The Department of Health and Human Services (“HHS”) has issued guidance clarifying individuals’ right under the HIPAA Privacy Rule to access their protected health information (“PHI”) maintained by covered entities, including health plans.
Background. Under HIPAA’s Privacy Rule, individuals have the right to access their own PHI held by “covered entities” (e.g., doctors, hospitals and group health plans). Regulations issued in 2013 expanded this right to cover electronic PHI.
HHS Guidance. Among other things, HHS’s guidance addresses: the scope of information to be provided; limited exceptions to this right; the form and format in which PHI is to be provided; and the requirement to provide access to individuals in a timely manner.
Highlights from the guidance are as follows:
Covered information. Individual rights extend only to PHI maintained in a designated record set. A “designated record set” is defined as a group of records maintained by or for a covered entity that comprises: (i) the medical records and billing records of individuals maintained by or for a covered health care provider; (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; and (iii) other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals.
The guidance provides examples of PHI included and excluded from a designated record set.
The following two categories of information are expressly excluded from the right of access: (i) psychotherapy notes, which are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session, that are maintained separately from the rest of the patient’s medical record; and (ii) information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
Access Requests. Covered entities may require individuals to request access in writing and may offer electronic means for submitting requests, but they cannot require individuals to come to a physical office, use a web portal or mail a request. Covered entities may prescribe a particular form to be used for requests so long as it does not create a barrier or unreasonably delay access.
Providing Access. PHI must generally be provided in the format requested by the individual or in a mutually agreeable format. Individuals who request that PHI be transmitted by unencrypted email must be warned of the risks and must confirm that they still want that delivery method. (Note: Covered entities that take these steps will not be responsible if an unauthorized disclosure occurs while the PHI is in transit to the individual.) Individuals’ rights to access PHI through other unsecured means depend on the covered entity’s capabilities and on the security risk that the method would pose to other PHI maintained on its systems.
Third Parties. Covered entities must fulfill a written request to direct PHI to a third party if the request is signed by the individual and clearly identifies the designated recipient.
Timeliness. In general, covered entities must provide access to requested PHI within 30 calendar days of receiving a valid request. If a covered entity is unable to provide access within 30 days, it may extend the deadline for responding once, by no more than an additional 30 days.
Fees. The Privacy Rule permits a covered entity to impose a reasonable, cost-based fee where an individual requests a copy of PHI. The guidance specifies that covered entities may not recover costs associated with verification, documentation, searching for and retrieving PHI, systems maintenance, and capital expenditures for data access, storage or infrastructure.
The HHS guidance is available at: http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html