Skip to the main content.
Talk to sales Start for free
Talk to sales Start for free

3 min read

How to handle patient data request

Picture of Kirsten Peremore Kirsten Peremore July 31, 2023

HIPAA Compliance
How to handle patient data request

A patient data request is a formal or informal inquiry made by an individual, typically a patient, to access or obtain their protected health information (PHI) held by a healthcare provider, medical facility, or health organization. This request allows patients to review, receive copies of, or gain insights into their medical records, test results, treatment history, and other relevant health-related data.

 

Can a healthcare organization reject a request for patient data?

Healthcare organizations generally cannot reject a request for patient data from the individual or their authorized representative. HIPAA grants patients the right to access their PHI held by covered entities, which includes healthcare providers, health plans, and healthcare clearinghouses. However, there are a few circumstances where a healthcare organization may be allowed to deny or limit a patient's data request:

  1. Verification of identity: The organization may deny the request if they cannot verify the identity of the requester as the individual or their authorized representative. Verifying identity is necessary to prevent unauthorized access to sensitive patient information.
  2. Non-existent or unavailable records: If the requested records do not exist or are unavailable due to legitimate reasons, the organization may be excused from providing them. However, they should inform the patient promptly and explain the reason for the denial.
  3. Information exempt from access: Some types of information may be exempt from patient access under HIPAA. For example, if disclosing specific information could harm the patient or others, the organization may limit access to such information.
  4. Psychotherapy notes: In some cases, psychotherapy notes maintained separately from the rest of the medical records may not be accessible to patients.

See more: What are patient rights under HIPAA?

 

How to develop a patient data request process

  1. Identify responsible personnel: Designate specific individuals or roles responsible for managing and overseeing patient data requests, including data access, verification, and disclosure. This may include privacy officers, designated custodians, or an assigned team. 
  2. Outline the request process: Describe how patients can submit data access requests, whether through written forms, online portals, or other designated channels.
  3. Verification of identity procedure: Specify the procedures for verifying the identity of the requester to ensure that only authorized individuals can access patient data.
  4. Review process: Explain how the request will be evaluated to determine if it complies with HIPAA regulations and if the requested data can be disclosed to the patient.
  5. Data disclosure: Detail how the requested information will be provided to the patient (e.g., electronic copy, printed records) and within what timeframe.
  6. Denial or limitation of access: Clarify the circumstances under which access may be denied or limited, as permitted under HIPAA.

See more: What is the HIPAA treatment exception?

 

How long do you have to respond to a request?

The HIPAA Privacy Rule stipulates that covered entities must provide the requested information within 30 days of receiving the patient's request. However, there is a provision that allows covered entities to extend the response time by an additional 30 days under certain circumstances. 

If an extension is necessary, the covered entity must notify the patient within the initial 30-day period, explaining the reason for the delay and providing the new expected date for providing the requested information. Note that the total response time, including any permissible extension, should not exceed 60 days from the date of the patient's request.

RelatedWhat is the HIPAA right to amend?

 

Costs associated with patient data requests 

While patients have the right to access their health information, covered entities may charge reasonable fees for providing copies of the records. These fees should be in line with state laws and HIPAA regulations. They should cover only the cost of copying and mailing the records. The fees must not be a deterrent to the patient's ability to access their data.

HIPAA acknowledges that patients might face financial challenges in accessing their health information. In such cases, healthcare providers are encouraged to work with patients to find a feasible solution, which may include waiving or reducing the fees.

 

Penalties for failing to provide patient data

In the context of patient data requests, a covered entity may be penalized if they do not provide the requested health information within the specified time frame, fail to verify the patient's identity properly, deny the request without a valid reason, or impose unreasonable fees for providing copies of the patient's records.

HHS's Office for Civil Rights (OCR) is responsible for enforcing HIPAA's Privacy, Security, and Breach Notification Rules. Individuals who believe their privacy rights have been violated under HIPAA can file complaints with the OCR. The OCR investigates these complaints to determine if there have been any breaches or improper disclosures of PHI. If the OCR finds a violation has occurred, the HHS can impose civil monetary penalties. 

See more: HIPAA Compliant Email: The Definitive Guide

Subscribe to Paubox Weekly

Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.