FAQs About HIPAA and the Right of Access Part two

This article is a continuation or of our discussion about the HIPAA right of access to public health information requirements. Here are more US HHS Frequently Asked Questions (and Answers) about the right of patients to access their private health information.

Scope of Information Covered by Access Right

What personal health information (PHI) do individuals have a right under HIPAA to access from their health care providers and health plans?

Generally, patients can, on request, obtain their medical and health information which is about the patient – in one or multiple designated record sets kept by the patient’s providers and health plants (the covered HIPAA entities).

A designated record set includes:

• Medical records
• Billing records
• Payment and claims records
• Health plan enrollment records
• Case management records
• Clinical laboratory tests
• X-rays
• Wellness and disease management records
• Psychotherapy notes with some limitations.
• Other records used to make decisions about the patient’s health

The right of access to these records applies to covered entities and to “business associates” of the covered entities. The covered entity is only required to provide access to the patient health information (PHI) which the patient actually requests.

The HIPAA right of access does not include such things as peer review files, health practitioner evaluations, and quality control records. The right of access to psychotherapy notes does not apply to notes “that a mental health professional maintains separately from the individual’s medical record and that document or analyze the contents of a counseling session with the individual.” The right of access also doesn’t cover, though it doesn’t necessarily prohibit, information compiled “in reasonable anticipation of, or for use in, a legal proceeding.”

Does the right to access information apply to paper medical records or just electronic medical records?

The right applies to both electronic and medical records – and other formats too. However, the covered entity only needs to produce the information requested once (when the PHI is kept in multiple record sets).

Does the individual have a right to access PHI about themselves maintained by a covered entity that is very old or is archived?

Yes. The date the information was created, and whether the information is kept onsite or offsite, doesn’t affect the right to access the information. Some limited exceptions may apply.

Does an individual have a right under HIPAA to access PHI about the individual maintained by a business associate of a covered entity?

Yes. This means the covered entity must, if a patient exercises his/her right to access, provide the PHI that the entity holds AND the PHI that any of its associates holds. The health provider or other covered entity is not required to provide duplicate records if the provider and the business associate both have the same designated record set.

There is a related question. Is the business associate required to provide the PHI directly to the patient/individual who requests the PHI – or does the business associate provide the PHI to the covered entity who then provides the PHI to the patient/individual? The answer to this question is generally controlled by the business associate agreement between the covered entity and the business associate.

“Regardless of the agreement, the PHI is required to be given to the patient within the 30 calendar day timeframe (60 calendar days for applicable extensions) once the request is made to either the covered entity or to the business associate. “All of the access requirements that apply with respect to PHI held by the covered entity (e.g., limitations on fees that may be charged) apply with respect to PHI held by the business associate.”

Does an individual have a right under HIPAA to access, from a clinical laboratory, the genomic information the laboratory has generated about the individual?

Yes. A patient can request access to a designated record set that includes the laboratory test reports and the underlying information the test generates and related test information.

“For example, a clinical laboratory that is a HIPAA covered entity and that conducts next generation sequencing (NGS) of DNA on an individual must provide the individual, upon the individual’s request for PHI concerning the NGS, with a copy of the completed test report, the full gene variant information generated by the test, as well as any other information in the designated record set concerning the test.”

Does the HIPAA right of access include more than just clinical laboratory test results?

Yes. Patients can request a designated record set maintained by or for a clinical laboratory that is a covered entity. If the patient requests access to all the information the laboratory has about the patient, the laboratory must provide access to all the lab’s PHI. For example, the lab may be required to provide:

• Completed test reports
• Underlying data used to generate the reports
• Test orders
• Ordering provider information
• Billing information
• Insurance information

The Timelines for Providing Access

Why does HIPAA give covered entities 30 days to supply PHI when so much information is digitized and would seem to be deliverable in a much shorter time frame?

It is true that many requests can be fulfilled in very short time frames if the information is stored electronically. It’s also true that there are often times when the patient needs the information promptly. The HIPAA Privacy Rule (which governs the right to access) recognizes that not every covered entity has a current and efficient information system. The 30-day time frame is a way to recognize some entities need more time to locate the PHI and more time to then provide the PHI in the format the patient/individual requests. The 30-day limit is essentially an outer limit (unless there is a request for an extension). Most entities should be able to prove the PHI in less than 30 days. Some covered entities should be able to provide the information instantaneously.

Form and Format and Manner of Access

Under the HIPAA Privacy Rule, do individuals have the right to an electronic copy of their PHI?

Yes – provided the covered entity such as a health provider keeps its PHI information electronically. Further, the covered entity must provide the individual with access to the PHI in the electronic form and format requested by the individual, if the PHI is readily producible in that form and format, or if not, in a readable alternative electronic format as agreed to by the individual and covered entity. See 45 CFR 164.524(c)(2)(ii).

When the covered entity uses electronic record keeping methods, the entity should also be able to print out a copy – but only if the person making the request declines to receive the PHI electronically.

What is the intersection of the HIPAA right of access and the HITECH Act’s Medicare and Medicaid Electronic Health Record Incentive Program’s “View, Download, and Transmit” provisions?

“Under the HIPAA Privacy Rule, an individual has the right to access PHI maintained about the individual by a covered entity in a designated record set. This may contain electronic or non-electronic PHI. “

“Under the HITECH Act’s Electronic Health Record (EHR) Incentive Program, eligible professionals, eligible hospitals, and critical access hospitals (CAHs) may receive incentive payments under Medicare and Medicaid and avoid payment reductions under Medicare for successfully demonstrating meaningful use of Certified EHR Technology, which includes providing patients the ability to view online, download, and transmit their health information.”

“It is important to note that in some respects the EHR Incentive Program contains more exacting standards than the baseline requirements of the HIPAA Privacy Rule, while the HIPAA Privacy Rule contains more comprehensive requirements than the EHR Incentive Program (e.g., the HIPAA Privacy Rule access right applies to electronic and paper records, while the EHR Incentive Program applies to certain electronic records).”

The US HHS discussion of this question is quite lengthy. An experienced healthcare lawyer can explain the US HHS response in more detail.

Can patients (based on the HIPAA right of access requirements) obtain copies of their x-rays or other diagnostic images, and if so, in what format?

Yes. Covered entities are required to provide medical records including X-Rays and other images. Additionally, the covered entity must provide the imaging information in the form and format the patient requests – as long as the covered entity can produce the image in that form and format.

“The large file size of some x-rays or other images may impact the mechanism for access.”

Is a covered entity responsible if the entity complies with an individual’s access request to receive PHI in an unsecure manner (e.g., unencrypted e-mail) and the information is intercepted while in transit?

Generally, covered entities should use reasonable safeguards in responding to a person’s right of access request (such as entering the correct e-mail address.

“Covered entities are not responsible for a disclosure of PHI while in transmission to the individual based on the individual’s access request to receive the PHI in an unsecure manner (assuming the individual was warned of and accepted the risks associated with the unsecure transmission). This includes breach notification obligations and liability for disclosures that occur in transit.”

Generally, covered entities aren’t responsible for “safeguarding the information once delivered to the individual.” If a covered entity does learn of a breach, the entity is responsible for notifying the person who made the request of the breach. The entity “may be liable for impermissible disclosures of PHI that occur in all contexts except when fulfilling an individual’s right of access under 45 CFR 164.524 to receive his or her PHI or direct the PHI to a third party in an unsecure manner.”

Other Right of Access Questions

Is a health care provider permitted to deny an individual’s request for access because the individual has not paid for health care services provided to the individual?

No. The entity does have the right to charge a reasonable, cost-based fee for the copy of the PHI. However, the covered entity cannot deny the individual access to the PHI because the entity’s bill for healthcare services hasn’t been paid.

Under HIPAA, when can a family member of an individual access the individual’s PHI from a health care provider or health plan?

Generally, a person (such as a patient) can designate a personal representative who has the right to ask for the PHI for that patient. The HIPAA Privacy Rule requires that the “personal representative is someone authorized under State or other applicable law to act on behalf of the individual in making healthcare-related decisions.” A common example is when an authorized personal representative of a patient’s estate makes the request for the PHI. Personal representatives may also include people who have a valid power of attorney or similar authority to act when a patient becomes physically or mentally incompetent.

Alternatively, a patient can usually request (in writing) that the covered entity send the PHI to a person, such as a family member, that the patient directs.

The HHS FAQs confirm the broad scope of the HIPAA right of access rule. Generally, if a patient asks for his full medical profile, all relevant healthcare information should be disclosed. Business associates must also comply with the HIPAA right of access requirements. The goal of the right of access rule is to enable the patient to understand his/her healthcare issues. The doctor’s goal is to serve the patient.

Doctors and medical practices should contact Cohen Healthcare Law Group, PC for legal advice on HIPAA right of access and other HIPAA issues. Our experienced healthcare attorneys help healthcare providers establish HIPAA compliance protocols.