Individual’s Rights to Access PHI

January 13, 2016

An individual’s right to access their protected health information (PHI) should be nothing new to covered entities. In 1996, the HIPAA Privacy Rule detailed an individual’s right to access PHI. As part of HITECH and the Final Omnibus Rule, modifications to the Privacy Rule have added requirements for covered entities and business associates.

Unfortunately, recent studies by the Office for Civil Rights (OCR) find that individuals may not be aware of their rights under the Privacy Rule. To help individuals better understand their right to access and obtain a copy of their health information, the OCR has posted a fact sheet on its website.

Ideally, this involvement by the individual should improve overall care. A patient-centered approach allows the individual to monitor their own health, to better understand treatment plans, to identify any potential errors in the record and to request amendments, if necessary. Similar to the individual’s right, a personal representative working on the individual’s behalf has the right to access the individual’s PHI.

Note that this right does not include all PHI. Only PHI in a Designated Record Set, as defined by 45 CFR 164.501, is included in this right to access:
• Medical records and billing records about individuals maintained by or for a covered health care provider;
• Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan;
• Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. This last category includes records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.

Although the Privacy Rule allows a covered entity to ask for an access request in writing and to require verification of the individual’s identity, unreasonable barriers should be avoided, such as:
• Requiring in-person proof of identity when the individual has requested that the PHI be mailed;
• Requiring the individual to mail in the access request;
• Requiring use of a web portal to request access.

When a request for access is made, a covered entity cannot require a reason for the request. Covered entities need to provide access to the requested PHI as soon as possible, but no later than 30 days from the time of the request (a one-time extension of an additional 30 days is possible if requested in writing from the individual). The “form and format” (paper or electronic copy) should be as requested. Fees for copies may only include the cost of labor, paper or electronic supplies, postage if mailed, or, if requested and agreed to by the individual, the time to prepare a summary. There is no specific requirement for the covered entity to provide any new material, such as a summary or explanatory information.

If the covered entity denies a request to access, a written denial must be sent to the individual within 30 days of the request (60 days if the individual was notified of an extension). There are limited exceptions to this right to access an individual’s record.

Unreviewable grounds for denial (45 CFR 164.524(a)(2)):
• The request is for psychotherapy notes, or information compiled in reasonable anticipation of, or for use in, a legal proceeding.
• An inmate requests a copy of her PHI held by a covered entity that is a correctional institution, or health care provider acting under the direction of the institution, and providing the copy would jeopardize the health, safety, security, custody, or rehabilitation of the inmate or other inmates, or the safety of correctional officers, employees, or other person at the institution or responsible for the transporting of the inmate. However, in these cases, an inmate retains the right to inspect her PHI.
• The requested PHI is in a designated record set that is part of a research study that includes treatment (e.g., clinical trial) and is still in progress, provided the individual agreed to the temporary suspension of access when consenting to participate in the research. The individual’s right of access is reinstated upon completion of the research.
• The requested PHI is in Privacy Act protected records (i.e., certain records under the control of a federal agency, which may be maintained by a federal agency or a contractor to a federal agency), if the denial of access is consistent with the requirements of the Act.
• The requested PHI was obtained by someone other than a health care provider (e.g., a family member of the individual) under a promise of confidentiality, and providing access to the information would be reasonably likely to reveal the source of the information.

Reviewable grounds for denial (45 CFR 164.524(a)(3)). A licensed health care professional has determined in the exercise of professional judgment that:
• The access requested is reasonably likely to endanger the life or physical safety of the individual or another person. This ground for denial does not extend to concerns about psychological or emotional harm (e.g., concerns that the individual will not be able to understand the information or may be upset by it).
• The access requested is reasonably likely to cause substantial harm to a person (other than a health care provider) referenced in the PHI.
• The provision of access to a personal representative of the individual that requests such access is reasonably likely to cause substantial harm to the individual or another person.

Please review the OCR fact sheet for more details on the individual’s rights and the HIPAA requirements for covered entities and business associates.

First Healthcare Compliance Staff | 2016-01-13 16:33:22 | 2025-04-15 12:58:03
