Understanding HIPAA Right of Access- A Patient’s Right to Access their Medical Records
According to a recent study there has been widespread noncompliance with the HIPAA right of access. In fact, more than half of the providers that were assessed in this report were either not fully compliant with the HIPAA law or it took multiple attempts before becoming compliant. (1)
What is HIPAA Right of Access?
The HIPAA Privacy Rule provides patients with a legal and enforceable right to obtain copies of the information in their medical records, upon request. Furthermore, covered entities are required to provide individuals with access to their PHI (protected health information) when requested in one or more “designated record sets” maintained by or for the covered entity. This also includes the right to obtain or transmit a copy of the PHI to a designated person or entity of the patient’s choice. (2)
What is a Designated Record Set?
A “designated record set” is defined as a group of records maintained by or for a covered entity. A record is any item or group of information that includes PHI and is kept, collected, used, or disseminated by or for a covered entity. Including:
However, when a covered entity responds to a patient request for medical records, they are not required to create any additional information, such as explanatory materials that do not already exist in the designated record set.
Information Excluded from the Right of Access
A patient does NOT have a right to access PHI that is not part of a designated record set because the information is not used to make decisions about the patient. This may include quality assessments or improvement records, hospital peer review files, patient safety records, or business planning and management records that are used for business decisions rather than to make decisions about patients.
Additionally, patients do NOT have the right to access the following:
Requests for Access
A covered entity may require patients to submit their requests for health records in writing, but they must inform patients of this requirement. Additionally, covered entities may offer patients the option to use email/secure web portal to make their request or by supplying a form. As long as the request to not create unreasonable delay from the patient obtaining their PHI. (2,3)
Timeliness in Providing Access
When providing patients access to their PHI, a covered entity must provide this information no later than 30 calendar days from receiving the request. While this is the maximum limit, covered entities are encouraged to respond as soon as possible.
If the covered entity is unable to provide access within the 30-day requirement, for reason such as the information is offsite and not readily accessible---then the covered entity may extend this timeframe no more than 30 additional days. The extension must be provided in writing with the reason for the delay, and the date by which the patient will receive the PHI. Only one extension is permitted per access request. (2,3)
For questions regarding the Right to Access or HIPAA regulations contact the experts at MedSafe. MedSafe is the nation's leading one-stop resource for outsourced safety and health compliance solutions in healthcare.
Toll-free: (888) MED-SAFE
References: