The Privacy Rule requires HIPAA covered entities to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, of the PHI. The individual may also direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice. Individuals have a right to access this PHI for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity. This access is regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated (e.g., whether the covered entity, another provider, the patient, etc.).
A covered entity must provide access to the PHI requested no later than 30 calendar days from receiving the individual’s request. Covered entities are encouraged to respond as soon as possible. Today, with the advent of electronic medical records, a covered entity may have the capacity to provide individuals with almost instantaneous or very prompt electronic access to the PHI requested through personal health records, web portals, or similar electronic means.
If a covered entity is unable to provide access within 30 calendar days, the covered entity may extend the time by no more than an additional 30 days. To extend the time, the covered entity must inform the individual in writing of the reasons for the delay and the date by which the covered entity will provide access. Only one extension is permitted per access request.
Right of access has become a topic of great interest to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services. OCR has recently announced the resolution of its twentieth investigation in its HIPAA Right of Access Initiative. OCR created this initiative to support individuals’ right to timely access to their health records at a reasonable cost under the HIPAA Privacy Rule. This initiative affects small and large healthcare organizations alike. All organizations must take this seriously to prevent citations and fines.