One of the key elements of HIPAA is the individual's right of access to protected health information (PHI), intended to give individuals more control over decisions about their health and well-being.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was created to protect the privacy and security of individuals' identifiable health information and to establish individual rights with respect to that information. A core feature from the outset has been the individual's ability to access and obtain a copy of their health information.
The HIPAA Privacy Rule (the Privacy Rule) gives individuals a legal, enforceable right to see and, upon request, receive copies of the information in the medical and other health records maintained by their health care providers and health plans, with limited exceptions.
Health care providers are frequently unsure how to handle a request for access to PHI, including a patient's right to receive an electronic copy of their records for a reasonable, cost-based fee.
The intent of the Privacy Rule is to give individuals easy access to their health information so that they can take charge of decisions affecting their health care and well-being. With access to their medical documentation, patients are better able to monitor chronic conditions, adhere to treatment plans, find and correct errors in their records, track progress in wellness or disease management programs, and contribute their information directly to research. This greater engagement is a major component of the movement toward a more patient-centered health care system.
Access to PHI
The HIPAA Privacy Rule requires covered entities (health plans and most health care providers) to provide individuals, upon request, with access to the PHI about them in one or more “designated record sets” maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual's choice. Individuals have a right of access for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the date the information was created; whether the information is maintained in paper or electronic systems, onsite, remotely, or in archives; or where the PHI originated (e.g., the covered entity, another provider, or the patient). The separate Information Blocking rule under the 21st Century Cures Act additionally prohibits health care providers and other regulated actors from interfering with a patient's access to electronic health information (see the end of this page).
Designated Record Sets
Individuals are given the opportunity to access PHI in a “designated record set.” A “designated record set” is defined as a group of records maintained by or for a covered entity that comprises the:
- Medical records and billing records about individuals maintained by or for a covered health care provider;
- Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
- Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals.
The term “record” means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity.
Excluded Information from Right of Access
Not all information is covered by the right of access. Information that is not part of a designated record set is not subject to it. This includes management records used for business decisions, quality assessment or improvement records, patient safety activity records, and business planning and development records. It may also include a hospital's peer review files, practitioner or provider performance evaluations, records used to improve customer service, and formulary development records.
Most importantly, two categories of information are expressly excluded from the right of access:
- Psychotherapy notes, which are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session, and which are maintained separately from the rest of the patient's medical record.
- Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
Note that the underlying PHI in the individual's medical, payment, or other records that was used to generate these excluded records remains part of the designated record set and is subject to access by the individual.
An individual's personal representative (a person who has authority under State law to make health care decisions for the individual) has the same right to access PHI about the individual in a designated record set, and to direct that a copy be transmitted to a designated person or entity of the individual's choice upon request.
A covered entity may require that requests for access be made in writing, provided it informs individuals of this requirement. The entity may offer its own form as long as the form does not create a barrier to, or delay, obtaining access to the PHI. The entity may also offer electronic means of requesting access, such as email or a web portal.
Directing PHI to Another Person
A patient may ask the covered entity to transmit their PHI to another person or entity that the individual designates. This request must be in writing, signed by the individual, and clearly identify the designated recipient and where the PHI is to be sent. A covered entity may accept an electronic copy of the signed request (e.g., a PDF) or an electronically executed request that includes an electronic signature, for example through a web portal. The same fee limitations and requirements for providing protected health information in
The Privacy Rule requires a covered entity to take reasonable steps to verify the identity of an individual who requests access to PHI. The Rule does not prescribe how verification is to be done; it leaves the method to the discretion and professional judgement of the covered entity, but the method must not create barriers or unreasonable delay in obtaining access. Verification may be oral or in writing, and may be done in person, by phone, by fax, or by email, depending largely on how the individual submitted the request.
If an individual asks the covered entity to transmit a copy of PHI directly to another person, the covered entity must provide the copy to the designated recipient. The request must be in writing, signed by the individual, and must clearly designate the recipient and where the PHI is to be sent.
The Privacy Rule permits a covered entity to require that access requests be made in writing, and requires it to verify the identity of the person making the request. Covered entities are advised not to impose unreasonable measures on individuals seeking access to their PHI. For example, it may be unreasonable to require all individuals to use a web portal, since not everyone has internet access. Covered entities should make several options for requesting access available.
When providing access, the covered entity must do so in the form and format requested by the individual if the PHI is readily producible in that form and format. If, for example, the individual requests an electronic copy and the PHI is maintained electronically, the covered entity must provide it in the requested electronic form if it is readily producible. If it is not readily producible in that specific format, the covered entity must provide it in a readable electronic form and format agreed to by the individual and the covered entity. Only if the individual declines every electronic format the covered entity can readily produce may the covered entity satisfy the request with a readable hard copy of the PHI.
The Information Blocking rule (discussed below) additionally requires providers and other regulated actors to make electronic protected health information available to patients in a timely manner.
If an individual requests a paper copy, the covered entity is expected to provide it in paper form, even if the PHI is maintained electronically.
If a covered entity maintains the PHI only on paper and the individual requests an electronic copy, the covered entity is expected to scan the records and provide them electronically if it can readily do so. The specific electronic format may vary as long as the individual and the covered entity agree on it.
Summary of PHI
A covered entity may provide a summary of the PHI in place of access to the PHI itself, or an explanation of the PHI along with the PHI, but only if the individual agrees in advance to receive the summary or explanation and to any fee associated with preparing it. The individual also chooses the form or format of delivery (electronic or paper).
Delivery of Records
The covered entity must give the individual access in the manner requested. This may include arranging a convenient time and place to pick up a copy or to inspect the PHI (if inspection is the manner of access requested), or mailing, emailing, or otherwise transmitting a copy to the individual, as long as the copy is readily producible in that manner.
When transmitting PHI, the covered entity must consider the security risks of the chosen channel and should not take unacceptable risks with the PHI; its Security Rule risk analysis is the basis for that judgement. Sending PHI by regular mail is generally acceptable because the risk of compromise is low. Unencrypted email carries a significant risk of interception, and the individual must be advised of that risk if they choose it; once warned, the individual may still choose to receive the PHI by unencrypted email, and the covered entity is expected to honor that choice. Enable encryption in transit (for example, TLS on the mail or portal channel) wherever the recipient's system supports it, and record the warning and the individual's choice with the request.
Timeliness of Access
A covered entity must provide access to the requested PHI, in whole or in part, no later than 30 calendar days after receiving the individual's request. In today's health care environment, access through electronic portals can be much faster, and 30 days is an outer limit, not a target. If the covered entity operates in a state with a more stringent requirement, such as the 15-day deadline in Texas, the shorter state deadline governs.
If a covered entity cannot provide access within 30 calendar days, for example because the information is held offsite and is not readily accessible, it may extend the deadline by no more than 30 additional days. To do so, it must inform the individual in writing, within the initial 30 days, of the reason for the delay and the date by which it will provide access. Only one extension is permitted per access request.
If the covered entity (or one of its business associates) does not maintain the PHI requested, but knows where the information is maintained, the covered entity must inform the individual where to direct the request for access.
Permissible Fees for Sharing Patient Records
The fee charged for a copy of PHI under the right of access must be reasonable and cost-based, and may include only the following:
- Labor for copying the PHI requested, whether in paper or electronic form;
- Supplies for creating the paper or electronic copy;
- Postage, when the individual requests that the copy be mailed; and
- Preparation of an explanation or summary of the PHI, if agreed to by the individual.
The fee may not include costs associated with verification; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; or any other cost not listed above, even if such costs are authorized by State law.
These access fee limits apply only to requests made by the individual (or their personal representative) under the right of access. When a third party, such as an attorney or insurer, requests records on its own behalf under a HIPAA authorization, the access fee limits do not apply, and a third party that cites the HITECH/Privacy Rule fee cap as the maximum charge for such a request is mistaken.
Denial of Access
A covered entity may deny an individual's request for access to all or part of the requested PHI only in a limited set of situations. Some grounds for denial are not subject to review; for others, the individual has the right to have the denial reviewed by a licensed health care professional who did not participate in the original decision.
Grounds for denial that are not subject to review:
- The request is for psychotherapy notes, or for information compiled in reasonable anticipation of, or for use in, a legal proceeding.
- An inmate requests a copy of PHI held by a covered entity that is a correctional institution, or by a health care provider acting under the direction of the institution, and providing the copy would jeopardize the health, safety, security, custody, or rehabilitation of the inmate or other inmates, or the safety of correctional officers, employees, or other persons at the institution or responsible for transporting the inmate. Even in this case, the inmate retains the right to inspect the PHI.
- The requested PHI is in a designated record set that is part of a research study that includes treatment (e.g., clinical trial) and is still in progress, provided the individual agreed to the temporary suspension of access when consenting to participate in the research. The individual’s right of access is reinstated upon completion of the research.
- The requested PHI is in Privacy Act protected records (i.e., certain records under the control of a federal agency, which may be maintained by a federal agency or a contractor to a federal agency), if the denial of access is consistent with the requirements of the Act.
- The requested PHI was obtained by someone other than a health care provider (e.g., a family member of the individual) under a promise of confidentiality and providing access to the information would be reasonably likely to reveal the source of the information.
Grounds for denial that are subject to review:
- The access requested is reasonably likely to endanger the life or physical safety of the individual or another person. This ground for denial does not extend to concerns about psychological or emotional harm (e.g., concerns that the individual will not be able to understand the information or may be upset by it).
- The access requested is reasonably likely to cause substantial harm to a person (other than a health care provider) referenced in the PHI.
A covered entity may not require an individual to give a reason for requesting access. If the covered entity learns the reason for the request, it may not use that reason as a basis for denying access. A covered entity also may not deny access because a business associate, rather than the covered entity itself, maintains the requested PHI.
Notification of Denial
If a covered entity denies access, in whole or in part, it must provide the denial to the individual in writing within 30 calendar days of the request, or within 60 calendar days if an extension was taken. The written denial must be in plain language and state the basis for the denial. If the denial is reviewable, it must explain the individual's right to have the denial reviewed and how to request a review. It must also explain how the individual may complain to the covered entity and to the HHS Office for Civil Rights.
The covered entity must provide the individual with access to any other PHI requested, after excluding the PHI to which the entity has a ground to deny access. Any difficulty in separating the PHI does not excuse the obligation to provide access to the PHI to which the ground for denial does not apply.
Review of the Denial
If a denial is on a reviewable ground and the individual requests a review, the covered entity must promptly refer the request to a licensed health care professional who did not participate in the original decision. That reviewer must determine within a reasonable period of time whether to uphold or reverse the denial, and the covered entity must promptly provide the individual with written notice of the reviewer's determination and act accordingly.
State laws sometimes provide greater rights of access to PHI than the Privacy Rule does. Such laws are not preempted by HIPAA and still apply; in particular, state laws that require access within a shorter period than HIPAA must be followed.
A newer federal regulation affects providers and must be considered together with HIPAA.
The 21st Century Cures Act directed the Office of the National Coordinator for Health Information Technology (ONC) to implement the Act's provisions on information blocking of electronic health information (EHI), interoperability, and the ONC Health IT Certification Program.
The Information Blocking rule prohibits information blocking and directs providers to fulfill requests for access, exchange, and use of EHI held in a designated record set.
Information blocking is, in general, a practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI, where the provider knows that the practice is unreasonable and likely to do so (health IT developers and health information exchanges are held to a "knows or should know" standard).
This federal regulation works alongside HIPAA to make electronic PHI more accessible to patients and for treatment and other permitted purposes. It does not require disclosure of electronic PHI that HIPAA or state law does not permit.
For more details visit our information blocking page.
Exceptions to Information Blocking
There are eight exceptions to the Information Blocking rule. A practice that meets all of the conditions of an exception is not considered information blocking, which gives the actor certainty. A practice that does not fit an exception is not automatically information blocking; it is evaluated case by case. The exceptions are:
- Preventing harm: the practice is reasonable and necessary to prevent harm to a patient or another person.
- Privacy: the practice protects the individual's privacy.
- Security: the practice protects the security of EHI.
- Infeasibility: fulfilling the request is infeasible.
- Health IT performance: the practice is needed to preserve the overall performance of the health IT.
- Content and manner: the actor fulfills the request within the permitted conditions on the content and manner of access.
- Fees: the actor charges fees for accessing, exchanging, or using EHI within the permitted conditions.
- Licensing: the actor licenses interoperability elements needed for EHI to be accessed, exchanged, or used, within the permitted conditions.
Together with the HIPAA right of access, the rule supports a patient's ability to direct a provider to disclose EHI to a third-party application of the patient's choice, such as a personal health record app.
The HHS Office of Inspector General (OIG) investigates information blocking claims. Health IT developers and health information exchanges found to have engaged in information blocking are subject to civil monetary penalties, while providers are subject to disincentives established by HHS.
For more information on exceptions please visit our dedicated page.