The Office for Civil Rights (OCR) recently released guidance related to the right to access protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). The guidance combines into one document explanations of the HIPAA requirements related to an individual’s access right with much of the agency’s previously-released technical assistance on point. The guidance provides a comprehensive overview of how and when an individual is entitled under the regulation to request and receive copies of PHI. It also clarifies the related responsibilities a covered entity or business associate has when responding to an access request. Of note, it discusses OCR’s expectations related to some of the more vague sections of HIPAA, including how to verify the identity of someone who requests PHI and produce PHI in the “form and format requested,” as required by the regulation. OCR noted this guidance is the first in a series of tools that will be developed to further clarify HIPAA’s right of access to PHI.
TIP: In light of the upcoming OCR audits, businesses subject to HIPAA should review the guidance to gain insight into OCR’s expectations and update their policies and procedures as needed.