Designated record sets are where most of a patient's protected health information (PHI) lives. The HIPAA Privacy Rule gives individuals the right to see the PHI held about them in designated record sets, and the Department of Health and Human Services (HHS) has confirmed that this Right of Access covers all PHI within a designated record set.
Under this right, patients can obtain copies of their PHI from covered entities, and from business associates that maintain PHI on a covered entity's behalf.
Which types of PHI are in designated record sets?
A designated record set is a group of records containing PHI that a covered entity maintains and uses, in whole or in part, to make decisions about individuals. Examples include:
- Medical records
- Billing records
- Payment records
- Lab test results
- Medical images (X-rays, for example)
- Insurance information
- Wellness program files
- Disease management program files
- Case management records
- Health plan enrollment records
- Information on medications prescribed for a patient
Is any PHI excluded from the Right of Access?
Yes. Covered entities are not required to provide access to the following categories of PHI:
- A mental health provider's psychotherapy notes, which, per accepted professional practice, are kept separately from the rest of the patient's record and document or analyze the contents of therapy sessions
- Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative proceeding or action
- PHI that is not part of a designated record set because the covered entity does not use it to make decisions about individuals, for example:
  - Provider performance reviews
  - Business planning or management records
  - Peer review records
  - Quality assurance records
What information must a covered entity provide, and in what format?
The covered entity does not have to create new information, such as explanations or summaries of the records, unless the patient agrees to that in advance. It only has to provide the PHI already in the designated record set. The copies must be provided within 30 days of the request; the Privacy Rule allows one 30-day extension if the covered entity tells the patient in writing why it needs more time and when the copies will arrive.
Patients, or their personal representatives, may ask for electronic or paper copies and may ask that they be delivered by mail or email. Patients cannot be required to pick copies up in person. Any email that carries PHI must be sent in a way that satisfies the HIPAA Security Rule's safeguards.
Can the covered entity charge a fee to copy and send the requested PHI?
Yes, but only a reasonable, cost-based fee. It may cover the labor and supplies used to make the requested copies and the postage to mail them; it may not include the cost of searching for or retrieving the records.
Are there any circumstances when a patient's Right of Access request can be denied?
Yes, but the grounds are narrowly defined, and they fall into two groups: denials the patient can have reviewed, and denials that are final.
A reviewable denial applies when a licensed healthcare professional has determined, using professional judgment, that one of the following is reasonably likely to result from giving access:
- Access would endanger the life or physical safety of the patient or of another person.
- The PHI refers to another person (other than a healthcare provider) and access would cause substantial harm to that person.
- The request comes from the patient's personal representative, and giving that representative access would cause substantial harm to the patient or another person.
If access is denied on one of these grounds, the patient can ask for the decision to be reviewed. The covered entity chooses the reviewer, who must be a licensed healthcare professional who took no part in the original decision to deny access.
The following denials cannot be appealed:
- Psychotherapy notes, or PHI compiled for use in, or in anticipation of, a civil, criminal, or administrative proceeding.
- Copies of PHI requested by an inmate and held by a correctional institution, or by a healthcare provider acting under that institution's direction, where providing the copies would jeopardize the health, safety, security, custody, or rehabilitation of that inmate or other inmates, or the safety of any officer, employee, or other person at the institution or responsible for transporting the inmate. The inmate can still inspect the PHI.
- PHI created or obtained by a healthcare provider during research that includes treatment, for as long as the research is in progress, provided the patient agreed to this temporary suspension when consenting to take part. The Right of Access resumes when the research ends.
- Records subject to the Privacy Act of 1974 where that Act requires the denial.
- PHI obtained from someone other than a healthcare provider under a promise of confidentiality, where access "would be reasonably likely to reveal" the source of the information.
How can covered entities safely send copies of the designated record set PHI to patients?
HHS has made clear that mailing or emailing copies of PHI to the individual who requested them is permitted. The covered entity must apply reasonable safeguards while the copies are in its hands and in transit, but it is not responsible for what happens to the copies once the patient receives them. If a patient asks for unencrypted email, the covered entity may send it that way after warning the patient of the risk.
Protect PHI by using encrypted email
The safest way for a covered entity to send requested copies of PHI is encrypted email, so that the contents cannot be read if a message is intercepted or misdelivered. Email is also the route attackers most often use to get a foothold in an organization, and healthcare organizations face a steady stream of phishing and ransomware, which makes securing the email channel more important than ever.
With Paubox Email Suite, healthcare organizations can encrypt all outbound email, including the ePHI copies that patients request. Existing email platforms such as Microsoft 365 and Google Workspace integrate directly with Paubox, with no downtime and no staff training.
No patient portal or third-party application is required, and patients receive an ordinary email with no extra steps. Right of Access responses sent through Paubox are encrypted in line with HIPAA requirements, giving patients an easy way to receive and keep their PHI.
Don't leave your organization exposed. Putting a robust email security solution in place with Paubox is easier than you think.
Try Paubox Email Suite for FREE today.