Exploring the HIPAA Privacy Rule’s Right of Access Provisions

HIPAA-covered entities must comply with the HIPAA Privacy Rule’s right of access provisions, which ensure that patients have access to their health records in a timely and cost-effective manner.

- The HIPAA Privacy Rule’s right of access provisions ensure that patients can obtain access to their protected health information (PHI). Failure to do so may result in hefty monetary penalties and mandated corrective action plans.

The HHS Office for Civil Rights (OCR) has been consistently resolving cases with healthcare organizations across the country over alleged failures to provide timely and complete access to health records under these provisions.

Most recently, OCR resolved three HIPAA right of access cases with three dental practices, bringing the total number of cases to 41 since it launched the HIPAA Right of Access Initiative in 2019.

“Patients have a fundamental right under HIPAA to receive their requested medical records, in most cases, within 30 days,” OCR Director Melanie Fontes Rainer stated.

“I hope that these actions send the message of compliance so that patients do not have to file a complaint with OCR to have their medical records requests fulfilled.”

It is important that HIPAA-covered entities have a solid understanding of a patient’s right to access their own health records and how to provide that access in a timely and compliant manner.

Right of Access Basics

“With the increasing use of and continued advances in health information technology, individuals have ever expanding and innovative opportunities to access their health information electronically, more quickly and easily, in real time and on demand,” HHS guidance stated.

“Putting individuals ‘in the driver’s seat’ with respect to their health also is a key component of health reform and the movement to a more patient-centered health care system.”

In general, the HIPAA Privacy Rule requires covered entities to provide patients with access to their PHI “in one or more ‘designated record sets’ maintained by or for the covered entity,” upon request.

“This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice,” HHS continued.

Regardless of when the information was created, or whether it is maintained on paper or electronically, patients always have the right to access their PHI, so long as it is held by a covered entity or business associate.

A “designated record set” refers to records that consist of medical and billing records about individuals, enrollment, payment, claims adjudication, and case or medical management record systems, and any other records that are used by covered entities or business associates to make decisions about the individual who submitted the request.

Essentially, the provisions state that patients should be able to easily access any health information collected about them by covered entities, from X-rays to billing and payment information. However, a covered entity or business associate is not obligated to create new information that does not already exist in a designated record set.

The only record types that are excluded from the right of access provisions are psychotherapy notes and information to be used in civil, criminal, or administrative legal actions.

Responding to Access Requests

The HIPAA Privacy Rule requires covered entities to verify the identity of the requester before complying with the request, but it does not specify any particular steps for verifying the patient’s identity.

The verification process should not pose a barrier to providing timely access. Requests are often submitted by email, by phone, or through a secure web portal.

“For example, if the covered entity requires that access requests be made on its own supplied form, the form could ask for basic information about the individual that would enable the covered entity to verify that the person requesting access is the subject of the information requested or is the individual’s personal representative,” the HHS guidance stated.

“For those covered entities providing individuals with access to their PHI through web portals, those portals should already be set up with appropriate authentication controls, as required by 45 CFR 164.312(d) of the HIPAA Security Rule, to ensure that the person seeking access is the individual or the individual’s personal representative.”

Essentially, the requirements must be reasonable. Covered entities cannot require that patients submit requests only through a web portal, because some patients may not have easy access to one.

Patients also have a right to receive the requested information in their preferred format. For example, if an individual requests a paper copy of their records, covered entities are expected to accommodate that request.

The same thing goes for electronic copies, even if the records were originally maintained on paper. If that is the case, covered entities are required to provide the patient with an electronic copy of the information, if it is “readily producible in that form and format.”

If the information is not readily producible in the preferred format, the covered entity must work with the requester to agree upon an alternative readable electronic format.

Patients may also agree to receive a summary or explanation of the PHI instead of receiving an actual copy of the records. If the patient agrees to this, they must be willing to take on any reasonable fees that could be associated with creating the summary.

“A covered entity is not expected to tolerate unacceptable levels of risk to the security of the PHI on its systems in responding to requests for access; whether the individual’s requested mode of transfer or transmission presents such an unacceptable level of risk will depend on the covered entity’s Security Rule risk analysis,” HHS continued.

Security risks should be considered throughout the process. Generally, mail and email “are considered readily producible by all covered entities” and do not present “unacceptable security risks.”

Time, Fee Requirements

Timeliness is a key component of HIPAA right of access compliance. Failure to provide timely access to records is more often than not the primary allegation in OCR enforcement actions surrounding right of access.

Covered entities must provide individuals with access to their PHI within 30 calendar days of receiving the request.

“The 30 calendar days is an outer limit and covered entities are encouraged to respond as soon as possible,” HHS stressed.

“Indeed, a covered entity may have the capacity to provide individuals with almost instantaneous or very prompt electronic access to the PHI requested through personal health records, web portals, or similar electronic means.”

In some circumstances, providing access to records within 30 days may be unreasonable. If so, covered entities are permitted to extend the timeline by no more than 30 additional days. Covered entities must communicate the delay to the patient, and only one extension is permitted per request.

While the HIPAA Privacy Rule does permit covered entities to impose a fee on individuals who request records, the fee must be cost-based and reasonable.

The fee can only account for the cost of labor for copying the PHI, supplies for creating paper or electronic copies (such as a USB drive), postage, and the preparation of a summary or explanation of the PHI, if requested.

“The fee may not include costs associated with verification; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; or other costs not listed above even if such costs are authorized by State law,” HHS emphasized.

Other Considerations

Understanding the logistics of responding to an access request, along with the provisions surrounding timeliness and fees, is crucial for covered entities seeking to avoid potential HIPAA violations and enforcement actions.

However, HHS has also addressed some less common scenarios that covered entities should be aware of. For example, there are a few instances in which covered entities can deny a request.

As previously mentioned, covered entities can deny requests for psychotherapy notes or records that may be used in a legal proceeding. In addition, patients may be denied access to their records if the designated record set is part of a research study that includes treatment and is still in progress.

In other circumstances, licensed healthcare professionals may deny requests if the access is “reasonably likely” to endanger or cause substantial harm to the life or safety of another person.

“Note that a covered entity may not require an individual to provide a reason for requesting access, and the individual’s rationale for requesting access, if voluntarily offered or known by the covered entity or business associate, is not a permitted reason to deny access,” HHS noted.

“In addition, a covered entity may not deny access because a business associate of the covered entity, rather than the covered entity itself, maintains the PHI requested by the individual (e.g., the PHI is maintained by the covered entity’s electronic health record vendor or is maintained by a records storage company offsite).”

It is also important to note that individuals have the right to ask a covered entity to transmit PHI to another individual or entity. The individual’s request must be in writing and must specify where to send the records.

The HHS guidance also included frequently asked questions about interactions with third parties, how to calculate cost-based fees for access requests, and how state laws interact with HIPAA when it comes to right of access.

At the heart of these provisions is a patient’s right to obtain health records that were created about them by covered entities and their business associates. With this access, patients can be better equipped to advocate for their health needs.