What is the HIPAA Right of Access?
The HIPAA Privacy Rule generally provides individuals with a legal, enforceable right to see and receive, upon request, copies of the information in their medical and other health records maintained by their healthcare providers and health plans. This right is known as the HIPAA “right of access.”
What Records are Patients Entitled to Access?
The HIPAA Privacy Rule generally requires HIPAA-covered entities (health plans and most health care providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity.
What is a Designated Record Set?
A designated record set is a group of records maintained by or for a covered entity that comprises the:
Medical records and billing records about individuals maintained by or for a covered healthcare provider;
Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. NOTE: These records include records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.
What is the Scope of the Right of Access?
The right of access includes a patient’s right to inspect and/or obtain a copy. An individual may also require that the covered entity transmit a copy of the records to which access is sought, to a designated person or entity of the person’s choice.
Individuals have a right of access to their PHI contained in designated record sets for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of:
The date the information was created;
Whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or
Where the PHI originated (e.g. whether with the covered entity, another provider, etc.)
What are Examples of Health Information Individuals Can Access?
A variety of information maintained by or for a covered entity that contains PHI can be accessed upon request. Examples of this information include:
Medical records
Billing and payment records
Insurance information
Clinical laboratory test results
Medical images (such as X-rays)
Wellness and disease management program files
Clinical case notes
What Information Is Excluded from the Right of Access?
Two categories of information are expressly excluded from the right of access:
Psychotherapy notes: Psychotherapy notes are the personal notes of a mental healthcare provider documenting or analyzing the contents of a counseling session. These notes are maintained separately from the rest of the patient’s medical record. A provider is not required to provide these notes to patients who request them.
Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
Do Individuals Have the Right to Challenge the Denial of a Request for Access?
Under certain limited circumstances, a covered entity may, under the HIPAA right of access rule, deny an individual’s request for access to all or a portion of the PHI requested.
In some of these circumstances, an individual has a right to have the denial reviewed by a licensed healthcare professional designated by the covered entity who did not participate in the original decision to deny. In other circumstances, however, the denial is not reviewable.
When Can an Individual Have a Denial Reviewed?
If a denial is made on one or more of these grounds, the individual can have the denial reviewed:
The access requested is reasonably likely to endanger the life or physical safety of the individual or another person. NOTE: This ground for denial does not extend to concerns about psychological or emotional harm (e.g., concerns that the individual will not be able to understand the information or may be upset by it).
The access requested is reasonably likely to cause substantial harm to a person (other than a healthcare provider) referenced in the PHI.
The provision of access to a personal representative of the individual that requests such access is reasonably likely to cause substantial harm to the individual or another person.
If the denial is made on one or more of these grounds, the individual has the right to have the denial reviewed by a licensed healthcare professional who is designated by the covered entity to act as a reviewing official and who did not participate in the original decision to deny. The covered entity must provide or deny access in accordance with the determination of the reviewing official.
When Are the Grounds for Denial Unreviewable?
A covered entity may deny an individual access without providing the individual an opportunity for review, in the following circumstances:
The PHI is contained in psychotherapy notes.
The PHI is part of information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
The request for access is made by an inmate of a correctional institution and the correctional institution has determined that allowing access would jeopardize the health, safety, security, custody, or rehabilitation of the inmate or other inmates, or the safety of correctional officers, employees, or other persons at the institution, or responsible for the transporting of the inmate.
The requested PHI is in a designated record set that is part of a research study that includes treatment (e.g., clinical trial) and is still in progress. NOTEL For access to be denied, the individual must have agreed to the temporary suspension of access when consenting to participate in the research. The individual’s right of access is reinstated upon completion of the research.
The requested PHI is in federal Privacy Act-protected-records (i.e., certain records under the control of a federal agency, which may be maintained by a federal agency or a contractor to a federal agency), and denial of access is consistent with the requirements of the Act.
The requested PHI was obtained by someone other than a healthcare provider (e.g., a family member of the individual) under a promise of confidentiality, and providing access to the information would be reasonably likely to reveal the source of the information.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article