DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
What is the HIPAA Right of Access?
The HIPAA Privacy Rule generally provides individuals with a legal, enforceable right to see and receive, upon request, copies of the information in their medical and other health records maintained by their healthcare providers and health plans. This right is known as the HIPAA “right of access.”
What Records are Patients Entitled to Access?
The HIPAA Privacy Rule generally requires HIPAA-covered entities (health plans and most health care providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity.
What is a Designated Record Set?
A designated record set is a group of records maintained by or for a covered entity that comprises the:
Medical records and billing records about individuals maintained by or for a covered healthcare provider;
Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. NOTE: These records include records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.
What is the Scope of the Right of Access?
The right of access includes a patient’s right to inspect and/or obtain a copy. An individual may also require that the covered entity transmit a copy of the records to which access is sought, to a designated person or entity of the person’s choice.
Individuals have a right of access to their PHI contained in designated record sets for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of:
The date the information was created;
Whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or
Where the PHI originated (e.g., whether with the covered entity, another provider, etc.)
What are Examples of Health Information Individuals Can Access?
A variety of information maintained by or for a covered entity that contains PHI can be accessed upon request. Examples of this information include:
Medical records
Billing and payment records
Insurance information
Clinical laboratory test results
Medical images (such as X-rays)
Wellness and disease management program files
Clinical case notes
What Information Is Excluded from the Right of Access?
Two categories of information are expressly excluded from the right of access:
Psychotherapy notes: Psychotherapy notes are the personal notes of a mental healthcare provider documenting or analyzing the contents of a counseling session. These notes are maintained separately from the rest of the patient’s medical record. A provider is not required to provide these notes to patients who request them.
Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
Can an Individual's Personal Representative Exercise the Right of Access?
Generally, an individual's personal representative (generally, a person with authority under State law to make health care decisions for the individual) also has the right to access PHI about the individual in a designated record set (as well as to direct the covered entity to transmit a copy of the PHI to a designated person or entity of the individual's choice), upon request.
How May an Individual Exercise the Right of Access? Writing, Verification, and Reasonable Measures
A covered entity may require individuals to request access in writing, provided the covered entity informs individuals of this requirement before the request is made. A covered entity may also permit an individual to make an electronic request, including by email or through a secure web portal. A covered entity may require individuals to make the request using the covered entity's own request form, provided that the use of the form does not create a barrier to or unreasonably delay the individual from obtaining access to his or her PHI.
Before a covered entity provides the requested access, the covered entity must, per the Privacy Rule, take reasonable steps to verify the identity of the person making the request for access. The Privacy Rule does not require any one specific form of verification (e.g., a driver license). Instead, the Rule leaves the type and manner of the verification to the covered entity's discretion and professional judgment. There is a limit to this discretion, however: the verification processes and measures that the covered entity uses, may not create barriers to or unreasonably delay the individual from obtaining access to his or her PHI.
A covered entity may choose to verify orally or in writing. Frequently, the type of verification depends upon how an individual requests and/or receives access. A person may request access in person, by phone (if permitted to do so by the covered entity), by fax, or email on the covered entity's supplied form, by secure web portal, or other means. The verification measures the covered entity can take must be reasonable under the circumstances. For example, if a covered entity requires that an individual request access on the covered entity's own form, the form can ask for basic information about the entity that would allow the covered entity to verify that the requestor is indeed the subject of the PHI or that person's personal representative. If a covered entity permits web portal request, the portal should be configured in advance with appropriate authentication controls. Authentication controls are measures designed to ensure that the person seeking access is in fact the person he or she claims to be (or that person's personal representative).
Some request and verification measures are unreasonable, and therefore are not permitted. For example, a doctor may not require an individual who wants a copy of her medical record mailed to her home address, to physically appear at the doctor's office to request access and provide proof of identity in person. A covered entity who receives a request in person, may not tell the requesting individual that he or she must mail the request. Requiring mail as opposed to simply providing access in person can unreasonably delay the covered entity's receipt of the request - and the individual's access as a result.
How Must a Covered Entity Provide Access?
The Privacy Rule requires a covered entity to provide an individual with access to their requested PHI in the form and the format the individual requested it in, if the PHI is readily producible in that form and format. If the PHI is not readily producible in that form and format, the covered entity must provide access in a readable hard copy form or other format, as agreed to by the covered entity and the individual.
If the individual requests electronic access to PHI that the covered entity maintains electronically, the covered entity must provide the individual with access to the information in the requested electronic form and format, if it is readily producible in that form and format, or if not, in an agreed upon alternative, readable electronic format. The terms "form and format" refer to how the PHI is conveyed to the individual (e.g., on paper or electronically, type of file, etc.) The various form and format requests along with how the covered entity is expected to respond to them are listed below:
Requests for Paper Copies – Where an individual requests a paper copy of PHI maintained by the covered entity either electronically or on paper, the Department of Health and Human Services expects that the covered entity will be able to provide the individual with the paper copy requested.
Requests for Electronic Copies Maintained on Paper – Where an individual requests an electronic copy of PHI that a covered entity maintains only on paper, the covered entity is required to provide the individual with an electronic copy if it is readily producible electronically (e.g., the covered entity can readily scan the paper record into an electronic format) and in the electronic format requested if readily producible in that format. If the covered entity cannot produce the PHI in the requested electronic format, the covered entity must provide the PHI in a readable alternative electronic format or hard copy format as agreed to by the covered entity and the individual.
Requests for Electronic Copies Maintained Electronically - Where an individual requests an electronic copy of PHI that a covered entity maintains electronically, the covered entity must provide the individual with access to the PHI in the requested electronic form and format, if the PHI is readily producible in that file and format. If the PHI is not readily producible in that file and format, the covered entity must provide access to an agreed-upon alternative readable electronic format. Practically speaking, this means that while a covered entity is not required to buy new software or equipment to accommodate every possible request, the covered entity must have the capability to provide some form of electronic copy of PHI maintained electronically. It is only if an individual declines to accept any of the electronic formats readily producible by the covered entity, that the covered entity may then satisfy the request for access by providing the individual with a readable hard copy of the PHI.
Are Summaries and Explanations of PHI Acceptable?
In lieu of providing access to PHI, the covered entity may provide the individual with a summary of the PHI requested. Before a covered entity may provide a summary, the individual must choose in advance to receive the summary (including in the electronic or paper form being offered by the covered entity), and must choose in advance to agree to the fees (assuming the fee amount is permitted under the right of access rule) that may be charged by the covered entity of the summary
Alternatively, the covered entity may provide the individual with both the PHI and an explanation of the PHI. Before the covered entity does so, the individual must choose in advance to receive the explanation (including in the electronic or paper form being offered by the covered entity), and must choose in advance to agree to the fees (assuming the fee amount is permitted under the right of access rule) that may be charged by the covered entity for the explanation.
Do Individuals Have the Right to Challenge the Denial of a Request for Access?
Under certain limited circumstances, a covered entity may, under the HIPAA right of access rule, deny an individual’s request for access to all or a portion of the PHI requested.
In some of these circumstances, an individual has a right to have the denial reviewed by a licensed healthcare professional designated by the covered entity who did not participate in the original decision to deny. In other circumstances, however, the denial is not reviewable.
When Can an Individual Have a Denial Reviewed?
If a denial is made on one or more of these grounds, the individual can have the denial reviewed:
The access requested is reasonably likely to endanger the life or physical safety of the individual or another person. NOTE: This ground for denial does not extend to concerns about psychological or emotional harm (e.g., concerns that the individual will not be able to understand the information or may be upset by it).
The access requested is reasonably likely to cause substantial harm to a person (other than a healthcare provider) referenced in the PHI.
The provision of access to a personal representative of the individual that requests such access is reasonably likely to cause substantial harm to the individual or another person.
If the denial is made on one or more of these grounds, the individual has the right to have the denial reviewed by a licensed healthcare professional who is designated by the covered entity to act as a reviewing official and who did not participate in the original decision to deny. The covered entity must provide or deny access in accordance with the determination of the reviewing official.
When Are the Grounds for Denial Unreviewable?
A covered entity may deny an individual access without providing the individual an opportunity for review, in the following circumstances:
The PHI is contained in psychotherapy notes.
The PHI is part of information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
The request for access is made by an inmate of a correctional institution and the correctional institution has determined that allowing access would jeopardize the health, safety, security, custody, or rehabilitation of the inmate or other inmates, or the safety of correctional officers, employees, or other persons at the institution, or responsible for the transporting of the inmate.
The requested PHI is in a designated record set that is part of a research study that includes treatment (e.g., clinical trial) and is still in progress. NOTE: For access to be denied, the individual must have agreed to the temporary suspension of access when consenting to participate in the research. The individual’s right of access is reinstated upon completion of the research.
The requested PHI is in federal Privacy Act-protected records (i.e., certain records under the control of a federal agency, which may be maintained by a federal agency or a contractor to a federal agency), and denial of access is consistent with the requirements of the Act.
The requested PHI was obtained by someone other than a healthcare provider (e.g., a family member of the individual) under a promise of confidentiality, and providing access to the information would be reasonably likely to reveal the source of the information.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article