy Rule upholds this access by granting individuals the right to view and receive copies of their health records, with limited exceptions. This rule reinforces privacy and security while empowering individuals to engage actively in their healthcare.
General Right
The HIPAA Privacy Rule mandates that covered entities, like health plans and most healthcare providers, provide individuals with access to their protected health information (PHI) in their “designated record sets” upon request. This access includes the right to inspect, obtain a copy, or have a copy sent to a chosen person or entity. Individuals retain this right for as long as the PHI is maintained by the covered entity or its business associates, regardless of when it was created, the format (paper or electronic), or its location.
Information Included in the Right of Access: The "Designated Record Set"
The "designated record set" consists of medical and billing records from healthcare providers, health plan records related to enrollment, claims, and case management, and any other records used to make decisions about individuals. Examples include medical records, payment records, insurance data, lab results, medical images, and clinical notes. However, covered entities are not required to create new information, such as explanations or analyses, in response to access requests.
Information Excluded from the Right of Access
Individuals do not have a right to access PHI that is outside the "designated record set" if it is not used for decisions about them. Excluded information includes records focused on quality assessment, business planning, or provider performance that are for general business use, like peer review files or quality control records.
Additionally, HIPAA explicitly excludes two categories from individual access rights:
- Psychotherapy notes, which are personal notes of a mental health provider kept separately from other records.
- Information for legal proceedings, gathered for civil, criminal, or administrative actions.
However, the underlying PHI from medical or payment records that informed these excluded records remains accessible to the individual.
Personal Representatives
An individual’s personal representative, who has legal authority to make healthcare decisions on their behalf, also has the right to access the individual's PHI within a designated record set. This includes the right to request a copy or direct its transmission to a specified person or entity, as allowed by the scope of their authority under State law.
Requests for Access
Requiring a Written Request
A covered entity can require individuals to submit access requests in writing if they inform them of this requirement. They may also offer electronic options, like email or secure portals, for submitting requests. Additionally, the entity can require individuals to use its specific form as long as doing so does not create barriers or cause unreasonable delays in accessing their PHI.
Verification
The Privacy Rule requires covered entities to verify the identity of individuals requesting access to their PHI, allowing flexibility in how they do so. No specific verification method is mandated, but the process should not create barriers or cause delays. Verification can be done orally or in writing, depending on the method of access (in-person, phone, fax, email, secure portal, etc.). For web portals, existing HIPAA Security Rule authentication controls are required to confirm that only the individual or their personal representative can access the information.
Unreasonable Measures
The Privacy Rule allows covered entities to require written requests and identity verification for access to PHI, but they cannot impose unreasonable measures that act as barriers or cause delays. For instance, a doctor cannot require an individual to appear in person to request or verify identity, to use a web portal, or to send requests by mail if these methods are burdensome. While these methods can be offered as options, covered entities are encouraged to provide multiple ways for individuals to request access.
Providing Access
Form and Format and Manner of Access
The Privacy Rule requires covered entities to provide PHI in the requested form and format, if readily producible. For electronic PHI, entities must provide it in the specified electronic format, or if unavailable, in an agreed-upon alternative format. For paper copies, entities must provide paper versions when requested, including scanning records to create electronic copies if possible.
Entities must accommodate requests to access PHI by mail, email, or other secure transfer methods, based on entity capabilities and security considerations. For example, email and mail are expected to be readily producible without excessive security risk, although unencrypted email may carry transit risks. Entities cannot require individuals to pick up PHI in person if they request mail or email. Additionally, upon an individual’s request and agreement to fees, entities may provide a summary or explanation of PHI instead of the original records.
Timeliness in Providing Access
Covered entities must provide access to requested PHI within 30 calendar days of receiving an access request, though they are encouraged to respond sooner if possible. Entities with electronic systems may offer near-instantaneous access through web portals or personal health records, and individuals may expect quicker responses from entities using health technology daily. If access cannot be provided within the 30-day limit (e.g., due to offsite archives), a one-time 30-day extension is allowed, with written notice to the individual explaining the delay and providing an expected access date.
Fees for Copies
The Privacy Rule allows covered entities to charge a reasonable, cost-based fee for providing copies of PHI or summaries/explanations upon request. This fee may include:
- Labor costs for copying the requested PHI (in paper or electronic form).
- Supplies for creating paper copies or electronic media (e.g., CDs or USB drives).
- Postage for mailing copies or summaries.
- Preparation costs for an explanation or summary, if agreed to by the individual.
However, the fee cannot cover costs related to verification, documentation, searching for or retrieving PHI, maintaining systems, or any other expenses not specifically listed, even if permitted by State law.
Denial of Access
Grounds for Denial
Under certain circumstances, a covered entity may deny an individual's request for access to some or all of their PHI. These denial grounds are categorized into unreviewable and reviewable.
Unreviewable Grounds for Denial:
- Psychotherapy Notes and Legal Proceedings Information: Requests for psychotherapy notes or for information compiled for legal proceedings.
- Inmate Requests: Denial of requests from inmates if providing access could jeopardize safety or security.
- Research Studies: PHI involved in ongoing research where access was temporarily suspended with individual consent.
- Privacy Act Protected Records: Requests for records controlled by federal agencies, consistent with the Privacy Act.
- Confidentiality Promises: PHI obtained under a promise of confidentiality, where access could reveal the source of information.
Reviewable Grounds for Denial:
A licensed health care professional may review denials based on:
- Physical Safety Risks: If access may endanger the life or physical safety of the individual or others (not applicable to psychological harm).
- Substantial Harm: If access could cause substantial harm to another person referenced in the PHI.
- Personal Representative Access: If access by a personal representative may cause substantial harm to the individual or another person.
Covered entities cannot require individuals to provide reasons for access requests, and cannot deny access solely based on the rationale offered by the individual. Additionally, access to PHI maintained by a business associate of the covered entity cannot be denied on the basis that the business associate, rather than the covered entity, holds the information.
Carrying Out the Denial
If a covered entity denies access to an individual's requested PHI, it must provide a written denial within 30 calendar days (or within 60 calendar days if the individual was notified of the one-time 30-day extension). The denial must be written in plain language, outlining the reasons for the denial, the individual's right to request a review of the decision, and how to file a complaint with the covered entity or the HHS Office for Civil Rights.
If the covered entity or its business associates do not hold the requested PHI but know where it is maintained, they must inform the individual where to direct their request. Additionally, the covered entity is required to provide access to any other PHI that does not fall under the grounds for denial, regardless of any complexity in segregating that information from the denied portion.
Review of Denial
If an individual requests a review of a denial based on a reviewable ground, the covered entity must promptly forward the request to a designated reviewing official. This official will then determine within a reasonable timeframe whether to uphold or overturn the denial. The covered entity must provide written notice to the individual of the reviewing official's decision and take any necessary actions to implement that determination.