|

HIPAA Right of Access

The HIPAA Privacy Rule created rights for individuals when it comes to their protected health information held by an organization. Due to the complex and sometimes vague language used in the Rule, misunderstandings of the rights we have under HIPAA can occur. In this article we will discuss the Right of Access. The Right of Access means an individual has the right to access their health information held by a covered entity. It is not related to texting. HHS provides the following guidance regarding the Right of Access. This article concludes with an update of the OCR’s Right of Access initiative.

Introduction

Providing individuals with easy access to their health information empowers them to be more in control of decisions regarding their health and well-being.  For example, individuals with access to their health information are better able to monitor chronic conditions, adhere to treatment plans, find and fix errors in their health records, track progress in wellness or disease management programs, and directly contribute their information to research. With the increasing use of and continued advances in health information technology, individuals have ever expanding and innovative opportunities to access their health information electronically, more quickly and easily, in real time and on demand. Putting individuals “in the driver’s seat” with respect to their health also is a key component of health reform and the movement to a more patient-centered health care system.

The regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which protect the privacy and security of individuals’ identifiable health information and establish an array of individual rights with respect to health information, have always recognized the importance of providing individuals with the ability to access and obtain a copy of their health information.  With limited exceptions, the HIPAA Privacy Rule (the Privacy Rule) provides individuals with a legal, enforceable right to see and receive copies upon request of the information in their medical and other health records maintained by their health care providers and health plans.

General Right

The Privacy Rule generally requires HIPAA covered entities (health plans and most health care providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice. Individuals have a right to access this PHI for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated (e.g., whether the covered entity, another provider, the patient, etc.).

Information Included in the Right of Access: The “Designated Record Set”

Individuals have a right to access PHI in a “designated record set.” A “designated record set” is defined at 45 CFR 164.501 as a group of records maintained by or for a covered entity that comprises the:

  • Medical records and billing records about individuals maintained by or for a covered health care provider;
  • Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
  • Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. This last category includes records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.

The term “record” means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity.

Thus, individuals have a right to a broad array of health information about themselves maintained by or for covered entities, including: medical records; billing and payment records; insurance information; clinical laboratory test results; medical images, such as X-rays; wellness and disease management program files; and clinical case notes; among other information used to make decisions about individuals. In responding to a request for access, a covered entity is not, however, required to create new information, such as explanatory materials or analyses, that does not already exist in the designated record set.

Information Excluded from the Right of Access

An individual does not have a right to access PHI that is not part of a designated record set because the information is not used to make decisions about individuals. This may include certain quality assessment or improvement records, patient safety activity records, or business planning, development, and management records that are used for business decisions more generally rather than to make decisions about individuals. For example, a hospital’s peer review files or practitioner or provider performance evaluations, or a health plan’s quality control records that are used to improve customer service or formulary development records, may be generated from and include an individual’s PHI but might not be in the covered entity’s designated record set and subject to access by the individual.

In addition, two categories of information are expressly excluded from the right of access:

  • Psychotherapy notes, which are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session, that are maintained separate from the rest of the patient’s medical record. See 45 CFR 164.524(a)(1)(i) and 164.501.
  • Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. See 45 CFR 164.524(a)(1)(ii).

However, the underlying PHI from the individual’s medical or payment records or other records used to generate the above types of excluded records or information remains part of the designated record set and subject to access by the individual.

Personal Representatives

An individual’s personal representative (generally, a person with authority under State law to make health care decisions for the individual) also has the right to access PHI about the individual in a designated record set (as well as to direct the covered entity to transmit a copy of the PHI to a designated person or entity of the individual’s choice), upon request, consistent with the scope of such representation and the requirements discussed below. See 45 CFR 164.502(g) and https://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/personalreps.html for more information about the rights that can be exercised by personal representatives.

Requests for Access

Requiring a Written Request

A covered entity may require individuals to request access in writing, provided the covered entity informs individuals of this requirement.  See 45 CFR 164.524(b)(1).    Covered entities also may offer individuals the option of using electronic means (e.g., e-mail, secure web portal) to make requests for access.  In addition, a covered entity may require individuals to use the entity’s own supplied form, provided use of the form does not create a barrier to or unreasonably delay the individual from obtaining access to his PHI, as described below.

Verification

The Privacy Rule requires a covered entity to take reasonable steps to verify the identity of an individual making a request for access.  See 45 CFR 164.514(h).  The Rule does not mandate any particular form of verification (such as obtaining a copy of a driver’s license), but rather generally leaves the type and manner of the verification to the discretion and professional judgment of the covered entity, provided the verification processes and measures do not create barriers to or unreasonably delay the individual from obtaining access to her PHI, as described below. Verification may be done orally or in writing and, in many cases, the type of verification may depend on how the individual is requesting and/or receiving access – whether in person, by phone (if permitted by the covered entity), by faxing or e-mailing the request on the covered entity’s supplied form, by secure web portal, or by other means.  For example, if the covered entity requires that access requests be made on its own supplied form, the form could ask for basic information about the individual that would enable the covered entity to verify that the person requesting access is the subject of the information requested or is the individual’s personal representative. For those covered entities providing individuals with access to their PHI through web portals, those portals should already be set up with appropriate authentication controls, as required by 45 CFR 164.312(d) of the HIPAA Security Rule, to ensure that the person seeking access is the individual or the individual’s personal representative.

Unreasonable Measures

While the Privacy Rule allows covered entities to require that individuals request access in writing and requires verification of the identity of the person requesting access, a covered entity may not impose unreasonable measures on an individual requesting access that serve as barriers to or unreasonably delay the individual from obtaining access. For example, a doctor may not require an individual:

  • Who wants a copy of her medical record mailed to her home address to physically come to the doctor’s office to request access and provide proof of identity in person.
  • To use a web portal for requesting access, as not all individuals will have ready access to the portal.
  • To mail an access request, as this would unreasonably delay the covered entity’s receipt of the request and thus, the individual’s access.;

While a covered entity may not require individuals to request access in these manners, a covered entity may permit an individual to do so, and covered entities are encouraged to offer individuals multiple options for requesting access.

Providing Access

Form and Format and Manner of Access

The Privacy Rule requires a covered entity to provide the individual with access to the PHI in the form and format requested, if readily producible in that form and format, or if not, in a readable hard copy form or other form and format as agreed to by the covered entity and individual.  See 45 CFR 164.524(c)(2)(i). If the individual requests electronic access to PHI that the covered entity maintains electronically, the covered entity must provide the individual with access to the information in the requested electronic form and format, if it is readily producible in that form and format, or if not, in an agreed upon alternative, readable electronic format. See 45 CFR 164.524(c)(2)(ii). The terms “form and format” refer to how the PHI is conveyed to the individual (e.g., on paper or electronically, type of file, etc.) Thus:

  • Requests for Paper Copies – Where an individual requests a paper copy of PHI maintained by the covered entity either electronically or on paper, it is expected that the covered entity will be able to provide the individual with the paper copy requested.
  • Requests for Electronic Copies – Where an individual requests an electronic copy of PHI that a covered entity maintains only on paper, the covered entity is required to provide the individual with an electronic copy if it is readily producible electronically (e.g., the covered entity can readily scan the paper record into an electronic format) and in the electronic format requested if readily producible in that format, or if not, in a readable alternative electronic format or hard copy format as agreed to by the covered entity and the individual.
  • Where an individual requests an electronic copy of PHI that a covered entity maintains electronically, the covered entity must provide the individual with access to the information in the requested electronic form and format, if it is readily producible in that form and format. When the PHI is not readily producible in the electronic form and format requested, then the covered entity must provide access to an agreed upon alternative readable electronic format. See 45 CFR 164.524(c)(2)(ii). This means that, while a covered entity is not required to purchase new software or equipment in order to accommodate every possible individual request, the covered entity must have the capability to provide some form of electronic copy of PHI maintained electronically.; It is only if the individual declines to accept any of the electronic formats readily producible by the covered entity that the covered entity may satisfy the request for access by providing the individual with a readable hard copy of the PHI.

The covered entity also may provide the individual with a summary of the PHI requested, in lieu of providing access to the PHI, or may provide an explanation of the PHI to which access has been provided in addition to that PHI, so long as the individual in advance: (1) chooses to receive the summary or explanation (including in the electronic or paper form being offered by the covered entity); and (2) agrees to any fees (as explained below in the Section describing permissible Fees for Copies) that may be charged by the covered entity for the summary or explanation. See 45 CFR 164.524(c)(2)(iii).

A covered entity also must provide access in the manner requested by the individual, which includes arranging with the individual for a convenient time and place to pick up a copy of the PHI or to inspect the PHI (if that is the manner of access requested by the individual), or to have a copy of the PHI mailed or e-mailed, or otherwise transferred or transmitted to the individual to the extent the copy would be readily producible in such a manner. Whether a particular mode of transmission or transfer is readily producible will be based on the capabilities of the covered entity and the level of security risk that the mode of transmission or transfer may introduce to the PHI on the covered entity’s systems (as opposed to security risks to the PHI once it has left the systems). A covered entity is not expected to tolerate unacceptable levels of risk to the security of the PHI on its systems in responding to requests for access; whether the individual’s requested mode of transfer or transmission presents such an unacceptable level of risk will depend on the covered entity’s Security Rule risk analysis. See 45 CFR 164.524(c)(2) and (3), and 164.308(a)(1). However, mail and e-mail are generally considered readily producible by all covered entities. It is expected that all covered entities have the capability to transmit PHI by mail or e-mail (except in the limited case where e-mail cannot accommodate the file size of requested images), and transmitting PHI in such a manner does not present unacceptable security risks to the systems of covered entities, even though there may be security risks to the PHI while in transit (such as where an individual has requested to receive her PHI by, and accepted the risks associated with, unencrypted e-mail). Thus, a covered entity may not require that an individual travel to the covered entity’s physical location to pick up a copy of her PHI if the individual requests that the copy be mailed or e-mailed.

Timeliness in Providing Access

In providing access to the individual, a covered entity must provide access to the PHI requested, in whole, or in part (if certain access may be denied as explained below), no later than 30 calendar days from receiving the individual’s request. See 45 CFR 164.524(b)(2). The 30 calendar days is an outer limit and covered entities are encouraged to respond as soon as possible. Indeed, a covered entity may have the capacity to provide individuals with almost instantaneous or very prompt electronic access to the PHI requested through personal health records, web portals, or similar electronic means. Further, individuals may reasonably expect a covered entity to be able to respond in a much faster timeframe when the covered entity is using health information technology in its day to day operations.

If a covered entity is unable to provide access within 30 calendar days — for example, where the information is archived offsite and not readily accessible — the covered entity may extend the time by no more than an additional 30 days. To extend the time, the covered entity must, within the initial 30 days, inform the individual in writing of the reasons for the delay and the date by which the covered entity will provide access. Only one extension is permitted per access request.

Fees for Copies

The Privacy Rule permits a covered entity to impose a reasonable, cost-based fee if the individual requests a copy of the PHI (or agrees to receive a summary or explanation of the information).  The fee may include only the cost of: (1) labor for copying the PHI requested by the individual, whether in paper or electronic form; (2) supplies for creating the paper copy or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media; (3) postage, when the individual requests that the copy, or the summary or explanation, be mailed; and (4) preparation of an explanation or summary of the PHI, if agreed to by the individual.  See 45 CFR 164.524(c)(4).  The fee may not include costs associated with verification; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; or other costs not listed above even if such costs are authorized by State law.

Denial of Access

Grounds for Denial

Under certain limited circumstances, a covered entity may deny an individual’s request for access to all or a portion of the PHI requested.  In some of these circumstances, an individual has a right to have the denial reviewed by a licensed health care professional designated by the covered entity who did not participate in the original decision to deny.

Unreviewable grounds for denial (45 CFR 164.524(a)(2)):

  • The request is for psychotherapy notes, or information compiled in reasonable anticipation of, or for use in, a legal proceeding.
  • An inmate requests a copy of her PHI held by a covered entity that is a correctional institution, or health care provider acting under the direction of the institution, and providing the copy would jeopardize the health, safety, security, custody, or rehabilitation of the inmate or other inmates, or the safety of correctional officers, employees, or other person at the institution or responsible for the transporting of the inmate.  However, in these cases, an inmate retains the right to inspect her PHI.
  • The requested PHI is in a designated record set that is part of a research study that includes treatment (e.g., clinical trial) and is still in progress, provided the individual agreed to the temporary suspension of access when consenting to participate in the research.  The individual’s right of access is reinstated upon completion of the research.
  • The requested PHI is in Privacy Act protected records (i.e., certain records under the control of a federal agency, which may be maintained by a federal agency or a contractor to a federal agency), if the denial of access is consistent with the requirements of the Act.
  • The requested PHI was obtained by someone other than a health care provider (e.g., a family member of the individual) under a promise of confidentiality, and providing access to the information would be reasonably likely to reveal the source of the information.

Reviewable grounds for denial (45 CFR 164.524(a)(3)).  A licensed health care professional has determined in the exercise of professional judgment that:

  • The access requested is reasonably likely to endanger the life or physical safety of the individual or another person.  This ground for denial does not extend to concerns about psychological or emotional harm (e.g., concerns that the individual will not be able to understand the information or may be upset by it).
  • The access requested is reasonably likely to cause substantial harm to a person (other than a health care provider) referenced in the PHI.
  • The provision of access to a personal representative of the individual that requests such access is reasonably likely to cause substantial harm to the individual or another person.

Note that a covered entity may not require an individual to provide a reason for requesting access, and the individual’s rationale for requesting access, if voluntarily offered or known by the covered entity or business associate, is not a permitted reason to deny access. In addition, a covered entity may not deny access because a business associate of the covered entity, rather than the covered entity itself, maintains the PHI requested by the individual (e.g., the PHI is maintained by the covered entity’s electronic health record vendor or is maintained by a records storage company offsite).

Carrying Out the Denial

If the covered entity denies access, in whole or in part, to PHI requested by the individual, the covered entity must provide a denial in writing to the individual no later than within 30 calendar days of the request (or no later than within 60 calendar days if the covered entity notified the individual of an extension). See 45 CFR 164.524(b)(2). The denial must be in plain language and describe the basis for denial; if applicable, the individual’s right to have the decision reviewed and how to request such a review; and how the individual may submit a complaint to the covered entity or the HHS Office for Civil Rights. See 45 CFR 164.524(d).

If the covered entity (or one of its business associates) does not maintain the PHI requested, but knows where the information is maintained, the covered entity must inform the individual where to direct the request for access. See 45 CFR 164.524(d)(3).

The covered entity must, to the extent possible and within the above timeframes, provide the individual with access to any other PHI requested, after excluding the PHI to which the entity has a ground to deny access. See 45 CFR 164.524(d)(1). Complexity in segregating the PHI does not excuse the obligation to provide access to the PHI to which the ground for denial does not apply.

Review of Denial

If the denial was based on a reviewable ground for denial and the individual requests review, the covered entity must promptly refer the request to the designated reviewing official.  The reviewing official must determine, within a reasonable period of time, whether to reaffirm or reverse the denial.  The covered entity must then promptly provide written notice to the individual of the determination of the reviewing official, as well as take other action as necessary to carry out the determination.  See 45 CFR 164.524(d)(4).

Individual’s Right to Direct the PHI to Another Person

An individual also has a right to direct the covered entity to transmit the PHI about the individual directly to another person or entity designated by the individual.  The individual’s request to direct the PHI to another person must be in writing, signed by the individual, and clearly identify the designated person and where to send the PHI.  A covered entity may accept an electronic copy of a signed request (e.g., PDF), as well as an electronically executed request (e.g., via a secure web portal) that includes an electronic signature.  The same requirements for providing the PHI to the individual, such as the fee limitations and requirements for providing the PHI in the form and format and manner requested by the individual, apply when an individual directs that the PHI be sent to another person.  See 45 CFR 164.524(c)(3).

State Laws

State laws that provide individuals with greater rights of access to their PHI than the Privacy Rule, or that are not contrary to the Privacy Rule, are not preempted by HIPAA and thus still apply.  For example, a covered entity subject to a State law that requires that access to PHI be provided to an individual in a shorter time frame than that required in the Privacy Rule must provide such access within the shorter time frame because the State law is not contrary to the Privacy Rule.

Unless an exemption exists in the HIPAA Rules, State laws that are contrary to the Privacy Rule access provisions – such as those that prohibit certain laboratories from disclosing test reports directly to an individual – are preempted by HIPAA. See 45 CFR 160.203.  Thus, these State laws do not apply when an individual exercises her HIPAA right of access.  See 45 CFR Part 160, Subpart B.

Right of Access Initiative Update

OCR implemented the Right of Access Initiative as part of the agency’s promise to “vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged.” As of this year, the OCR has settled 43 cases under the Right of Access Initiative. The cases involved covered entities of all sizes, including a large 17-hospital non-profit health system as well as small private dental and psychiatry practices.

Leave a Reply