The HIPAA Privacy Rule: Accounting for Disclosures

Knowing who has had access to one’s personal health information is closely tied to having access to it oneself. Accordingly, the Privacy Rule acknowledges the importance of allowing patients to see who has accessed their personal health information. With exceptions, the Privacy Rule gives patients the right to see to whom covered entities have disclosed their personal health information during the six years prior to the date of the request.[27]

Upon request, covered entities must provide consumers with an accounting of disclosures during the previous six years, including the date of the disclosure, the name of the person who received the information, a brief description of the protected health information disclosed, and a brief statement of the purpose of the disclosure. If a covered entity has made multiple disclosures to the same person for the same purpose, it may provide the above information only for the first disclosure, as long as it also provides the frequency of the disclosures and the date of the last disclosure.[28]

Within 60 days of the request, a covered entity must provide the accounting or a written statement detailing the reason it needs an extension of time (of no more than 30 days).[29] The covered entity must provide an accounting of disclosures once a year without charge. However, if an individual requests an accounting more than once a year, a reasonable, cost-based fee may be imposed, provided that the individual was informed of the fee in advance and the covered entity also gives the individual an opportunity to withdraw or modify the request in order to avoid the fee.[30]

Individuals do not have the right to accountings of certain disclosures, most notably disclosures made to carry out treatment, payment, and health care operations, and disclosures to the individual actually requesting the accounting of disclosures of their own PHI.[31] Furthermore, a covered entity must temporarily suspend an individual’s right to receive an accounting of disclosures made to a health oversight agency or law enforcement official if the agency or official provides the covered entity with a written statement indicating that such an accounting would be reasonably likely to impede the agency’s activities. The written statement must also specify the time period for which such a suspension is required.[32]

The HIPAA Privacy Rule and State Laws

In general, covered entities are required to follow both the Privacy Rule and related state laws. However, if a Privacy Rule provision contradicts state law, the Privacy Rule automatically preempts that law.[33] Still, there are exceptions: for example, a state law prevails when that law “provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention.”[34] State law remains in effect in other circumstances as well, such as when the Secretary of HHS determines that the state law is necessary to prevent fraud and abuse related to health care services, to meet state reporting requirements on health care delivery or costs, or to serve a need related to public health, safety, or welfare.[35]

The Privacy Rule also establishes that patients may be afforded stronger privacy safeguards at the state level. The Privacy Rule expressly stipulates that when state laws are more stringent than the Privacy Rule, they remain in force.[36] Therefore, in some states, patients are granted easier access to their personal health information. For example, some state laws cap copying and postage fees for medical records, institute shorter time frames for granting access, or require additional accountings of disclosures.

State laws vary widely in how they address health privacy, including the right to access personal health information. Whereas in some states patients are afforded only the access rights guaranteed under the Privacy Rule, other states offer stronger rights of access. For instance, in New York, patients have a right to see their protected health information within 10 days, as opposed to the 30 days allowed by the Privacy Rule.[37] New York caps copying charges at 75 cents per page, while California establishes a fee of 25 cents per page for a regular photocopy.[38] In fact, many states, including Illinois, Missouri, Georgia, Arkansas, New Hampshire, and Nevada, cap copying fees to varying degrees.[39] Meanwhile, states such as New York and Florida stipulate that access cannot be denied because of inability to pay.[40]