HIPAA and Access. Legal Summary and Recent Investigations

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required that the Secretary of the U.S. Department of Health and Human Services (HHS) develop regulations protecting the privacy and security of certain health information. To put these protections in place, HHS issued the following two rules:

  • The HIPAA Privacy Rule. “The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information.”
  • The HIPAA Security Rule. “The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form.”

HHS describes the environment the Security Rule addresses as follows: “Today, providers are using clinical applications such as computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems. Health plans are providing access to claims and care management, as well as member self-service applications. While this means that the medical workforce can be more mobile and efficient (i.e., physicians can check patient records and test results from wherever they are), the rise in the adoption rate of these technologies increases the potential security risks.”

“A major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care.”

HIPAA requires that entities covered by HIPAA grant individuals the right to inspect their protected health information (PHI) and to obtain a copy of it. There are specific rules on how this access must be provided, codified at 45 CFR § 164.524. Within HHS, the Office for Civil Rights (OCR) has issued guidance on this right of access and is responsible for enforcing the Privacy and Security Rules, including through voluntary compliance activities and civil money penalties.

“The guidance remains in effect only to the extent that it is consistent with the court’s order in Ciox Health, LLC v. Azar, No. 18-cv-0040 (D.D.C. January 23, 2020), which may be found at https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2018cv0040-51. More information about the order is available at https://www.hhs.gov/hipaa/court-order-right-of-access/index.html. Any provision within this guidance that has been vacated by the Ciox Health decision is rescinded.”


The HIPAA Right of Access

Patients should have the right to access their PHI because the information gives them control over their health decisions. For example, patients who have access to their health information can better monitor their health conditions, adhere to their treatment plans, correct mistakes in their health records, track their progress, and contribute their information to research.

As technology advances, patients should have more ways to access their health information in real-time. While there are some exceptions, the HIPAA Privacy Rule (the Privacy Rule) gives “individuals a legal, enforceable right to see and receive copies upon request of the information in their medical and other health records maintained by their health care providers and health plans.”

Covered entities that must provide access to health records generally include:

  • Health care providers. This includes the following – but only if the providers transmit information in an electronic form for which HHS has adopted a standard:
    • Doctors
    • Clinics
    • Psychologists
    • Dentists
    • Chiropractors
    • Nursing Homes
    • Pharmacies
  • Health plans include:
    • Health insurance companies
    • HMOs
    • Company health plans
    • Government programs such as Medicare, Medicaid, and the military and veterans’ health care programs that pay for health care
  • Healthcare clearinghouses. “This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.”

Generally, the covered entity must provide the PHI contained in the “designated record sets” that it maintains. The right of access, according to the OCR guidance, includes:

  • Both the right to inspect the PHI and have a copy of the PHI.
  • “The right to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice.”

The right of access lasts “as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated (e.g., whether the covered entity, another provider, the patient, etc.).”


What information is included in the right of access? The “designated record set”

The designated record set, according to the OCR guidance, consists of a group of records maintained by or for a covered entity that comprises the:

  • Medical and billing records about a person kept by or for a covered health care provider
  • Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan
  • Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. “This last category includes records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.”

The word “record” means “any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity.”

This means patients have a broad right of access to medical information about themselves including:

  • Medical records
  • Billing records
  • Insurance information
  • Medical test results including X-Ray images and other images
  • Wellness information
  • Disease management files
  • Clinical case notes

Covered entities are not required to create new information such as explanations that aren’t already in the designated record set.

What information is not part of the right of access?

Patients don’t have the right to access PHI that isn’t part of the designated record set, because that information isn’t used to make decisions about individuals. A health provider, for example, doesn’t have to provide business planning records, certain quality assessment information, patient safety activity records, or other information used to make business decisions rather than decisions about individuals. A physician’s performance review records, even if they include a person’s PHI, might therefore not be part of the designated record set. Two categories of information are specifically excluded from the right of access:

  • “Psychotherapy notes, which are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session, that are maintained separate from the rest of the patient’s medical record. See 45 CFR 164.524(a)(1)(i) and 164.501.”
  • “Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. See 45 CFR 164.524(a)(1)(ii).”

Personal Representatives

Generally, a person’s personal representative, meaning someone with authority under state law to make health care decisions for that person, also has the right of access to PHI about that individual, subject to certain conditions.

How to make the requests for access

The form of the request

  • Writing. Covered entities do have the right to require that people submit a right of access request in writing – as long as the covered entity informs the person of this requirement.
  • Electronically. Covered entities can give the individual the option of making the right of access request electronically, such as by email or through a secured web portal.
  • A form. Covered entities can require that individuals use the entity’s own form – provided the form doesn’t unreasonably delay the person’s ability to access his/her PHI.


The Privacy Rule does require that the covered entity “take reasonable steps to verify the identity of an individual making a request for access.”

There’s no specific form of verification. The manner of verification is generally up to the covered entity’s professional judgment – provided there are no unreasonable barriers to accessing the PHI. Verification methods may vary depending on the method of request (writing, electronic, or form).

“For example, if the covered entity requires that access requests be made on its own supplied form, the form could ask for basic information about the individual that would enable the covered entity to verify that the person requesting access is the subject of the information requested or is the individual’s personal representative.”

Unreasonable Measures

Covered entities generally can’t impose unreasonable measures that restrict the right of access (beyond the identity verification described above). Examples of unreasonable measures include the following.

Physicians can’t require that a patient:

  • Come to the physician’s office to request access and verify their identity, when the patient wants the PHI mailed to their home address
  • Use a web portal – since some people may not have the technology or tech skills to use a web portal
  • Mail the right of access request – because this could cause an unreasonable delay.

Generally, covered entities should consider multiple right of access options.

While a covered entity may not require individuals to request access in these manners, a covered entity may permit an individual to do so, and covered entities are encouraged to offer individuals multiple options for requesting access.

How should access be provided?

The covered entity should, when possible, provide the PHI to the individual in the form and manner that the individual requests. If, for example, the individual requests electronic access, then the PHI should be provided in electronic form. Common forms of access include:

  • Paper copies. Generally, all covered entities should be able to provide PHI in paper form.
  • Electronic copies.
    • If the covered entity keeps the PHI only on paper, it should still produce an electronic copy if it is readily able to do so, such as by scanning the paper record.
    • If the PHI is kept electronically, then “the covered entity must provide the individual with access to the information in the requested electronic form and format, if it is readily producible in that form and format.”
    • If the PHI can’t be readily produced in the requested electronic form, then the covered entity must produce the PHI in an agreed-upon “alternative readable electronic format.” “This means that, while a covered entity is not required to purchase new software or equipment in order to accommodate every possible individual request, the covered entity must have the capability to provide some form of electronic copy of PHI maintained electronically.” Only if the person declines all available electronic formats may a hard copy of the PHI be provided instead.

A summary of the PHI, or an explanation provided along with the PHI, may be supplied instead if the person making the request agrees in advance to receive the information in that way and agrees to any fees that may (subject to the provisions on right of access fees) “be charged by the covered entity for the summary or explanation.”

Other access issues include the time and place at which the individual may inspect or pick up the PHI, and arrangements for having the PHI mailed or emailed. Other factors, such as the security considerations of the chosen delivery method, may also need to be taken into account.

Right of access time requirements

Generally, the covered entity must act on the request no later than 30 calendar days from the date it is received. In many cases, the information can be supplied almost immediately. Where necessary, the entity may take one additional 30-day extension, provided it notifies the individual in writing of the reasons for the delay and the date by which the request will be completed.

The fees for the PHI

The Privacy Rule does allow the covered entity to charge a reasonable, cost-based fee for the PHI. The fee may include only the cost of labor for copying the PHI and of supplies for creating the copy. Postage may be charged if the PHI is mailed. The entity can also charge for “preparation of an explanation or summary of the PHI if agreed to by the individual.” The fee can’t include the cost of verifying the individual, “documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; or other costs not listed above even if such costs are authorized by State law.”

The Office for Civil Rights has issued guidance on the right of access of patients and of qualified individuals, such as personal representatives, to the patient’s protected health information. The guidance covers the manner and form of the request, what information doesn’t need to be provided, the fees that can be charged for the PHI, and many other topics.

Doctors and medical practices should contact Cohen Healthcare Law Group, PC for legal advice on HIPAA right of privacy and right of access issues. Our experienced healthcare attorneys will review the HIPAA requirements and penalties for noncompliance.
