Do business associates have to grant patients access to their records?

Business associates are generally not directly responsible for granting patients access to their health records. According to the HHS, “The Privacy Rule regulates covered entities, not business associates… The business associate contract must provide that the business associate will make such information available to the covered entity in order for the covered entity to fulfill its obligation to the individual.” This means that responsibility falls on the covered entities, such as healthcare providers or insurers, who are the custodians of the patient's health information.

The role of a business associate in relation to patient records

The role of a business associate centers around the management, protection, and appropriate use of patient records, acting under the guidelines set by their business associate agreement (BAA). A few responsibilities include: 

1. Processing or handling PHI: Business associates often handle or process protected health information (PHI) for various purposes, such as claims processing, data analysis, billing, benefit management, practice management, and providing IT services. 
2. Implementing safeguards: Business associates are required to implement appropriate safeguards to prevent unauthorized use or disclosure of PHI, in compliance with the Privacy Rule. This includes technical safeguards such as the use of HIPAA compliant email software. 
3. Compliance with privacy rule standards: Through BAAs, business associates agree to comply with certain Privacy Rule standards and conditions for protecting PHI. 
4. Cooperating with covered entities: Business associates cooperate with covered entities in fulfilling the latter's obligations under HIPAA. This includes providing access to PHI when a patient requests it, amending PHI as directed by the covered entity, and providing an accounting of disclosures.
5. Reporting breaches: Business associates are required to report any PHI breaches to the covered entity, ensuring that they comply with HIPAA’s breach notification requirements.
6. Direct interaction with patients (in some cases): In situations where a business associate is the only holder of a designated record set, or a part thereof, they may directly interact with patients. This could involve providing access to, or amending, PHI at the request of the patient, if stipulated in the BAA.

See also: How to know if you’re a business associate

Specific conditions under which a business associate must provide access to records

When the business associate is the sole holder of certain parts of the designated record set or if the covered entity does not duplicate their records. In such cases, the business associate must make the information available to either the covered entity or directly to the individual, depending on the terms outlined in the BAA. The BAA, a legally binding contract between a covered entity and a business associate, must specify the circumstances under which the business associate is required to provide access to PHI. This agreement ensures compliance with HIPAA’s rules for safeguarding PHI and upholding individuals' rights to access their health information. 

Exceptions or limitations to a business associate’s obligation to grant access to records

A business associate’s obligation to grant access to records is subject to certain exceptions and limitations, often detailed in the BAA with the covered entity. 

1. When the business associate holds information that is merely a duplicate of what the covered entity already possesses; the business associate is not required to provide access, as the covered entity can fulfill such requests. 
2. Access need not be granted to psychotherapy notes or information compiled for legal proceedings.
3. Legal or regulatory constraints, as well as technical limitations, could restrict a business associate's ability to provide access. 
4. Considerations regarding the safety, privacy, and security of PHI might also limit a business associate’s responsibility to grant access.

See also: When should you ask for a business associate agreement?

FAQs

What is a covered entity?

A covered entity is a healthcare provider, health plan, or healthcare clearinghouse that transmits health information electronically and must comply with HIPAA regulations.

What are patient rights under HIPAA?

Under HIPAA, patients have the right to access their medical records, request corrections, and receive information about how their health information is used and shared.

When can a covered entity refuse access to patient records?

A covered entity can refuse access to patient records if releasing the information would endanger someone's life or physical safety, violate another person’s privacy, or involve psychotherapy notes.