Since its inception, the HIPAA Privacy Rule’s requirements have been aggressively enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). More recently, the HIPAA Privacy Rule’s right of access provisions have received a lot of attention. Since 2019, a total of 41 cases have been resolved. So far this year, there have been a total of 18 resolution agreements between OCR and covered entities.
When entering into a resolution agreement with OCR, a covered entity will generally pay an agreed upon resolution amount (e.g., $30,000) and comply with a corrective action plan. A corrective action plan may require an organization to develop, maintain, and/or revise policies and procedures regarding the privacy of individually identifiable health information and patient rights to access their health information. Corrective action plans also include other requirements such as providing training to all members of the workforce on policies and procedures including providing timely access to protected health information (PHI).
Summary of Current Right of Access Provisions
While the OCR provides an in-depth overview, we have found it is helpful for healthcare organizations to have a summarized version to easily understand the requirements of the right of access provisions.
Upon request covered entities are required to provide individuals with access to their health information that is held in designated record sets maintained by the covered entity. For most organizations, this would be records maintained in the electronic medical record (EMR); however, it would also include any records preserved in a paper chart, or stored on electronic media, etc. This means, individuals have the following rights:
• The right to inspect or obtain a copy, or both, of the health information.
• The right to direct a covered entity to transmit a copy to a designated person or entity of the individual’s choice.
• To access their health information as long as it is maintained by a covered entity or business associate.
What is a designated record set?
According to HHS, individuals have a right to access a broad array of health information. Designated record sets include medical records, billing records, payment and claims
records, health plan enrollment records, case management records, as well as other records used, in whole or in part, by or for a covered entity to make decisions about individuals.
Individuals do not have a right to:
- Access health information that is not part of the designated record set.
- Access the psychotherapy notes that a mental health professional maintains separately from the individual’s medical record and that document or analyze the contents of a counseling session with the individual.
- Access Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
If an individual has appointed a personal representative in accordance with their State law, they have rights such as accessing health information about the individual in a designated record set, transmitting health information to a designated individual or entity, upon request.
How to Handle Requests for Access
The HHS guidance goes into significant detail on how to respond to access requests, including the form and format and manner of access, timeliness in providing access, fees for copies, how to handle a denial of access, the individual’s right to direct health information to another person, and State laws considerations. The following are recommended procedures to ensure healthcare organizations are compliant with current right of access provisions.
1. Patients or their personal representatives should submit requests for access or copies of their health information in writing. If you permit requests to be submitted verbally, be sure to maintain documentation of when the verbal request was submitted and when records were provided.
2. Requests for access are required to be fulfilled no later than 30 days following the receipt of the written or verbal request. If for some reason the request for access or copies of records cannot be provided within 30 days, the patient or personal representative must be provided a reason in writing stating why access to or copies of the records cannot be provided and when the expected date of completion is.
3. If for some reason health records have been destroyed or are no longer in possession, the patient or personal representative must be notified in writing. Preferably, this will include information regarding where the patient or representative may locate the requested records.
4. If a copy of the requested information is used or maintained electronically, it must be provided in the electronic form or format requested if it is readily producible.
5. If it is not readily producible, the records should be offered to be produced it in at least one readable electronic format that is agreed upon by the patient or their representative and the healthcare organization.
6. The patient or personal representative may also direct to transmit a copy of the information in electronic format to any other entity or person, provided that the request is clear and specific.
7. A healthcare organization privacy officer or designated employee must obtain verification of the requestor’s identity before granting access to the record.
Proposed Updates to Right of Access Requirements
As part of a Notice of Proposed Rulemaking issued by HHS in 2020, several updates to the HIPAA Privacy Rule including patient access requirements were included. In 2021 when HHS started receiving additional comments on the proposed rule, updates were anticipated as early as 2022. The proposed changes are now expected to be enforceable in 2023. Here are seven (7) of the most notable updates to the Right of Access requirements organizations should be prepared for:
1. Instead of 30 days to provide patients access to health information covered entities will have 15 days.
2. Patients are allowed to inspect their health information in person. This includes taking notes or photographs of their health information.
3. Under certain circumstances health information must be provided to individuals at no charge.
4. Estimated charges for access and disclosures should be posted on covered entities websites.
5. Transfer of health information to a third party is limited to health information maintained in an EHR.
6. Individuals will be able to request health information be transferred to a personal health application.
7. Covered entities will be required to respond to certain records requests from other covered healthcare providers and health plans, in cases when an individual directs those entities to do so under the HIPAA right of access.
Having a good understanding of and knowing what steps to take to comply with HIPAA’s Right of Access Provisions is critical for healthcare organizations. Rights of Access complaints are taken very seriously by the OCR. In 2023 when the proposed updates to the HIPAA Privacy Rule including Right of Access requirements are enforced, it will be important to review current policies and procedures and make updates as needed, such as changing timeframes to 15 days instead of 30; posting access and disclosures fee schedules; and allowing patients to inspect in person and take notes and photographs of their health information are some notable changes to be prepared for.
About the Author
Chad Schiffman joined Healthcare Compliance Pros (HCP) in 2014 as the Director of Compliance. Chad’s seasoned background includes over 20 years combined experience in healthcare, information technology and compliance consulting services. Chad is primarily involved in consulting with healthcare clients about their HIPAA and HIPAA HITECH-related issues including breach determination, breach mitigation and corporate OIG and CMS compliance.
Chad is involved in several on-site client audits and helps successfully implement HIPAA regulatory requirements to protect healthcare organizations from serious fines related to audits and breaches. Through his national experience in remediating regulatory issues, Chad possesses a broad knowledge of U.S. state and federal agencies and provides in-depth regulatory support and assistance for all clients.
In addition to working directly with clients related to all compliance matters, Chad is also a main contributor to HCP’s weekly healthcare forum where he shares his expert
knowledge related to industry topics, trending compliance news, and new regulation requirements. Chad is a published author with several advocacy groups including MGMA, AAOE, RBMA, AOA, PAHCOM, and HBMA.
Chad holds undergraduate degrees in the areas of Medical Specialties and Healthcare Administration, and a master’s degree in Healthcare Informatics.