Guidance or warning? HHS addresses an individual’s HIPAA right of access
On January 7, 2016, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released guidance on the rights of individuals to access and obtain copies of their health information, and on related obligations of HIPAA covered entities and their business associates.
Under the Privacy Rule, patients have the right to access their protected health information (PHI) held by a covered entity (e.g., most health care providers and health plans) or business associate of a covered entity in a “designated record set.” In particular, patients have rights to inspect and obtain copies of their PHI and to direct the covered entity to transmit a copy of their PHI to persons or entities designated by the patient. HIPAA covered entities and their business associates have corresponding obligations to allow such access upon request as long as they maintain the PHI in paper or electronic form, generally regardless of when and where the PHI was created.
This guidance consists of a fact sheet and Frequently Asked Questions (FAQs) explaining various aspects of patient access, including:
PHI that is included within a “designated record set” and therefore generally subject to patient access
Categories of PHI that are not subject to HIPAA patient access rights, namely, (i) psychotherapy notes, (ii) information compiled for use in litigation or an investigative proceeding or in reasonable anticipation of such use, and (iii) information that is not part of a designated record set
The process for requesting access, including the covered entity’s obligation to verify the identity of the person requesting access
Format, timing and manner of patient access and copies
Grounds to deny access, as well as requirements to provide notice and review of denial of access
Interplay and distinctions between individual access rights under the Privacy Rule and electronic health record (EHR) incentive programs
Covered entity responsibilities when a patient requests transmission of PHI in an unsecure manner (patient should be warned and accept the risks before unsecure transmission)
When a laboratory report is completed and therefore subject to patient access
In addition to informing individuals of their right to access their health information and reminding covered entities and business associates of their obligations to provide access, this guidance should be viewed as a warning to covered entities and business associates who fall short in providing access. Last summer OCR officials observed high volumes of patient access complaints and indicated OCR’s intention to issue guidance, which it has now released. In announcing this guidance, OCR Director Jocelyn Samuels suggested that patient access is a high priority issue for OCR:
…, it is more important than ever for individuals to have ready access to their health information. Unfortunately, based on recent studies and our own enforcement experience, far too often individuals face obstacles to accessing their health information, even from entities required to comply with the HIPAA Privacy Rule. This must change.
Covered entities and business associates should review this guidance and update their policies, procedures and training to ensure compliance with their obligations to provide individuals with access to their health information.
Note: The Privacy Rule defines “designated record set” to include a broad range of health information, such as medical records, billing and payment records, insurance information, completed lab and imaging test reports, clinical case notes, and other information that is used to make decisions about the individual.