Handling Requests to Access PHI under HIPAA

By Sheba Vine, JD, CPCO, VP & General Counsel, 1st Healthcare Compliance
Twitter: @1sthcc

HIPAA provides patients with fundamental rights to access, inspect and obtain a copy of their health information for as long as the information is maintained by the healthcare provider (covered entity) regardless of the date created, format of the PHI or where the PHI originated. Individuals also have the option of requesting a summary or explanation of the PHI requested. In responding to these requests, providers should be aware of the requirements under the HIPAA Privacy Rule.

HIPAA does not require these requests to be in a specific format. Healthcare providers may accept oral requests, require patients to submit written requests, or require them to complete a form prepared by the provider. However, the provider must make patients aware of such requirements and cannot impose unreasonable measures that act as barriers to (or could unreasonably delay) a patient’s access. HHS lists the following examples as unreasonable measures:

  • If a patient asks to have a copy of their medical records mailed to their home address, the doctor may not require the patient to travel to the doctor’s office to request access and provide proof of identity.
  • A doctor may not require a patient to use a web portal for requesting access because not all patients may have access to the Internet.
  • A doctor may not require a patient to mail in a request for access because such a requirement could unreasonably delay the provider’s receipt of the request and thus, the patient’s access.

To avoid creation of any such barriers or delays, providers are encouraged to offer more than one method for patients to request access to their health information.

A patient’s right to access pertains to PHI within a designated record set, which is a group of records maintained by or for a provider, including such items as:

  1. the patient’s medical and billing records,
  2. enrollment, payment, claims adjudication, and case or medical management record systems kept by or for a health plan, and
  3. any other records that are used by or for the provider to make decisions about individuals.

Access to PHI outside the scope of the designated record set is not permitted because such information is not used to make decisions about individuals. Examples of items that are not part of the designated record set include quality assessment records, patient safety activity records, or business planning, development, and management records that are used to make business decisions.

Once a patient request is received, the provider has 30 days to respond. According to HHS, 30 days is an outer limit and providers are expected to respond in a timely manner, well before 30 days. In the event this is not possible, and the patient is agreeable, the provider is encouraged to give access to the PHI as it becomes available. HIPAA does allow a one-time 30-day extension if the provider gives written notice within the initial 30-day period to the patient, along with the reasons for the delay and a date that access will be provided.

The provider should give access to PHI in the form and format requested by the patient, if readily producible. In this regard, providers are expected to have the capability to transmit PHI by mail and email if requested by the individual and therefore cannot require an individual to travel to the provider’s physical location in order to obtain the requested PHI.

On the other hand, if the patient’s request to access all or a portion of PHI is denied, the patient has the right, in certain circumstances, to have the denial reviewed by a licensed healthcare professional designated by the provider.

Finally, the provider can only charge a cost-based and “reasonable” fee for providing the PHI. Fees for copies may only include the cost of labor, paper or electronic supplies, postage if mailed, and, if requested, the time to prepare a summary or explanation of the PHI. Costs associated with verification and documentation, searching for or retrieving PHI, and maintaining systems and storage cannot be passed on to the patient. For more information visit the following HHS links: Fees for Copies and Clarification of Permissive Fees.

This article was originally published on 1st Healthcare Compliance and is republished here with permission.