In an effort to ensure that consumers are able to rightfully access their health information, the Health and Human Services Department released new guidance on the HIPAA Privacy Rule.
The guidance covers information such as patients' general rights to their protected health information, what data is excluded from that right to access, how an individual may request access and how an entity must provide the information, among other topics.
Patients’ General Rights
Individuals have a right to access PHI in a “designated record set.” A “designated record set” is defined as a group of records maintained by or for a covered entity that comprises the:
- Medical records and billing records about individuals maintained by or for a covered health care provider;
- Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
- Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals.
What Information is Included?
Individuals have a right to a broad array of health information about themselves maintained by or for covered entities, including:
- Medical records
- Billing and payment records
- Insurance information
- Clinical laboratory test results
- Medical images, such as X-rays
- Wellness and disease management program files
- Clinical case notes
- Other information used to make decisions about individuals
What Information is Excluded?
An individual does not have a right to access PHI that is not part of a designated record set because the information is not used to make decisions about individuals. For example:
- Performance evaluations
- Business plans
- Patient safety activity
Two categories of information are expressly excluded from the right of access:
- Psychotherapy notes, which are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session, that are maintained separate from the rest of the patient’s medical record.
- Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
How an Individual May Request Access
A patient can request their records directly or through a personal representative (a person with authority under State law to make health decisions for you).
- The covered entity may require individuals to request access in writing, provided the covered entity informs individuals of this requirement.
- The covered entity may offer individuals the option of using electronic means (e.g., e-mail, secure web portal) to make requests for access.
- The covered entity may require individuals to use the entity’s own supplied form, provided use of the form does not create a barrier to or unreasonably delay the individual from obtaining access to his PHI, as described below.
The rule requires a covered entity to take reasonable steps to verify the identity of an individual. However, the rule does not mandate any particular form of verification. This is left to the discretion of the covered entity. Patient may be required to present:
- Driver’s license
- Social Security Card
- Demographic information specific to the individual
How the Covered Entity Must Provide Information
The covered entity must provide the individual with access to their PHI in the form and format requested by the individual, if it is readily producible in such form and format.
- In person
- Via Mail
- Via Email/Secure Portal
A covered entity may not impose unreasonable measures on an individual requesting access that serve as barriers to or unreasonably delay the individual from obtaining access. For example, a doctor may not require an individual:
- Who wants a copy of her medical record mailed to her home address to physically come to the doctor’s office to request access and provide proof of identity in person.
- To use a web portal for requesting access, as not all individuals will have ready access to the portal.
- To mail an access request, as this would unreasonably delay the covered entity’s receipt of the request and thus, the individual’s access.
In providing access to the individual, a covered entity must provide access to the PHI requested, in whole, or in part, no later than 30 calendar days from receiving the individual’s request.
How Much Can A Covered Entity Charge for Copies?
The rule permits a covered entity to impose a reasonable, cost-based fee.
The fee may include only the cost of:
- Labor for copying the PHI requested by the individual, whether in paper or electronic form;
- Supplies for creating the paper copy or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media;
- Postage, when the individual requests that the copy be mailed; and
- Preparation of an explanation or summary of the PHI, if agreed to by the individual.