On Jan. 7, 2016, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services released guidance clarifying individuals’ right to access their protected health information (PHI) maintained by or for their health care providers and health plans (covered entities) under the HIPAA Privacy Rule, 45 CFR § 164.524. According to OCR, the government is taking this action in response to recent studies and OCR’s own enforcement experience where, “far too often individuals face obstacles to accessing their health information, even from entities required to comply with the HIPAA Privacy Rule. This must change.” [1] HIPAA provides individuals with a legal, enforceable right to see and receive copies upon request of the information in their medical and other health records maintained by covered entities. [2]

The guidance released by OCR addresses the scope of information covered by HIPAA’s access right, the very limited exceptions to this right, the form and format in which information is provided to individuals, the requirement to provide access to individuals in a timely manner, and the intersection of HIPAA’s right of access with the requirements for patient access under the HITECH Act’s Electronic Health Record (EHR) Incentive Program.

Providers and Health Information Subject to HIPAA Privacy Rule

Under the HIPAA Privacy Rule, individuals have the general right to access medical and health information in designated records maintained by covered entities. This includes information maintained by business associates—those entities maintaining PHI on behalf of covered entities. Covered entities are responsible for fulfilling these Privacy Rule requirements and for ensuring their business associates promptly forward all PHI requests.

Designated records include a broad array of health information, including medical records, billing and payment records, insurance information, clinical laboratory test reports, X-rays, and wellness and disease management program information.

Covered entities must take “reasonable steps” to verify the identity of individuals requesting access to their records. Verification may be done orally or in writing, but should not be used to create a barrier or delay for the individual. Some examples of impermissible verification systems include requiring the individual to physically visit the health care provider’s office or to mail in a form.

Health Information Not Subject to Release or Access under the HIPAA Privacy Rule

Except in very limited circumstances, an individual has a right to access their entire PHI that a covered entity (or its business associate) maintains in a designated record set.

  • Some information is not subject to release or patient access under the Privacy Rule:

    • Mental health professionals are not required to provide patients with access to psychotherapy notes that are maintained separately from the individual’s medical record and that document or analyze the contents of a counseling session with the individual.

    • Health care providers are not required to create new information that does not already exist in the designated record.

    • Information compiled in reasonable anticipation of, or for use in, a legal proceeding is not subject to access. The individual does, however, retain the right to access the underlying PHI in the designated record.

Timeframe for Response under HIPAA and EHR

Generally, a covered entity must act on an individual’s request for access no later than 30 calendar days after receipt of the request. Note that the 30-day deadline applies regardless of whether the covered entity maintains the PHI itself or must obtain it from its business associate.

The EHR Incentive Program deadlines still apply.

Other Information

  • Form and Format; Manner of Access: Generally, covered entities must provide access in the manner requested by the individual, including providing records in electronic format.

  • Fees for Copies: Covered entities may charge an individual a reasonable, cost-based fee for a copy of their records.

  • HIPAA Preemption and State Laws: HIPAA does not preempt state laws that are more protective of individual privacy rights.