This article summarizes this important patient right and includes details from OCR’s 2016 Guidance on the process of providing patients with access to their protected health information (PHI). An upcoming article of Compliance Connection will be devoted to the topic of fees that can be charged to individuals for copies of their PHI, with additional updates and examples from OCR’s 2016 Guidance.

Providing Patient Access under HIPAA

Upon request, HIPAA covered entities such as community health centers and behavioral health organizations, are required to provide individuals with access to their protected health information (PHI). Individuals have the right to inspect or receive a copy of the health information contained in their medical record. This right is legally enforceable by OCR and is specified in the HIPAA Privacy Rule (the Privacy Rule). The 2016 Guidance includes specific details on the logistics of providing patients with their information from the initial patient request to fulfilling the request.

Below are key steps when handling a patient request for access to their medical record:

A. Patient Requests

Covered entities have flexibility in designing the method by which patients may request their record. For example, covered entities may require a patient to submit the request in writing, electronically, and/or through a supplied form. Covered entities must inform individuals of the organization’s requirements for patient requests.

The covered entity may not impose an unreasonable measure that serves as a barrier to access or unreasonably delays an individual’s access to their medical record. Examples of unreasonable measures include:

• Requiring a patient to physically come into the clinic when they request a record to be mailed;
• Exclusively requiring the use of an online form as not all individuals may have ready access to the internet; or 
• Needing the patient to mail a request for access (due to the probable delay in receipt and response).

OCR encourages covered entities to provide multiple options for individuals to request access.

B. Verification of Identity

The Privacy Rule specifies that covered entities must take reasonable steps to verify the identity of an individual requesting access to PHI. OCR notes that the method of verification is up to the covered entity and may depend on how the information is requested. The covered entity may not impose verification methods that create barriers or unreasonable delays in granting a patient access. According to the 2016 Guidance, if a covered entity allows patients to submit requests online, the web portal used should have authentication controls that verify an individual’s identity.

An individual’s designated personal representative(s) may also request access to the individual’s PHI. Personal representatives are those that are authorized under State law to make decisions on behalf of an individual. Covered entities should ensure that they also have a methodology in place to verify the identity of personal representatives.

C. Content

Required Information

A patient’s right to access is limited to the “designated record set” maintained by the covered entity. A designated record set includes the following:

1. Medical records and billing records;
2. Enrollment, payment, claims adjudication, and case or medical management record systems; and/or
3. Other records that are used, in whole or in part, by or for the covered entity to make decisions.

According to OCR’s 2016 Guidance, the broad array of health information to which individuals have a right to access includes “medical records, billing and payment records, insurance information, clinical laboratory test reports, X-rays, wellness and disease management program information, and notes (such as clinical case notes or “SOAP” notes… but not including psychotherapy notes…), among other information generated from treating the individual or paying for the individual’s care or otherwise used to make decisions about individuals.”

Covered entities are not required to create new information such as an explanation or analysis of the designated record set; a patient’s access is limited to only what currently exists. Nevertheless, as an alternate to or in addition to providing access to their medical record, covered entities may provide a summary of or an explanation of the information. To use this option, covered entities must ensure, in advance, that the individual chooses this option and agrees to any fees associated with production of the information.

Excluded Information

Information that is not part of the designated record set does not need to be provided in response to a patient’s request for access to their record. Examples of information that is typically excluded from an individual’s request include:

1. Quality assessment or improvement records; 
2. Patient safety activity records; 
3. Business planning, development, and management records (e.g. peer review files and provider performance evaluations); 
4. Information compiled in anticipation of a legal action or proceeding; and
5. Psychotherapy notes, which are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session, that are maintained separate from the rest of the patient’s medical record.

In circumstances where information can be excluded, covered entities may deny a patient access. For more information on the process of denial, please see the ‘Denial of Access’ section below.

D. Form, Format, and Manner

Covered entities are required to provide access to the PHI in the ‘form and format’ requested by the patient, if that form and format is readily producible. The table below explains how covered entities can satisfy the form and format protocol set forth by HHS:

*This refers to the manner in which the covered entity maintains medical records

Only in instances where a medical record is not readily producible in the manner requested or where an individual declines receipt in a format readily producible are covered entities allowed to resort to an alternate method agreed upon by the covered entity and the patient. In the 2016 Guidance, OCR provides the following example of the response to a patient request for their record in Word format:

For example, a covered entity that maintains the requested PHI only on paper may be able to readily produce a scanned PDF version of the PHI but not the requested Word version. In this case, the covered entity may provide the individual with the PDF version if the individual agrees to accept the PDF version. If the individual declines to accept the PDF version, or if the covered entity is not able to readily produce a PDF or other electronic version of the PHI, the covered entity may provide the individual with a hard copy, such as a photocopy, of the PHI.

Email and mail are considered readily producible methods and must be utilized when requested. If the patient’s record includes diagnostic images and email cannot accommodate the file size of the images, OCR expects covered entities to offer patient access through an alternate means, such as on portable media that can be mailed to the individual. If an individual requests a copy of their PHI by unencrypted email, the covered entity must provide a brief warning about the risk that the individual’s PHI could be read or otherwise access by a third party while in transit. If the individual confirms that s/he still wants to receive PHI by unencrypted email, then the covered entity must comply with the request.

HHS requires that covered entities must also provide PHI in the manner requested, such as a time and place of pick up, or mail/email format, if the manner does not present an unacceptable security risk.

E. Time Frame

A patient’s PHI should be provided within 30 calendar days of receiving the request. OCR views the 30 calendar days as an outer limit for covered entities to respond and OCR encourages covered entities to respond as soon as possible. The timeline applies regardless of:

• Whether the PHI is maintained by the covered entity or a business associate on behalf of the covered entity, or the covered entity uses a business associate to fulfill individual requests for access;
• Whether the covered entity negotiates with the individual on the format of the response;
• Whether the PHI is old, archived and/or not otherwise readily accessible.

If the 30 days is not sufficient, the covered entity may extend the time by another 30 days by informing the individual in writing why the request is delayed and providing a date by which access will be provided. The 30 day limit may only be extended once and must be extended within the initial 30 days. In the 2016 Guidance, OCR also encourages covered entities to provide the requested information in pieces as it becomes available, if the individual agrees to receive the information in such a manner.

Circumstances for Denying Access

Covered entities may not deny a patient access based upon the individual’s reasons for requesting access. The 2016 Guidance notes that “individuals, in exercising their rights of access under the Privacy Rule, are not required to state their purpose for requesting access.”

Covered entities may deny an individual’s request for access to all or a portion of the PHI requested only under certain limited circumstances. A denial of access is either reviewable (through a specific process discussed below) or unreviewable.

A. Unreviewable grounds

Covered entities may deny access on certain unreviewable grounds, including when:

• The request is for psychotherapy notes, or information complied in reasonable anticipation of, or for use in, a legal proceeding;
• The requested PHI is in a designated record set that is part of a research study that includes treatment (e.g. clinical trial) and is still in progress, provided the individual agreed to the temporary suspension of access when consenting to participate in the research; and,
• The requested PHI was obtained by someone other than a health care provider (e.g. a family member of the individual) under a promise of confidentiality and providing access to the information would be reasonably likely to reveal the source of the information.

B. Reviewable grounds

Covered entities may deny access on certain reviewable grounds. In these circumstances, an individual has a right to have the denial reviewed by a licensed health care professional designated by the covered entity who did not participate in the original decision to deny access. Reviewable grounds for denial exist when a licensed health care professional has determined, in the exercise of their professional judgment, that:

• The access requested is reasonably likely to endanger the life or physical safety of the individual or another person. This ground for denial does not extend to concerns about psychological or emotional harm (e.g., concerns that the individual will not be able to understand the information or may be upset by it);
• The access requested is reasonably likely to cause substantial harm to a person (other than a health care provider) referenced in the PHI; or
• The provision of access to a personal representative of the individual that requests such access is reasonably likely to cause substantial harm to the individual or another person.²

If denying access, the covered entity must send the patient a denial notice, written in plain language, describing the reason for the denial, the right to have the decision reviewed (if applicable), and how a complaint may be submitted to the covered entity or OCR. This denial must be sent within 30 days of receiving the request.

If some information can be segregated from the deniable information, then that information must be separated and provided to the individual.

Takeaways and Tips

In order to respond to a patient's request to access their record, health centers must have appropriate policies and procedures in place so they can respond in a timely fashion. Health centers should ensure that they have policies in place to address requests for PHI, which includes procedures on the following:

• Patient medical record requests; 
• Verification of patients and personal representatives; 
• Content of the designated record set; 
• Form, format, and manner of addressing requests; 
• Timing of addressing request; 
• Grounds for denying access, protocol for denying access, and methodology to review denial; and 
• Fees.

Readers with an active subscription that includes our HIPAA Privacy Toolkit may find it helpful to review the Sample Policy and Procedure: A Patient's Right to Access Protected Health Information. For more information about the HIPAA Privacy Toolkit, please click here.

 AUTHOR’S NOTE: The author thanks Ty Kayam, candidate for Juris Doctor and Master of Public Health at Northeastern University School of Law, for her contribution to the preparation of this article.

1. U.S. Department of Health and Human Services, Office of Civil Rights, Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524, available at http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/ (last accessed Jul. 9, 2016).

2. Emphasis added by U.S. Department of Health and Human Services, Office of Civil Rights.