The HIPAA Privacy Rule: Accessing Protected Health Information

In promulgating the HIPAA regulations, the United States Department of Health and Human Services (HHS) recognized that allowing consumers access to their health information is a necessary component of a well-functioning health care system. Based on the principle of informed consent, the Privacy Rule acknowledges that in order to have meaningful control over personal health care decisions—including limitations on who can access information—individuals need to have access to their own health information. The Privacy Rule gives consumers rights with regard to certain health care organizations, or “covered entities,” defined as health plans, health care clearinghouses, and health care providers who transmit health information in electronic form in connection with specified financial and administrative transactions.[4]

In general, protected health information under the Privacy Rule correlates with what most consumers would consider their medical record. Whether their health information is paper-based or stored electronically, the Privacy Rule affords patients the right to access their medical record within 30 days of a request.

The Privacy Rule explicitly gives patients the right to inspect and obtain a copy of protected health information held in a “designated record set” by the covered entity.[5] Protected health information (PHI) is defined as “individually identifiable health information,” with the exception of some education and other records.[6] Consumers only have a right to access PHI if, and for as long as, it is maintained in a designated record set, which the Privacy Rule defines as a “group of records maintained by or for a covered entity that is:

  1. the medical records and billing records about individuals maintained by, or for a covered health care provider;
  2. the enrollment, payment, claims adjudication, and case or medical management record systems maintained by, or for a health plan; or
  3. used, in whole or in part, by or for the covered entity to make decisions about individuals.”[7]

Although the Privacy Rule grants consumers the right of access in most situations, there are several specific situations in which covered entities are neither required to give consumers access to their own protected health information held in a designated record set nor required to allow the individual a review of the denial. For instance, individuals do not have the right to access psychotherapy notes or information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.[8]

On the other hand, there are some circumstances when covered entities have the right to deny access, but individuals also have the right to request a review of that denial. For example, if in the exercise of professional judgment, a licensed health care professional believes that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person, the covered entity can then deny access.[9] Also, if the PHI refers to another person (other than a health care provider) and a licensed health care professional believes that the access requested is reasonably likely to cause substantial harm to that other person, the covered entity can deny access to the health information.[10] Again, in these types of situations, an individual has a right to request a review of the denial.[11]

The Privacy Rule outlines a basic process for individuals seeking access to their medical information and establishes guidelines to ensure covered entities provide access in a timely manner. As a basic principle, the Privacy Rule establishes that covered entities must allow individuals to request access to their own records; the law allows covered entities to require that requests be written, provided that patients are informed of this requirement.[12] Otherwise, patients may request access orally.

Within 30 days of the receipt of the request, the covered entity must act on the request by providing the patient access, providing a written denial of access, or informing the individual of the reason for which the covered entity needs additional time (but no more than 30 days) to complete the request.[13] The one exception is for information not maintained by or accessible to the covered entity on-site; in this instance, the covered entity may take up to 60 days to take one of the above actions.[14]

If the covered entity grants access, it must provide the individual with the information in the format requested if possible, and otherwise in a readable hard copy or another format agreed upon by both the covered entity and the individual.[15] However, the covered entity may provide a summary of the health information if the individual agrees in advance to the summary and to any additional fees it would incur. The covered entity must arrange with the individual for “a convenient time and place to inspect or obtain a copy of the protected health information, or mail the copy of the protected health information at the individual’s request” and may charge a “reasonable, cost-based fee” if the individual requests a copy of the record, but the fee can only include costs for copying, postage, and the development of a summary if the individual agreed to one.[16]

If the covered entity denies access to a patient, it must deny access only to the specific information for which it has grounds to deny access. In addition, and within 30 days, the covered entity must provide the individual with a denial written in plain language. The statement must contain the basis for the denial, information about the individual’s review rights (if applicable) and how to exercise those rights, and a description of how the individual may file a complaint, including the pertinent names, titles, and contact information. Furthermore, if the covered entity does not maintain the protected health information the individual requested but knows where it is stored, the law requires the covered entity to inform the individual where to submit a request for access.[17]

If the individual requests a review of the covered entity’s denial, the covered entity must ensure that the review is conducted by a licensed health care professional who was not directly involved in the denial. The covered entity must forward the request in a timely manner to the reviewer, and the designated reviewing professional must determine “within a reasonable period of time” whether or not to deny access. Once a decision is made, the covered entity must immediately provide notice to the individual and take any necessary action.[18]