Under the HIPAA Privacy Rule, covered entities are required to provide individuals with access to their protected health information (PHI) upon request, which is often called “right of access”. But while individuals have rights to their PHI, there are some very important nuances around what can and should be included in response to a record request.
THE DESIGNATED RECORD SET
Requested information is typically defined within a “designated record set” (DRS), which includes information maintained by a covered entity. Unless a very good, limited reason exists for excluding a piece of information, it is most likely considered part of the DRS.
At a minimum, a designated record set typically includes:
- For health plans: information regarding enrollment, payment, claims adjudication, and case or medical management record systems
- For covered entities (healthcare providers): medical and billing records maintained by or for the provider, lab results, imaging
So what is excluded from the designated record set? Well, not much but the exclusions that do exist are important to note:
- Psychotherapy notes – these are considered personal notes of a therapist that typically are not required or useful for treatment, payment, or health care operations purposes
- Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding
FIVE THINGS TO KNOW ABOUT REQUESTS FOR ACCESS
- The covered entity must act on a request for access quickly but no later than 30 days after receipt of the request. If this cannot be met, they may have one extension with a written statement of the reasons for the delay and the date to complete action on the request
- Verification is required. The Privacy Rule generally leaves the type and manner of verification to the discretion of the covered entity (oral, written, etc.), provided the verification processes does not create delays in providing access (i.e., in-person, web portal, or physical mail proof)
- Access must be provided to the individual in the form and format requested. If the format is not available, a readable hard copy or such other form as agreed upon must be provided
- Any requests for access to be provided to another person must be clear, written, and signed
- Covered entities may impose a reasonable, cost-based fee. This only includes costs directly related to copy labor, supplies, postage, or preparation (if agreed upon by requesting individual) of summaries
ARE THERE ANY CIRCUMSTANCES WHERE ACCESS CAN OR SHOULD BE DENIED?
Specific circumstances allow a covered entity to deny a request for access. These are categorized as either reviewable or unreviewable.
Here are the unreviewable grounds for denial:
- The request is for psychotherapy notes, or information compiled in reasonable anticipation of, or for use in, a legal proceeding
- A covered entity that is a correctional institution (or a provider acting under the direction of a correctional institution) may deny an inmate’s request to obtain protected health information if it would threaten the health, safety, security, custody, or rehabilitation of the individual or of other inmates, or the safety of others at or related to the correctional institution
- PHI part of research or treatment studies may be temporarily suspended for the course of the study (if the individual agreed to the denial of access when consenting to participate in study with understanding that access will be reinstated upon research completion)
- PHI contained in Privacy Act protected records (i.e., records maintained by a government agency) may be denied, if the denial of access under the Privacy Act would meet the requirements of that law
- PHI obtained from someone other than a provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information
And the reviewable grounds for denial:
- Requested access is reasonably likely to endanger the life or physical safety of the individual or another person (this does not include psychological harm or emotional distress)
- The access requested is reasonably likely to cause substantial harm to a person (other than a health care provider) referenced in the PHI
WHAT ABOUT HIPAA AUTHORIZATION FORMS?
Individuals may also request PHI through a HIPAA authorization form, and this type of request actually differs from the HIPAA right of access. Unlike the exercise of one’s right under HIPAA to access PHI, when a covered entity receives a valid HIPAA authorization form, HIPAA permits, but does not require, the covered entity to disclose PHI1.
HIPAA authorizations require certain “core elements” not required in a HIPAA right of access request to be valid. A description of the information to be used or disclosed that identifies the information in a specific and meaningful manner (i.e., HHS has made clear that requests for “all PHI” are not specific enough, but one’s “entire medical record” is2).