
What are HIPAA Right of Access provisions?

The right of access provisions in the HIPAA Privacy Rule aim to empower individuals by giving them greater control over their health information and ensuring they can obtain copies of their PHI when needed.


What is the purpose of the HIPAA Right of Access provisions?

The right of access provisions under the Privacy Rule ensure that individuals can access and obtain copies of their PHI held by covered entities under certain conditions. These provisions allow individuals to be informed about and have control over how their health information is used in a timely and transparent manner. 


What types of health information are covered by the Right of Access provisions?

  1. Medical records: This includes medical history, diagnoses, laboratory test results, imaging reports, progress notes, treatment plans, and other records created or maintained by healthcare providers.
  2. Billing and payment records: This includes information related to charges for healthcare services, insurance claims, explanations of benefits (EOBs), and any other records associated with the financial aspects of healthcare.
  3. Prescription and medication information: Information about prescribed medications, dosage instructions, pharmacy records, and related documentation.
  4. Health insurance information: Insurance policy details, coverage information, claims history, and other records related to health insurance coverage.
  5. Correspondence and communications: Correspondence between healthcare providers, such as referrals, consultation reports, and communications related to the individual's healthcare. 



Covered entities and business associates 

Covered entities must provide individuals with access to their PHI upon request, in the format requested if it is readily producible, or in a mutually agreed-upon format. This needs to be provided within 30 days of the request, although there are certain limited exceptions.

The right of access provision also requires business associates, as agents of covered entities, to support covered entities in fulfilling individuals' right to access. They may be involved in processing access requests, securely transmitting PHI, or assisting with the retrieval and preparation of the requested information.


Charging a fee for providing copies of PHI

While covered entities are permitted to charge a fee for providing copies of PHI, they should generally provide individuals with copies of their PHI free of charge. Any fee must be reasonable and cost-based: it may cover only the labor, supply, and postage costs associated with producing the copy. Charging fees for access to PHI can create barriers to individuals' ability to obtain their health information.

Therefore, waiving access fees is encouraged, especially when the individual's financial situation would make it difficult for them to afford the fees. Individuals should be informed in advance of any fees that may be charged for providing copies of their PHI. It is recommended to have an approximate fee schedule available to individuals and, if requested, give a breakdown of the labor, supplies, and postage charges. 


What are the limitations of the right of access provisions?

The right of access applies only to PHI held by covered entities, such as healthcare providers, health plans, and healthcare clearinghouses, that are subject to HIPAA regulations. It does not apply to all types of health information or all entities that may have individuals' health information. 

Furthermore, the provisions do not apply to certain types of data exempted under the HIPAA Privacy Rule. For example, they do not cover psychotherapy notes, information compiled for legal proceedings, or information that is subject to other privacy laws, such as federal laws governing the confidentiality of substance abuse treatment records.


Limited timeframe for response

Covered entities are required to provide individuals with access to their PHI within 30 days of receiving a request. However, in certain circumstances, the entity may have an additional 30-day extension to respond, provided they inform the individual of the reason for the delay within the initial 30-day period.


Steps to take when PHI access is requested

  1. Verify the identity of the individual: Before disclosing any PHI, the covered entity should verify the identity of the individual making the request. They may request certain information or documentation to confirm their identity, such as a government-issued ID or relevant account information.
  2. Acknowledge the request: Send an acknowledgment to the individual, confirming that their access request has been received and is being processed. Include relevant contact information for any inquiries or updates. Remember to use communication that aligns with HIPAA, such as HIPAA compliant email.
  3. Review the request: Evaluate the scope and specifics of the access request. Determine what PHI is being requested and whether any exceptions or limitations apply. This could include considering whether certain information is exempt from disclosure, such as psychotherapy notes or information that may harm the individual or others.
  4. Retrieve and prepare the requested information: Locate the requested PHI within the organization's records and assemble it for disclosure. Ensure that any sensitive or confidential information that should not be disclosed is appropriately redacted or removed.
  5. Respond within the designated timeframe: The HIPAA Privacy Rule requires covered entities to respond to access requests within 30 days. Provide the individual with the requested PHI in the format they have specified, whether a printed copy or an electronic format, unless that format is not readily producible.
  6. Explain any denials or restrictions: If the covered entity denies the individual's access request or imposes limitations, they must provide a written explanation. This explanation should cite the specific basis in the HIPAA Privacy Rule that justifies the denial or limitation.
  7. Maintain documentation: Document all actions taken in response to the access request, including the verification of identity, retrieval of PHI, communications with the individual, and any denials or restrictions. This documentation helps demonstrate compliance in case of an audit or potential complaint.
