Can healthcare providers reject a request for PHI?

Yes, healthcare providers can reject requests to access protected health information (PHI) under specific circumstances. These regulations divide the grounds for denial into unreviewable and reviewable categories. 

Can a provider reject a request for PHI?

Based on the FAQ section of the HHS’s official website, “A covered entity may deny an individual access to all or a portion of the PHI requested in only very limited circumstances.”

A healthcare provider can legally refuse a request for Protected Health Information (PHI) in specific scenarios to safeguard privacy and safety. For example, providers are permitted to deny access to psychotherapy notes, which are kept separate from the rest of a patient's medical records and contain particularly sensitive information. 

Access can also be denied when PHI forms part of ongoing legal investigations or judicial proceedings where disclosure could compromise the legal process. If a provider reasonably believes that releasing information could cause harm to the patient or another person, such as in cases of abuse or endangerment, they may withhold that information to prevent potential harm. 

See also: HIPAA Compliant Email: The Definitive Guide

Unreviewable grounds for denying access to PHI

Unreviewable grounds for denying a patient's access to their PHI are specific conditions where a healthcare provider can refuse a patient's request to access their PHI, and this decision is final and not subject to review. 

1. Psychotherapy notes or legal proceedings: Access to psychotherapy notes or information compiled for legal proceedings can be denied. This is because such information is highly sensitive and requires a higher level of confidentiality.
2. Inmate requests in correctional institutions: If an inmate in a correctional facility requests their PHI, this request can be denied. The denial is permissible if providing the PHI could jeopardize the health, safety, security, custody, or rehabilitation of anyone in the institution, including other inmates, or affect the safety of staff and others involved in transporting the inmate.
3. PHI in ongoing research studies: Access to PHI that is part of an active research study, such as a clinical trial, can be denied. This applies if the patient agreed to suspend their access rights when consenting to participate in the research. Their right to access the PHI is reinstated after the completion of the research.
4. Privacy Act protected records: If the PHI is protected under the Privacy Act, such as records held by a federal agency, access can be denied. This denial is valid if providing access would conflict with the requirements of the Privacy Act.
5. Confidentially obtained information: When PHI is obtained from a source other than a health care provider (like a family member) under a promise of confidentiality, access can be denied. This is especially the case if giving access would likely reveal the source of the information.

See also: Report reveals more patients are accessing health data online

Reviewable grounds for denying access to PHI

Reviewable grounds for denying patients access to their PHI refers to specific situations where a healthcare provider can initially refuse access, but the decision is subject to review. These grounds are primarily centered around concerns for safety and harm. 

1. Endangerment to life or safety: If a licensed healthcare professional believes that allowing access to PHI is likely to endanger the life or physical safety of the individual requesting it or another person, they can deny access. This ground does not extend to concerns about psychological or emotional harm.
2. Potential harm to others: If access to the PHI is likely to cause substantial harm to a person (other than a healthcare provider) who is referenced in the PHI, the provider can deny the request.
3. Harm through personal representatives: If the PHI is requested by a personal representative of the individual (such as a family member or legal guardian), and it's believed that providing access is likely to cause substantial harm to the individual or another person, the request can be denied.

See also: Authorized access to medical records is important, too

FAQs

Can a healthcare provider reject a request for PHI without any reason?

No, healthcare providers cannot reject requests for PHI without a reason. 

What should I do if my request for PHI is denied?

If your request for PHI is denied, the healthcare provider should provide you with a written explanation of the reason for the denial. 

Are there any types of PHI that cannot be accessed by the patient?

Yes, there are specific types of PHI that patients cannot access. This includes psychotherapy notes, information compiled for legal proceedings, and certain information that a healthcare provider believes could cause serious harm to the patient or others if disclosed.

Can a healthcare provider charge a fee for accessing my PHI?

Yes, healthcare providers can charge a reasonable, cost-based fee for providing access to or copying your PHI.