
2/20/2017 Individuals' Right under HIPAA to Access their Health Information | HHS.gov

HHS.gov U.S. Department of Health & Human Services

Health Information Privacy

Individuals' Right under HIPAA to Access their Health Information 45 CFR 164.524

Newly Released FAQs on Access Guidance

New Clarification: $6.50 Flat Rate Option is Not a Cap on Fees for Copies of PHI

Introduction

Providing individuals with easy access to their health information empowers them to be more in control of decisions regarding their health and well-being. For example, individuals with access to their health information are better able to monitor chronic conditions, adhere to treatment plans, find and fix errors in their health records, track progress in wellness or disease management programs, and directly contribute their information to research. With the increasing use of and continued advances in health information technology, individuals have ever expanding and innovative opportunities to access their health information electronically, more quickly and easily, in real time and on demand. Putting individuals "in the driver's seat" with respect to their health also is a key component of health reform and the movement to a more patient-centered health care system.

The regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which protect the privacy and security of individuals' identifiable health information and establish an array of individual rights with respect to health information, have always recognized the importance of providing individuals with the ability to access and obtain a copy of their health information. With limited exceptions, the HIPAA Privacy Rule (the Privacy Rule) provides individuals with a legal, enforceable right to see and receive copies upon request of the information in their medical and other health records maintained by their health care providers and health plans.

General Right

The Privacy Rule generally requires HIPAA covered entities (health plans and most health care providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more "designated record sets" maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual's choice. Individuals have a right to access this PHI for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated (e.g., whether the covered entity, another provider, the patient, etc.).

https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html 1/41

Information Included in the Right of Access: The "Designated Record Set"

Individuals have a right to access PHI in a "designated record set." A designated record set is defined at 45 CFR 164.501 as a group of records maintained by or for a covered entity that comprises the:

- Medical records and billing records about individuals maintained by or for a covered health care provider;

- Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or

- Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. This last category includes records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.

The term "record" means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity.

Thus, individuals have a right to a broad array of health information about themselves maintained by or for covered entities, including: medical records; billing and payment records; insurance information; clinical laboratory test results; medical images, such as X-rays; wellness and disease management program files; and clinical case notes; among other information used to make decisions about individuals. In responding to a request for access, a covered entity is not, however, required to create new information, such as explanatory materials or analyses, that does not already exist in the designated record set.

Information Excluded from the Right of Access

An individual does not have a right to access PHI that is not part of a designated record set because the information is not used to make decisions about individuals. This may include certain quality assessment or improvement records, patient safety activity records, or business planning, development, and management records that are used for business decisions more generally rather than to make decisions about individuals. For example, a hospital's peer review files or practitioner or provider performance evaluations, or a health plan's quality control records that are used to improve customer service or formulary development records, may be generated from and include an individual's PHI but might not be in the covered entity's designated record set and subject to access by the individual.

In addition, two categories of information are expressly excluded from the right of access:

- Psychotherapy notes, which are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session, that are maintained separate from the rest of the patient's medical record. See 45 CFR 164.524(a)(1)(i) and 164.501.

- Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. See 45 CFR 164.524(a)(1)(ii).

However, the underlying PHI from the individual's medical or payment records or other records used to generate the above types of excluded records or information remains part of the designated record set and subject to access by the individual.

Personal Representatives

An individual's personal representative (generally, a person with authority under State law to make health care decisions for the individual) also has the right to access PHI about the individual in a designated record set (as well as to direct the covered entity to transmit a copy of the PHI to a designated person or entity of the individual's choice), upon request, consistent with the scope of such representation and the requirements discussed below. See 45 CFR 164.502(g) and http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/personalreps.html for more information about the rights that can be exercised by personal representatives.

Requests for Access

Requiring a Written Request

A covered entity may require individuals to request access in writing, provided the covered entity informs individuals of this requirement. See 45 CFR 164.524(b)(1). Covered entities also may offer individuals the option of using electronic means (e.g., e-mail, secure web portal) to make requests for access. In addition, a covered entity may require individuals to use the entity's own supplied form, provided use of the form does not create a barrier to or unreasonably delay the individual from obtaining access to his PHI, as described below.

Verification

The Privacy Rule requires a covered entity to take reasonable steps to verify the identity of an individual making a request for access. See 45 CFR 164.514(h). The Rule does not mandate any particular form of verification (such as obtaining a copy of a driver's license), but rather generally leaves the type and manner of the verification to the discretion and professional judgment of the covered entity, provided the verification processes and measures do not create barriers to or unreasonably delay the individual from obtaining access to her PHI, as described below. Verification may be done orally or in writing and, in many cases, the type of verification may depend on how the individual is requesting and/or receiving access, whether in person, by phone (if permitted by the covered entity), by faxing or e-mailing the request on the covered entity's supplied form, by secure web portal, or by other means. For example, if the covered entity requires that access requests be made on its own supplied form, the form could ask for basic information about the individual that would enable the covered entity to verify that the person requesting access is the subject of the information requested or is the individual's personal representative. For those covered entities providing individuals with access to their PHI through web portals, those portals should already be set up with appropriate authentication controls, as required by 45 CFR 164.312(d) of the HIPAA Security Rule, to ensure that the person seeking access is the individual or the individual's personal representative.

Unreasonable Measures

While the Privacy Rule allows covered entities to require that individuals request access in writing and requires verification of the identity of the person requesting access, a covered entity may not impose unreasonable measures on an individual requesting access that serve as barriers to or unreasonably delay the individual from obtaining access. For example, a doctor may not require an individual:

- Who wants a copy of her medical record mailed to her home address to physically come to the doctor's office to request access and provide proof of identity in person.

- To use a web portal for requesting access, as not all individuals will have ready access to the portal.

- To mail an access request, as this would unreasonably delay the covered entity's receipt of the request and thus, the individual's access.

While a covered entity may not require individuals to request access in these manners, a covered entity may permit an individual to do so, and covered entities are encouraged to offer individuals multiple options for requesting access.

Providing Access

Form and Format and Manner of Access

The Privacy Rule requires a covered entity to provide the individual with access to the PHI in the form and format requested, if readily producible in that form and format, or if not, in a readable hard copy form or other form and format as agreed to by the covered entity and individual. See 45 CFR 164.524(c)(2)(i). If the individual requests electronic access to PHI that the covered entity maintains electronically, the covered entity must provide the individual with access to the information in the requested electronic form and format, if it is readily producible in that form and format, or if not, in an agreed upon alternative, readable electronic format. See 45 CFR 164.524(c)(2)(ii). The terms "form and format" refer to how the PHI is conveyed to the individual (e.g., on paper or electronically, type of file, etc.). Thus:

Requests for Paper Copies

Where an individual requests a paper copy of PHI maintained by the covered entity either electronically or on paper, it is expected that the covered entity will be able to provide the individual with the paper copy requested.

Requests for Electronic Copies

Where an individual requests an electronic copy of PHI that a covered entity maintains only on paper, the covered entity is required to provide the individual with an electronic copy if it is readily producible electronically (e.g., the covered entity can readily scan the paper record into an electronic format) and in the electronic format requested if readily producible in that format, or if not, in a readable alternative electronic format or hard copy format as agreed to by the covered entity and the individual.

Where an individual requests an electronic copy of PHI that a covered entity maintains electronically, the covered entity must provide the individual with access to the information in the requested electronic form and format, if it is readily producible in that form and format. When the PHI is not readily producible in the electronic form and format requested, then the covered entity must provide access to an agreed upon alternative readable electronic format. See 45 CFR 164.524(c)(2)(ii). This means that, while a covered entity is not required to purchase new software or equipment in order to accommodate every possible individual request, the covered entity must have the capability to provide some form of electronic copy of PHI maintained electronically. It is only if the individual declines to accept any of the electronic formats readily producible by the covered entity that the covered entity may satisfy the request for access by providing the individual with a readable hard copy of the PHI.

The covered entity also may provide the individual with a summary of the PHI requested, in lieu of providing access to the PHI, or may provide an explanation of the PHI to which access has been provided in addition to that PHI, so long as the individual in advance: (1) chooses to receive the summary or explanation (including in the electronic or paper form being offered by the covered entity); and (2) agrees to any fees (as explained below in the Section describing permissible Fees for Copies) that may be charged by the covered entity for the summary or explanation. See 45 CFR 164.524(c)(2)(iii).

A covered entity also must provide access in the manner requested by the individual, which includes arranging with the individual for a convenient time and place to pick up a copy of the PHI or to inspect the PHI (if that is the manner of access requested by the individual), or to have a copy of the PHI mailed or e-mailed, or otherwise transferred or transmitted to the individual to the extent the copy would be readily producible in such a manner. Whether a particular mode of transmission or transfer is readily producible will be based on the capabilities of the covered entity and the level of security risk that the mode of transmission or transfer may introduce to the PHI on the covered entity's systems (as opposed to security risks to the PHI once it has left the systems). A covered entity is not expected to tolerate unacceptable levels of risk to the security of the PHI on its systems in responding to requests for access; whether the individual's requested mode of transfer or transmission presents such an unacceptable level of risk will depend on the covered entity's Security Rule risk analysis. See 45 CFR 164.524(c)(2) and (3), and 164.308(a)(1). However, mail and e-mail are generally considered readily producible by all covered entities. It is expected that all covered entities have the capability to transmit PHI by mail or e-mail (except in the limited case where e-mail cannot accommodate the file size of requested images), and transmitting PHI in such a manner does not present unacceptable security risks to the systems of covered entities, even though there may be security risks to the PHI while in transit (such as where an individual has requested to receive her PHI by, and accepted the risks associated with, unencrypted e-mail). Thus, a covered entity may not require that an individual travel to the covered entity's physical location to pick up a copy of her PHI if the individual requests that the copy be mailed or e-mailed.

Timeliness in Providing Access

In providing access to the individual, a covered entity must provide access to the PHI requested, in whole, or in part (if certain access may be denied as explained below), no later than 30 calendar days from receiving the individual's request. See 45 CFR 164.524(b)(2). The 30 calendar days is an outer limit and covered entities are encouraged to respond as soon as possible. Indeed, a covered entity may have the capacity to provide individuals with almost instantaneous or very prompt electronic access to the PHI requested through personal health records, web portals, or similar electronic means. Further, individuals may reasonably expect a covered entity to be able to respond in a much faster timeframe when the covered entity is using health information technology in its day to day operations.

If a covered entity is unable to provide access within 30 calendar days, for example, where the information is archived offsite and not readily accessible, the covered entity may extend the time by no more than an additional 30 days. To extend the time, the covered entity must, within the initial 30 days, inform the individual in writing of the reasons for the delay and the date by which the covered entity will provide access. Only one extension is permitted per access request.

Fees for Copies

The Privacy Rule permits a covered entity to impose a reasonable, cost-based fee if the individual requests a copy of the PHI (or agrees to receive a summary or explanation of the information). The fee may include only the cost of: (1) labor for copying the PHI requested by the individual, whether in paper or electronic form; (2) supplies for creating the paper copy or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media; (3) postage, when the individual requests that the copy, or the summary or explanation, be mailed; and (4) preparation of an explanation or summary of the PHI, if agreed to by the individual. See 45 CFR 164.524(c)(4). The fee may not include costs associated with verification; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; or other costs not listed above even if such costs are authorized by State law.

Denial of Access

Grounds for Denial

Under certain limited circumstances, a covered entity may deny an individual's request for access to all or a portion of the PHI requested. In some of these circumstances, an individual has a right to have the denial reviewed by a licensed health care professional designated by the covered entity who did not participate in the original decision to deny.

Unreviewable grounds for denial (45 CFR 164.524(a)(2)):

- The request is for psychotherapy notes, or information compiled in reasonable anticipation of, or for use in, a legal proceeding.

- An inmate requests a copy of her PHI held by a covered entity that is a correctional institution, or health care provider acting under the direction of the institution, and providing the copy would jeopardize the health, safety, security, custody, or rehabilitation of the inmate or other inmates, or the safety of correctional officers, employees, or other person at the institution or responsible for the transporting of the inmate. However, in these cases, an inmate retains the right to inspect her PHI.

- The requested PHI is in a designated record set that is part of a research study that includes treatment (e.g., clinical trial) and is still in progress, provided the individual agreed to the temporary suspension of access when consenting to participate in the research. The individual's right of access is reinstated upon completion of the research.

- The requested PHI is in Privacy Act protected records (i.e., certain records under the control of a federal agency, which may be maintained by a federal agency or a contractor to a federal agency), if the denial of access is consistent with the requirements of the Act.

- The requested PHI was obtained by someone other than a health care provider (e.g., a family member of the individual) under a promise of confidentiality, and providing access to the information would be reasonably likely to reveal the source of the information.

Reviewable grounds for denial (45 CFR 164.524(a)(3)). A licensed health care professional has determined in the exercise of professional judgment that:

- The access requested is reasonably likely to endanger the life or physical safety of the individual or another person. This ground for denial does not extend to concerns about psychological or emotional harm (e.g., concerns that the individual will not be able to understand the information or may be upset by it).

- The access requested is reasonably likely to cause substantial harm to a person (other than a health care provider) referenced in the PHI.

- The provision of access to a personal representative of the individual that requests such access is reasonably likely to cause substantial harm to the individual or another person.

Note that a covered entity may not require an individual to provide a reason for requesting access, and the individual's rationale for requesting access, if voluntarily offered or known by the covered entity or business associate, is not a permitted reason to deny access. In addition, a covered entity may not deny access because a business associate of the covered entity, rather than the covered entity itself, maintains the PHI requested by the individual (e.g., the PHI is maintained by the covered entity's electronic health record vendor or is maintained by a records storage company offsite).

Carrying Out the Denial

If the covered entity denies access, in whole or in part, to PHI requested by the individual, the covered entity must provide a denial in writing to the individual no later than within 30 calendar days of the request (or no later than within 60 calendar days if the covered entity notified the individual of an extension). See 45 CFR 164.524(b)(2). The denial must be in plain language and describe the basis for denial; if applicable, the individual's right to have the decision reviewed and how to request such a review; and how the individual may submit a complaint to the covered entity or the HHS Office for Civil Rights. See 45 CFR 164.524(d).

If the covered entity (or one of its business associates) does not maintain the PHI requested, but knows where the information is maintained, the covered entity must inform the individual where to direct the request for access. See 45 CFR 164.524(d)(3).

The covered entity must, to the extent possible and within the above timeframes, provide the individual with access to any other PHI requested, after excluding the PHI to which the entity has a ground to deny access. See 45 CFR 164.524(d)(1). Complexity in segregating the PHI does not excuse the obligation to provide access to the PHI to which the ground for denial does not apply.

Review of Denial

If the denial was based on a reviewable ground for denial and the individual requests review, the covered entity must promptly refer the request to the designated reviewing official. The reviewing official must determine, within a reasonable period of time, whether to reaffirm or reverse the denial. The covered entity must then promptly provide written notice to the individual of the determination of the reviewing official, as well as take other action as necessary to carry out the determination. See 45 CFR 164.524(d)(4).

Individual's Right to Direct the PHI to Another Person

An individual also has a right to direct the covered entity to transmit the PHI about the individual directly to another person or entity designated by the individual. The individual's request to direct the PHI to another person must be in writing, signed by the individual, and clearly identify the designated person and where to send the PHI. A covered entity may accept an electronic copy of a signed request (e.g., PDF), as well as an electronically executed request (e.g., via a secure web portal) that includes an electronic signature. The same requirements for providing the PHI to the individual, such as the fee limitations and requirements for providing the PHI in the form and format and manner requested by the individual, apply when an individual directs that the PHI be sent to another person. See 45 CFR 164.524(c)(3).

State Laws

State laws that provide individuals with greater rights of access to their PHI than the Privacy Rule, or that are not contrary to the Privacy Rule, are not preempted by HIPAA and thus still apply. For example, a covered entity subject to a State law that requires that access to PHI be provided to an individual in a shorter time frame than that required in the Privacy Rule must provide such access within the shorter time frame because the State law is not contrary to the Privacy Rule.

Unless an exemption exists in the HIPAA Rules, State laws that are contrary to the Privacy Rule access provisions, such as those that prohibit certain laboratories from disclosing test reports directly to an individual, are preempted by HIPAA. See 45 CFR 160.203. Thus, these State laws do not apply when an individual exercises her HIPAA right of access. See 45 CFR Part 160, Subpart B.

Questions and Answers About HIPAA's Access Right

Fees That Can Be Charged to Individuals for Copies of their PHI

May a covered entity charge individuals a fee for providing the individuals with a copy of their PHI?

Yes, but only within specific limits. The Privacy Rule permits a covered entity to impose a reasonable, cost-based fee to provide the individual (or the individual's personal representative) with a copy of the individual's PHI, or to direct the copy to a designated third party. The fee may include only the cost of certain labor, supplies, and postage:

1. Labor for copying the PHI requested by the individual, whether in paper or electronic form. Labor for copying includes only labor for creating and delivering the electronic or paper copy in the form and format requested or agreed upon by the individual, once the PHI that is responsive to the request has been identified, retrieved or collected, compiled and/or collated, and is ready to be copied. Labor for copying does not include costs associated with reviewing the request for access; or searching for and retrieving the PHI, which includes locating and reviewing the PHI in the medical or other record, and segregating or otherwise preparing the PHI that is responsive to the request for copying.

While it has always been prohibited to pass on to an individual labor costs related to search and retrieval, our experience in administering and enforcing the HIPAA Privacy Rule has shown there is confusion about what constitutes a prohibited search and retrieval cost and this guidance further clarifies this issue. This clarification is important to ensure that the fees charged reflect only what the Department considers "copying" for purposes of applying 45 CFR 164.524(c)(4)(i) and do not impede individuals' ability to receive a copy of their records.

2. Supplies for creating the paper copy (e.g., paper, toner) or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media. However, a covered entity may not require an individual to purchase portable media; individuals have the right to have their PHI e-mailed or mailed to them upon request.

3. Labor to prepare an explanation or summary of the PHI, if the individual in advance both chooses to receive an explanation or summary and agrees to the fee that may be charged.

4. Postage, when the individual requests that the copy, or the summary or explanation, be mailed.

Thus, costs associated with updates to or maintenance of systems and data, capital for data storage and maintenance, labor associated with ensuring compliance with HIPAA (and other applicable law) in fulfilling the access request (e.g., verification, ensuring only information about the correct individual is included, etc.) and other costs not included above, even if authorized by State law, are not permitted for purposes of calculating the fees that can be charged to individuals. See 45 CFR 164.524(c)(4).

Further, while the Privacy Rule permits the limited fee described above, covered entities should provide individuals who request access to their information with copies of their PHI free of charge. While covered entities should forgo fees for all individuals, not charging fees for access is particularly vital in cases where the financial situation of an individual requesting access would make it difficult or impossible for the individual to afford the fee. Providing individuals with access to their health information is a necessary component of delivering and paying for health care. We will continue to monitor whether the fees that are being charged to individuals are creating barriers to this access, will take enforcement action where necessary, and will reassess as necessary the provisions in the Privacy Rule that permit these fees to be charged.

What labor costs may a covered entity include in the fee that may be charged to individuals to provide them with a copy of their PHI?

A covered entity may include reasonable labor costs associated only with the: (1) labor for copying the PHI requested by the individual, whether in paper or electronic form; and (2) labor to prepare an explanation or summary of the PHI, if the individual in advance both chooses to receive an explanation or summary and agrees to the fee that may be charged.

Labor for copying includes only labor for creating and delivering the electronic or paper copy in the form and format requested or agreed upon by the individual, once the PHI that is responsive to the request has been identified, retrieved or collected, compiled and/or collated, and is ready to be copied. For example, labor for copying may include labor associated with the following, as necessary to copy and deliver the PHI in the form and format and manner requested or agreed to by the individual:

- Photocopying paper PHI.

- Scanning paper PHI into an electronic format.

- Converting electronic information in one format to the format requested by or agreed to by the individual.

- Transferring (e.g., uploading, downloading, attaching, burning) electronic PHI from a covered entity's system to a web-based portal (where the PHI is not already maintained in or accessible through the portal), portable media, e-mail, app, personal health record, or other manner of delivery of the PHI.

- Creating and executing a mailing or e-mail with the responsive PHI.

While we allow labor costs for these limited activities, we note that as technology evolves and processes for converting and transferring files and formats become more automated, we expect labor costs to disappear or at least diminish in many cases.

In contrast, labor for copying does not include labor costs associated with:

- Reviewing the request for access.

- Searching for, retrieving, and otherwise preparing the responsive information for copying. This includes labor to locate the appropriate designated record sets about the individual, to review the records to identify the PHI that is responsive to the request and to ensure the information relates to the correct individual, and to segregate, collect, compile, and otherwise prepare the responsive information for copying.

May a covered health care provider charge a fee under HIPAA for individuals to access the PHI that is available through the provider's EHR technology that has been certified as being capable of making the PHI accessible?

No. The HIPAA Privacy Rule at 45 CFR 164.524(c)(4) permits a covered entity to charge a reasonable, cost-based fee that covers only certain limited labor, supply, and postage costs that may apply in providing an individual with a copy of PHI in the form and format requested or agreed to by the individual. Where an individual requests or agrees to access her PHI available through the View, Download, and Transmit functionality of the CEHRT, we believe there are no labor costs and no costs for supplies to enable such access. Thus, a covered health care provider cannot charge an individual a fee when it fulfills an individual's HIPAA access request using the View, Download, and Transmit functionality of the provider's CEHRT.

May a covered entity that uses a business associate to act on individual requests for access pass on the costs of outsourcing this function to individuals when they request copies of their PHI?

No. A covered entity may charge individuals a reasonable, cost-based fee that includes only labor for copying the PHI, costs for supplies, labor for creating a summary or explanation of the PHI if the individual requests a summary or explanation, and postage, if the PHI is to be mailed. See 45 CFR 164.524(c)(4). Administrative and other costs associated with outsourcing the function of responding to individual requests for access cannot be the basis for any fees charged to individuals for providing that access.

Must a covered entity inform individuals in advance of any fees that may be charged when the individuals request a copy of their PHI?

Yes. When an individual requests access to her PHI and the covered entity intends to charge the individual the limited fee permitted by the HIPAA Privacy Rule for providing the individual with a copy of her PHI, the covered entity must inform the individual in advance of the approximate fee that may be charged for the copy. An individual has a right to receive a copy of her PHI in the form and format and manner requested, if readily producible in that way, or as otherwise agreed to by the individual. Since the fee a covered entity is permitted to charge will vary based on the form and format and manner of access requested or agreed to by the individual, covered entities must, at the time such details are being negotiated or arranged, inform the individual of any associated fees that may impact the form and format and manner in which the individual requests or agrees to receive a copy of her PHI. The failure to provide advance notice is an unreasonable measure that may serve as a barrier to the right of access. Thus, this requirement is necessary for the right of access to operate consistent with the HIPAA Privacy Rule. Further, covered entities should post on their web sites or otherwise make available to individuals an approximate fee schedule for regular types of access requests. In addition, if an individual requests, covered entities should provide the individual with a breakdown of the charges for labor, supplies, and postage, if applicable, that make up the total fee charged. We note that this information would likely be requested in any action taken by OCR in enforcing the individual right of access, so entities will benefit from having this information readily available.

How can covered entities calculate the limited fee that can be charged to individuals to provide them with a copy of their PHI?

The HIPAA Privacy Rule permits a covered entity to charge a reasonable, cost-based fee for individuals (or their personal representatives) to receive (or direct to a third party) a copy of the individual's PHI. In addition to being reasonable, the fee may include only certain labor, supply, and postage costs that may apply in providing the individual with the copy in the form and format and manner requested or agreed to by the individual. The following methods may be used, as specified below, to calculate this fee.

Actual costs. A covered entity may calculate actual labor costs to fulfill the request, as long as the labor included is only for copying (and/or creating a summary or explanation if the individual chooses to receive a summary or explanation) and the labor rates used are reasonable for such activity. The covered entity may add to the actual labor costs any applicable supply (e.g., paper, or CD or USB drive) or postage costs. Covered entities that charge individuals actual costs based on each individual access request still must be prepared to inform individuals in advance of the approximate fee that may be charged for providing the individual with a copy of her PHI. An example of an actual labor cost calculation would be to time how long it takes for the workforce member of the covered entity (or business associate) to make and send the copy in the form and format and manner requested or agreed to by the individual and multiply the time by the reasonable hourly rate of the person copying and sending the PHI. What is reasonable for purposes of an hourly rate will vary depending on the level of skill needed to create and transmit the copy in the manner requested or agreed to by the individual (e.g., administrative level labor to make and mail a paper copy versus more technical skill needed to convert and transmit the PHI in a particular electronic format).

Averagecosts.Inlieuofcalculatinglaborcostsindividuallyforeachrequest,acoveredentitycan
developascheduleofcostsforlaborbasedonaveragelaborcoststofulfillstandardtypesofaccess
requests,aslongasthetypesoflaborcostsincludedaretheoneswhichthePrivacyRulepermitstobe
includedinafee(e.g.,laborcostsforcopyingbutnotforsearchandretrieval)andarereasonable.
Coveredentitiesmayaddtothatamountanyapplicablesupply(e.g.,paper,orCDorUSBdrive)or
postagecosts.

ThisstandardratecanbecalculatedandchargedasaperpagefeeonlyincaseswherethePHI
requestedismaintainedinpaperformandtheindividualrequestsapapercopyofthePHIorasks
thatthepaperPHIbescannedintoanelectronicformat.Perpagefeesarenotpermittedforpaperor
electroniccopiesofPHImaintainedelectronically.OCRisawarethatperpagefeesinmanycases
havebecomeaproxyforfeeschargedforalltypesofaccessrequestswhetherelectronicorpaper
andthatmanystateswithauthorizedfeestructureshavenotupdatedtheirlawstoaccountfor
efficienciesthatexistwhengeneratingcopiesofinformationmaintainedelectronically.Thispractice
hasresultedinfeesbeingchargedtoindividualsforcopiesoftheirPHIthatdonotappropriately
reflectthepermittedlaborcostsassociatedwithgeneratingcopiesfrominformationmaintainedin

https://www.hhs.gov/hipaa/forprofessionals/privacy/guidance/access/index.html 14/41
2/20/2017 IndividualsRightunderHIPAAtoAccesstheirHealthInformation|HHS.gov

electronicform.Therefore,OCRdoesnotconsiderperpagefeesforcopiesofPHImaintained
electronicallytobereasonableforpurposesof45CFR164.524(c)(4).

FlatfeeforelectroniccopiesofPHImaintainedelectronically.Acoveredentitymaychargeindividualsa
flatfeeforallrequestsforelectroniccopiesofPHImaintainedelectronically,providedthefeedoesnot
exceed$6.50,inclusiveofalllabor,supplies,andanyapplicablepostage.Chargingaflatfeenotto
exceed$6.50isthereforeanoptionforentitiesthatdonotwanttogothroughtheprocessofcalculating
actualoraverageallowablecostsforrequestsforelectroniccopiesofPHImaintainedelectronically.

Is $6.50 the maximum amount that can be charged to provide individuals with a copy of their PHI?

No. For any request from an individual, a covered entity (or business associate operating on its behalf) may calculate the allowable fees for providing individuals with copies of their PHI: (1) by calculating actual allowable costs to fulfill each request; or (2) by using a schedule of costs based on average allowable labor costs to fulfill standard requests. Alternatively, in the case of requests for an electronic copy of PHI maintained electronically, covered entities may: (3) charge a flat fee not to exceed $6.50 (inclusive of all labor, supplies, and postage). Charging a flat fee not to exceed $6.50 per request is therefore an option available to entities that do not want to go through the process of calculating actual or average allowable costs for requests for electronic copies of PHI maintained electronically.

In some cases where an entity chooses generally to use the average cost method, or chooses a flat fee, as described above, for electronic copies of PHI maintained electronically, the entity may receive an unusual or uncommon type of request that it had not considered in setting up its fee structure. In these cases, the entity may wish to calculate actual costs to provide the requested copy, and it may do so as long as the costs are reasonable and only of the type permitted by the Privacy Rule. An entity that chooses to calculate actual costs in these circumstances still must, as in other cases, inform the individual in advance of the approximate fee that may be charged for providing the copy requested.

Are costs authorized by State fee schedules permitted to be charged to individuals when providing them with a copy of their PHI under the HIPAA Privacy Rule?

No, except in cases where the State-authorized costs are the same types of costs permitted under 45 CFR 164.524(c)(4) of the HIPAA Privacy Rule, and are reasonable. The bottom line is that the costs authorized by the State must be those that are permitted by the HIPAA Privacy Rule and must be reasonable. The HIPAA Privacy Rule at 45 CFR 164.524(c)(4) permits a covered entity to charge a reasonable, cost-based fee that covers only certain limited labor, supply, and postage costs that may apply in providing an individual with a copy of PHI in the form and format requested or agreed to by the individual. Thus, labor (e.g., for search and retrieval) or other costs not permitted by the Privacy Rule may not be charged to individuals even if authorized by State law. Further, a covered entity's fee for providing an individual with a copy of her PHI must be reasonable in addition to cost-based, and there may be circumstances where a State-authorized fee is not reasonable, even if the State-authorized fee covers only permitted labor, supply, and postage costs. For example, a State-authorized fee may be higher than the covered entity's cost to provide the copy of PHI. In addition, many States with authorized fee structures have not updated their laws to account for efficiencies that exist when generating copies of information maintained electronically. Therefore, these State-authorized fees for copies of PHI maintained electronically may not be reasonable for purposes of 45 CFR 164.524(c)(4).

A State law requires that a health care provider give individuals one free copy of their medical records but HIPAA permits the provider to charge a fee. Does HIPAA override the State law?

No, so the health care provider must comply with the State law and provide the one free copy. In contrast to State laws that authorize higher or different fees than are permitted under HIPAA, HIPAA does not override those State laws that provide individuals with greater rights of access to their health information than the HIPAA Privacy Rule does. See 45 CFR 160.202 and 160.203. This includes State laws that: (1) prohibit fees to be charged to provide individuals with copies of their PHI; or (2) allow only lesser fees than what the Privacy Rule would allow to be charged for copies.

When do the HIPAA Privacy Rule limitations on fees that can be charged for individuals to access copies of their PHI apply to disclosures of the individual's PHI to a third party?

The fee limits apply when an individual directs a covered entity to send the PHI to the third party. Under the HIPAA Privacy Rule, a covered entity is prohibited from charging an individual who has requested a copy of her PHI more than a reasonable, cost-based fee for the copy that covers only certain labor, supply, and postage costs that may apply in fulfilling the request. See 45 CFR 164.524(c)(4). This limitation applies regardless of whether the individual has requested that the copy of PHI be sent to herself, or has directed that the covered entity send the copy directly to a third party designated by the individual (and it doesn't matter who the third party is). To direct a copy to a third party, the individual's access request must be in writing, signed by the individual, and clearly identify the designated person or entity and where to send the PHI. See 45 CFR 164.524(c)(3)(ii). Thus, written access requests by individuals to have a copy of their PHI sent to a third party that include these minimal elements are subject to the same fee limitations in the Privacy Rule that apply to requests by individuals to have a copy of their PHI sent to themselves. This is true regardless of whether the access request was submitted to the covered entity by the individual directly or forwarded to the covered entity by a third party on behalf and at the direction of the individual (such as by an app being used by the individual). Further, these same limitations apply when the individual's personal representative, rather than the individual herself, has made the request to send a copy of the individual's PHI to a third party.

In contrast, third parties often will directly request PHI from a covered entity and submit a written HIPAA authorization from the individual (or rely on another permission in the Privacy Rule) for that disclosure. Where the third party is initiating a request for PHI on its own behalf, with the individual's HIPAA authorization (or pursuant to another permissible disclosure provision in the Privacy Rule), the access fee limitations do not apply. However, as described above, where the third party is forwarding, on behalf and at the direction of the individual, the individual's access request for a covered entity to direct a copy of the individual's PHI to the third party, the fee limitations apply.

We note that a covered entity (or a business associate) may not circumvent the access fee limitations by treating individual requests for access like other HIPAA disclosures, such as by having an individual fill out a HIPAA authorization when the individual requests access to her PHI (including to direct a copy of the PHI to a third party). As explained elsewhere in the guidance, a HIPAA authorization is not required for individuals to request access to their PHI, including to direct a copy to a third party, and because a HIPAA authorization requests more information than is necessary or that may not be relevant for individuals to exercise their access rights, requiring execution of a HIPAA authorization may create impermissible obstacles to the exercise of this right. Where it is unclear to a covered entity, based on the form of a request sent by a third party, whether the request is an access request initiated by the individual or merely a HIPAA authorization by the individual to disclose PHI to the third party, the entity may clarify with the individual whether the request was a direction from the individual or a request from the third party. OCR is open to engaging with the community on ways that technology could easily convey this information.

Finally, we note that disclosures to a third party made outside of the right of access under other provisions of the Privacy Rule still may be subject to the prohibition against sales of PHI (i.e., the prohibition against receiving remuneration for a disclosure of PHI at 45 CFR 164.502(a)(5)(ii)). Where the prohibition applies, a covered entity may charge only a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI or a fee otherwise expressly permitted by other law, or must have received a HIPAA authorization from the individual that states that the disclosure will involve remuneration to the covered entity.

May a health care provider withhold a copy of an individual's PHI from the individual who requested it because the covered entity used the individual's payment of the allowable fee for the copy to instead pay an outstanding bill for health care services provided to the individual?

No. Just as a covered entity may not withhold or deny an individual access to his PHI on the grounds that the individual has not paid the bill for health care services the covered entity provided to the individual, a covered entity may not withhold or deny access on the grounds that the covered entity used the individual's payment of the fee for a copy of his PHI to offset or pay the individual's outstanding bill for health care services.

Can an individual be charged a fee if the individual requests only to inspect her PHI at the covered entity (i.e., does not request that the covered entity produce a copy of the PHI)?

No. The fees that can be charged to individuals exercising their right of access to their PHI apply only in cases where the individual is to receive a copy of the PHI, versus merely being provided the opportunity to view and inspect the PHI. The HIPAA Privacy Rule provides individuals with the right to inspect their PHI held in a designated record set, either in addition to obtaining copies or in lieu thereof, and requires covered entities to arrange with the individual for a convenient time and place to inspect the PHI. See 45 CFR 164.524(c)(1) and (c)(2). Consequently, covered entities should have in place reasonable procedures to enable individuals to inspect their PHI, and requests for inspection should trigger minimal additional effort by the entity, particularly where the PHI requested is of the type easily accessed on site by the entity itself in the ordinary course of business. For example, covered entities could use the capabilities of Certified EHR Technology (CEHRT) to enable individuals to inspect their PHI, if the individuals agree to the use of this functionality.

Further, a covered entity may not charge an individual who, while inspecting her PHI, takes notes, uses a smartphone or other device to take pictures of the PHI, or uses other personal resources to capture the information. If the individual is making the copies of PHI using her own resources, the covered entity may not charge a fee for those copies, as the copying is being done by the individual and not the entity. A covered entity may establish reasonable policies and safeguards regarding an individual's use of her own camera or other device for copying PHI to assure that equipment or technology used by the individual is not disruptive to the entity's operations and is used in a way that enables the individual to copy or otherwise memorialize only the records to which she is entitled. Further, a covered entity is not required to allow the individual to connect a personal device to the covered entity's systems.

Right to Have PHI Sent Directly to a Designated Third Party
Can an individual, through the HIPAA right of access, have his or her health care provider or health plan send the individual's PHI to a third party?

Yes. If requested by an individual, a covered entity must transmit an individual's PHI directly to another person or entity designated by the individual. The individual's request must be in writing, signed by the individual, and clearly identify the designated person or entity and where to send the PHI. See 45 CFR 164.524(c)(3)(ii). A covered entity may accept an electronic copy of a signed request (e.g., PDF or scanned image), an electronically executed request (e.g., via a secure web portal) that includes an electronic signature, or a faxed or mailed copy of a signed request.

The same requirements for providing the PHI to the individual, such as the timeliness requirements, fee limitations, prohibition on imposing unreasonable measures, and form and format requirements, apply when an individual directs that the PHI be sent to another person or entity. For example, just as when the individual requests a copy for herself, a covered entity cannot require that an individual make a separate in-person trip to the covered entity's physical location for the purpose of making the request to transmit the individual's PHI to a person or entity designated by the individual. In addition, the individual can designate the form and format of the PHI and how the PHI is to be sent to the third party, and the covered entity must provide access in the requested form and format and manner if the PHI is readily producible in such a way. Whether PHI is readily producible depends on the capabilities of the covered entity and whether transmission or transfer of the PHI in the requested manner would present an unacceptable level of security risk to the PHI on the covered entity's systems (based on the covered entity's Security Rule risk analysis).

The following are just a few examples of how these provisions apply:

- A patient requests in writing that the hospital where she recently underwent a surgical procedure use its Certified EHR Technology (CEHRT) to send her discharge summary to her primary care physician, or to her own personal health record, and she supplies the corresponding Direct address (an electronic address for securely exchanging health information using the Direct technical standard).

- A patient sends a written request to his long-time physician asking the physician to download a copy of the PHI from his electronic medical record, and e-mail it in encrypted form to XYZ Research Institution, at XYZResearch@anywhere.com, so XYZ Research Institution can use his health information for research purposes.

- A patient requests in writing that her ob-gyn digitally transmit records of her latest prenatal visit to a new pregnancy self-care app that she has on her mobile phone. The ob-gyn's EHR has the ready capability to establish the connection in a manner that does not present an unacceptable level of security risk to the PHI in the EHR or other of the ob-gyn's systems, based on the ob-gyn's Security Rule risk analysis.

In each of these three examples, the covered entity has the capability to transfer the PHI in the requested manner and doing so would not present an unacceptable level of security risk to the PHI in the covered entity's systems. Thus, after receiving the patient's written request, the covered entity has 30 days (or 60 days if an extension is applicable) to send the PHI to the designated recipient as directed by the individual. However, in most cases, it is expected that the use of technology will enable the covered entity to fulfill the individual's request in far fewer than 30 days.

Are there any limits or exceptions to the individual's right to have the individual's PHI sent directly to a third party?

The right of an individual to have PHI sent directly to a third party is an extension of the individual's right of access; consequently, all of the provisions that apply when an individual obtains access to her PHI apply when she directs a covered entity to send the PHI to a third party. As a result:

- This right applies to PHI in a designated record set;
- Covered entities must take action within 30 days of the request;
- Covered entities must provide the PHI in the form and format and manner of access requested by the individual if it is readily producible in that manner; and
- The individual may be charged only a reasonable, cost-based fee that complies with 45 CFR 164.524(c)(4).

Further, the same limited grounds for denial of access that apply when the individual is receiving the PHI directly apply in cases where the individual requests that the PHI be provided to a designated third party. See 45 CFR 164.524(a)(2) and (a)(3). Thus, for example, a covered entity may deny an individual's request to send PHI to a designated third party when the request is for psychotherapy notes or PHI for which a licensed health care professional has determined, exercising professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person. The provisions of the Privacy Rule providing for review of certain denials of access apply in this circumstance as well. See 45 CFR 164.524(a)(3) and (a)(4). However, a covered entity may not deny an individual's access request to send PHI to a third party for other purposes. Thus, disagreement with the individual about the worthiness of the third party as a recipient of PHI, or even concerns about what the third party might do with the PHI (except for the express reasons listed in the Privacy Rule, such as in cases where life or physical safety is threatened), are not acceptable reasons to deny an individual's request.

Can an individual's personal representative, through the HIPAA right of access, have the individual's health care provider or health plan send the individual's PHI to a third party?

Yes. An individual's personal representative (generally, a person with authority under State law to make health care decisions for the individual) has the right both to receive a copy of PHI about the individual in a designated record set, and to direct the covered entity to transmit a copy of the PHI to another person or entity, upon request, consistent with the scope of such representation and the requirements of 45 CFR 164.524. See 45 CFR 164.502(g). The same requirements for fulfilling an individual's request to send the individual's PHI to a third party (e.g., with respect to timeliness, form and format, bases for denial, fee limitations, etc.) also apply to requests made by an individual's personal representative.

What is the liability of a covered entity in responding to an individual's access request to send the individual's PHI to a third party?

Covered entities may rely on the information provided in writing by the individual about the identity of the designated person and where to send the PHI for purposes of verification of the designated third party as an authorized recipient. However, covered entities must implement reasonable safeguards in otherwise carrying out the request, such as taking reasonable steps to verify the identity of the individual making the access request and to enter the correct information into the covered entity's system. For example, while a covered entity is not required to confirm that the individual provided the correct e-mail address of the third party, the covered entity is required to have reasonable procedures to ensure that it correctly enters the provided e-mail address into the covered entity's system.

In addition, except in the limited circumstance described below, covered entities must safeguard the information in transit, and are responsible for breach notification and may be liable for impermissible disclosures of PHI that occur in transit. The only exception arises when an individual has requested that the PHI be sent to the third party by unencrypted e-mail or in another unsecure manner, which the individual has a right to request. As long as the individual was warned of and accepted the security risks to the PHI associated with the unsecure transmission, the covered entity is not responsible for breach notification or liable for disclosures that occur in transit.

Further, the covered entity is not liable for what happens to the PHI once the designated third party receives the information as directed by the individual in the access request.

What is a covered entity's obligation under the Breach Notification Rule if it transmits an individual's PHI to a third party designated by the individual in an access request, and the entity discovers the information was breached in transit?

If a covered entity discovers that the PHI was breached in transit to the designated third party, and the PHI was unsecured PHI as defined at 45 CFR 164.402, the covered entity generally is obligated to notify the individual and HHS of the breach and otherwise comply with the HIPAA Breach Notification Rule at 45 CFR 164, Subpart D. However, if the individual requested that the covered entity transmit the PHI in an unsecure manner (e.g., unencrypted), and, after being warned of the security risks to the PHI associated with the unsecure transmission, maintained her preference to have the PHI sent in that manner, the covered entity is not responsible for a disclosure of PHI while in transmission to the designated third party, including any breach notification obligations that would otherwise be required. Further, a covered entity is not liable for what happens to the PHI once the designated third party receives the information as directed by the individual in the access request.

Where the PHI that was breached is secured as provided for in the HHS Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html), the covered entity does not have reporting obligations under the Breach Notification Rule.

Why depend on the individual's right of access to facilitate the disclosure of PHI to a third party; why not just have the individual execute a HIPAA authorization to enable the covered entity to make this disclosure?

The PHI that an individual wants to have disclosed to a third party under the HIPAA right of access also could be disclosed by a covered entity pursuant to a valid HIPAA authorization. However, there are differences between the two methods, the primary difference being that one is a required disclosure and one is a permitted disclosure, that may make the right of access a more favorable choice for most disclosures the individual is initiating on her own behalf. These differences are illustrated in the following table:

| HIPAA Authorization | Right of Access |
| --- | --- |
| Permits, but does not require, a covered entity to disclose PHI | Requires a covered entity to disclose PHI, except where an exception applies |
| Requires a number of elements and statements, which include a description of who is authorized to make the disclosure and receive the PHI, a specific and meaningful description of the PHI, a description of the purpose of the disclosure, an expiration date or event, signature of the individual authorizing the use or disclosure of her own PHI and the date, information concerning the individual's right to revoke the authorization, and information about the ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization | Must be in writing, signed by the individual, and clearly identify the designated person and where to send the PHI |
| No timeliness requirement for disclosing the PHI | Covered entity must act on request no later than 30 days after the request is received |
| Reasonable safeguards apply (e.g., PHI must be sent securely) | Reasonable safeguards apply, including a requirement to send securely; however, individual can request transmission by unsecure medium |
| No limitations on fees that may be charged to the person requesting the PHI; however, if the disclosure constitutes a sale of PHI, the authorization must disclose the fact of remuneration | Fees limited as provided in 45 CFR 164.524(c)(4) |

In addition, the Privacy Rule permits covered entities to disclose PHI for treatment, payment and health care operations without the need to first obtain an individual's authorization or receive an access request by the individual to have the individual's PHI directed to a third party for such purposes. See 45 CFR 164.506. As a result, if an individual is seeking to have her PHI shared among her treating providers, the covered entities can and should do so; the individual should not have to facilitate this transmission by submitting an access request (and potentially having to wait up to 30 days for the information to be sent and be charged a fee) or by executing a HIPAA authorization. See the Fact Sheets on Understanding Some of HIPAA's Permitted Uses and Disclosures at http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/permitted-uses/index.html.

Scope of Information Covered by Access Right
What personal health information do individuals have a right under HIPAA to access from their health care providers and health plans?

With limited exceptions, the HIPAA Privacy Rule gives individuals the right to access, upon request, the medical and health information (protected health information or PHI) about them in one or more designated record sets maintained by or for the individual's health care providers and health plans (HIPAA covered entities). See 45 CFR 164.524. Designated record sets include medical records, billing records, payment and claims records, health plan enrollment records, case management records, as well as other records used, in whole or in part, by or for a covered entity to make decisions about individuals. See 45 CFR 164.501. Thus, individuals have a right to access a broad array of health information about themselves, whether maintained by a covered entity or by a business associate on the covered entity's behalf, including medical records, billing and payment records, insurance information, clinical laboratory test reports, X-rays, wellness and disease management program information, and notes (such as clinical case notes or SOAP notes (a method of making notes in a patient's chart) but not including psychotherapy notes as explained below), among other information generated from treating the individual or paying for the individual's care or otherwise used to make decisions about individuals. In responding to a request for access, a covered entity is not, however, required to create new information, such as explanatory materials or analyses, that does not already exist in the designated record set. Further, while individuals have a right to a broad array of PHI about themselves in a designated record set, a covered entity is only required to provide access to the PHI to which the individual requests access.

Individuals do not have a right to access PHI about them that is not part of a designated record set because this information is not used to make decisions about individuals. This may include certain quality assessment or improvement records, patient safety activity records, or business planning, development, and management records that are used for business decisions more generally rather than to make decisions about individuals. For example, peer review files, practitioner or provider performance evaluations, quality control records used to improve customer service, and formulary development records may be generated from and include an individual's PHI but may not be in the covered entity's designated record set(s) to which the individual has access. However, the underlying PHI from the individual's medical or payment records used to generate such information remains part of the designated record set and subject to access by the individual. For example, an individual would not have the right to access internal memos related to the development of a formulary; however, an individual does have the right to access information about prescription drugs that were prescribed for her, and claims records related to payment for those drugs, even if that information was relied on in, or helped inform, the development of the formulary.

Individuals also do not have a right to access the psychotherapy notes that a mental health professional maintains separately from the individual's medical record and that document or analyze the contents of a counseling session with the individual. In addition, individuals do not have a right to access information about the individual compiled in reasonable anticipation of, or for use in, a legal proceeding (but the individual retains the right to access the underlying PHI from the designated record set(s) about the individual used to generate the litigation information). However, a covered entity has the discretion to share this information with the individual if it chooses. See 45 CFR 164.524(a)(1)-(a)(3) for a complete list of exceptions to the right of access.

Does an individual's right under HIPAA to access their health information apply only to the information a health care provider maintains about the individual in an Electronic Health Record (EHR), or paper medical record?

No. An individual has a broad right under the HIPAA Privacy Rule to access the PHI about the individual in all designated record sets maintained by or for a covered entity, whether in electronic or paper form, not just the designated record set that comprises the medical record. See 45 CFR 164.524(a). (However, if the same PHI is maintained in more than one designated record set, a covered entity need only produce the information once in response to a request for access.) A designated record set also includes billing and payment records, claims and insurance information, as well as other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. See the definition of designated record set at 45 CFR 164.501.

Does the individual have a right to access PHI about themselves maintained by a covered entity that is very old or is archived?

Yes. An individual has a right to access PHI about themselves in a medical record or other designated record set maintained by a covered entity, regardless of the date the information was created or whether the information is maintained on site, remotely, or is archived. There are only very limited grounds under which a covered entity may deny an individual access to PHI about herself in a designated record set, which do not include the age or location of the information. See 45 CFR 164.524(a)(2)-(a)(3).

Does an individual have a right to access all of the information a covered entity maintains in the individual's medical record?

Yes. Except in very limited circumstances, an individual has a right to access all PHI about the individual that a covered entity (or its business associate) maintains in one or more designated record sets. A designated record set is defined to include the medical record about the individual. Thus, an individual generally has a right to access all of the information about the individual that a covered entity maintains in the individual's medical record, including information the individual provided to the covered entity herself, as well as PHI about the individual contributed to the record by other health care providers or covered entities. See 45 CFR 164.524(a)(2)-(a)(3) for the limited grounds upon which a covered entity may deny an individual access to PHI in a designated record set.

UnderwhatcircumstancesmayacoveredentitydenyanindividualsrequestforaccesstotheindividualsPHI?

AcoveredentitymaydenyanindividualaccesstoalloraportionofthePHIrequestedinonlyverylimited
circumstances.Forexample,acoveredentitymaydenyanindividualaccessiftheinformationrequested
isnotpartofadesignatedrecordsetmaintainedbythecoveredentity(orbyabusinessassociatefora
coveredentity),ortheinformationisexceptedfromtherightofaccessbecauseitispsychotherapynotes
orinformationcompiledinreasonableanticipationof,orforusein,alegalproceeding(buttheindividual
retainstherighttoaccesstheunderlyingPHIfromthedesignatedrecordset(s)abouttheindividualused
togeneratethisinformation).

Another limited ground for denial exists if a licensed health care professional determines in the exercise of professional judgment that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person. For example, a covered entity may deny a suicidal patient access to information that a provider determines in his professional judgment is reasonably likely to lead the patient to take her own life. However, we stress that this ground is narrowly construed in order to protect individuals' autonomy interests and their right under the Privacy Rule to obtain information about themselves, which is fundamental in facilitating individuals' active participation in their own health care. General concerns about psychological or emotional harm are not sufficient to deny an individual access (e.g., concerns that the individual will not be able to understand the information or may be upset by it). In addition, the requested access must be reasonably likely to cause harm or endanger physical life or safety. Thus, concerns based on the mere possibility of harm are not sufficient to deny access. As a result, we expect this ground for denial to apply in extremely rare circumstances. Further, an individual who is denied access based on these grounds has a right to have the denial reviewed by a licensed health care professional designated by the covered entity as a reviewing official who did not participate in the original decision to deny access.


For a complete list of the grounds and conditions for denial of access, see 45 CFR 164.524(a)(2)-(4). Note that an individual may not be required to provide a reason for requesting access, and the individual's rationale for requesting access, if voluntarily offered or known by the covered entity or business associate, is not a permitted reason to deny access.

If a covered entity denies access, in whole or in part, to PHI requested by the individual based on one or more permitted grounds, the covered entity must provide a denial in writing to the individual no later than 30 calendar days after the request (or no more than 60 calendar days if the covered entity notified the individual of an extension). See 45 CFR 164.524(b)(2). The denial must be in plain language and describe the basis for denial; if applicable, the individual's right to have the decision reviewed and how to request such a review; and how the individual may submit a complaint to the covered entity or the HHS Office for Civil Rights. See 45 CFR 164.524(d).

The covered entity must, to the extent possible, provide the individual with access to any other PHI requested, after excluding the PHI to which the entity has a ground to deny access. See 45 CFR 164.524(d)(1).

Does an individual have a right under HIPAA to access PHI about the individual maintained by a business associate of a covered entity?

Yes. An individual's right under the HIPAA Privacy Rule to access PHI about themselves extends to PHI in a designated record set maintained by a business associate on behalf of a covered entity. Thus, if an individual submits a request for access to PHI, the covered entity is responsible for providing the individual with access not only to the PHI it holds but also to the PHI held by one or more of its business associates. However, if the same PHI that is the subject of an access request is maintained in both the designated record set of the covered entity and the designated record set of the business associate, the PHI need only be produced once in response to the request for access. See 45 CFR 164.524(c)(1).

With respect to PHI in a designated record set maintained by a business associate, the business associate agreement between the covered entity and the business associate will govern whether the business associate will provide access directly to the individual or will provide the PHI that is the subject of the individual's access request to the covered entity for the covered entity to then provide access to the individual. However, regardless of how and to what extent a business associate supports or fulfills a covered entity's obligation to provide access to an individual, a request for access still must be acted upon within 30 calendar days (or 60 calendar days if an extension is applicable) of receipt of the request by either the covered entity, or by a business associate if the request was made directly to the business associate because the covered entity instructed individuals through its notice of privacy practices (or otherwise) to submit access requests directly to the business associate. Further, all of the access requirements that apply with respect to PHI held by the covered entity (e.g., limitations on fees that may be charged) apply with respect to PHI held by the business associate.

Does an individual have a right under HIPAA to access from a clinical laboratory the genomic information the laboratory has generated about the individual?

Yes. An individual has a right under the HIPAA Privacy Rule to access, upon request, PHI about the individual in a designated record set maintained by or for a clinical laboratory that is a covered entity. The designated record set includes not only the laboratory test reports but also the underlying information generated as part of the test, as well as other information concerning tests a laboratory runs on an individual. For example, a clinical laboratory that is a HIPAA covered entity and that conducts next generation sequencing (NGS) of DNA on an individual must provide the individual, upon the individual's request for PHI concerning the NGS, with a copy of the completed test report, the full gene variant information generated by the test, as well as any other information in the designated record set concerning the test.

Does an individual have a right under HIPAA to access more than just test results from a clinical laboratory?

Yes. Under the HIPAA Privacy Rule, an individual has a general right to access, upon request, PHI about the individual in a designated record set maintained by or for a clinical laboratory that is a covered entity. A test result or test report is only part of the designated record set a clinical laboratory may hold. To the extent an individual requests access to all of her information held by the laboratory, the laboratory is required to provide access to all of the PHI about the individual in its designated record set. This could include, for example, completed test reports and the underlying data used to generate the reports, test orders, ordering provider information, billing information, and insurance information.

Timelines for Providing Access
How timely must a covered entity be in responding to individuals' requests for access to their PHI?

Under the HIPAA Privacy Rule, a covered entity must act on an individual's request for access no later than 30 calendar days after receipt of the request. If the covered entity is not able to act within this timeframe, the entity may have up to an additional 30 calendar days, as long as it provides the individual within that initial 30-day period with a written statement of the reasons for the delay and the date by which the entity will complete its action on the request. See 45 CFR 164.524(b)(2).

These timelines apply regardless of whether:

- The PHI that is the subject of the request is maintained by the covered entity or by a business associate on behalf of the covered entity, or the covered entity uses a business associate to fulfill individual requests for access. The 30-day clock starts on the date that the covered entity receives a request for access, so any delay in obtaining the necessary information from a business associate or forwarding the request to the business associate for action uses up part of the allotted time. Alternatively, the 30-day clock starts when, instead of the covered entity, a business associate receives a request directly from an individual because the covered entity instructed the individual through its notice of privacy practices (or otherwise) to submit the access request directly to its business associate for processing.

- The covered entity negotiates with the individual on the format of the response. Covered entities that spend significant time before reaching agreement with individuals on format are depleting the 30 days allotted for the response by that amount of time.

- The PHI that is the subject of the request is old, archived, and/or not otherwise readily accessible.

These timelines are outer limits, and it is expected that many covered entities should be able to respond to requests for access well before these outer limits are reached. However, in cases where a covered entity is aware that an access request may take close to these outer time limits to fulfill, the entity is encouraged to provide the requested information in pieces as it becomes available, if the individual indicates a desire to receive the information in such a manner.

Under the EHR Incentive Program, participating providers are required to provide individuals with access to certain information on much faster timeframes (e.g., a discharge summary within 36 hours of discharge, a lab result within 4 business days after the provider has received the results) than under HIPAA. How do these requirements operate together?

Health care providers participating in the EHR Incentive Program may use the patient engagement tools of their Certified EHR Technology to make certain information available to patients quickly and satisfy their EHR Incentive Program objectives. Doing so also has the added benefit of satisfying an individual's request for access under HIPAA, where the PHI requested by the individual is available through the Certified EHR Technology, and the individual agrees to access the information in this way. While the Privacy Rule permits a covered entity to take up to 30 calendar days from receipt of a request to provide access (with one extension for up to an additional 30 calendar days when necessary), covered entities are strongly encouraged to provide individuals with access to their health information much sooner, and to take advantage of technologies that enable individuals to have faster or even immediate access to the information.

Why does HIPAA give covered entities 30 days to respond to individuals' requests for access to their PHI? In the digital age, allowing covered entities 30 days to provide individuals with access to their health information seems too long; individuals need this information promptly to manage their health and health care.

While some individual access requests should be fairly easy to fulfill (e.g., those that can be satisfied through the use of Certified EHR Technology), the HIPAA Privacy Rule recognizes that there may be other circumstances where additional time and effort may be necessary to locate and obtain the PHI that is the subject of the request, or to provide the PHI in the format requested or agreed to by the individual, or otherwise to act on the request. The Privacy Rule is intended to set the outer time limit for providing access, not indicate the desired or best result, and it is expected that many covered entities should be able to respond to requests for access well before the 30-day outer limit. Further, as technology evolves and PHI becomes more readily available via easy-to-use digital technologies, the ability to provide very prompt or almost instantaneous access to individuals will increase. The Department will continue to monitor these developments.

In some cases, the 30-day timeframe from a request to provide an individual with access to her PHI may not be sufficient time for a clinical laboratory to complete the test report that is the subject of the individual's request. What can a clinical laboratory do in these cases?

In those limited cases where, due to the nature of the test and the timing of the individual's request, 30 calendar days may not be sufficient to complete a test report to which the individual has requested access, the laboratory may notify the individual in writing within the 30-day period of the need and specific reason for the delay in providing access to the completed test result and the date by which the laboratory will complete its action on the request, in accordance with 164.524(b)(2)(iii) of the HIPAA Privacy Rule. The Privacy Rule allows only one extension on an access request and the extension may not exceed an additional 30 calendar days. In the rare circumstance where 60 calendar days is not sufficient to provide the individual with access to the completed test report requested by the individual, the covered laboratory may, at the end of the 60-day period, satisfy the access request by providing the individual with access to the PHI that does exist at the time (e.g., test requisitions, the underlying data being used to generate the reports, other completed test reports) in the designated record set.

However, to avoid this situation to the extent possible, in cases where the laboratory knows that a particular test report will take longer than the HIPAA access timeframes, we expect the laboratory to explain this circumstance to the individual. Upon informing individuals of this situation when they request access, the individuals may be willing to withdraw or hold their request until a later time to ensure that they get access to what they want or need. If an individual chooses not to withdraw his or her request for access, the individual will then have a right only to obtain the PHI in the designated record set at the time the request is fulfilled, which may not include the particular test report requested because it is not yet complete.


Form and Format and Manner of Access
Under the HIPAA Privacy Rule, do individuals have the right to an electronic copy of their PHI?

Yes, in most cases. If the PHI is maintained by a covered entity electronically, an individual has a right to receive an electronic copy of the information upon request (assuming the covered entity does not have a ground for denial under 45 CFR 164.524(a)(2) or (a)(3)). The covered entity must provide the individual with access to the PHI in the electronic form and format requested by the individual, if it is readily producible in that form and format, or if not, in a readable alternative electronic format as agreed to by the individual and covered entity. See 45 CFR 164.524(c)(2)(ii). Where an individual requests access to PHI that is maintained electronically by a covered entity, the covered entity may provide the individual with a paper copy of the PHI to satisfy the request only in cases where the individual declines to accept any of the electronic formats readily producible by the covered entity.

If the individual requests an electronic copy of PHI that the covered entity maintains only on paper, the covered entity must provide the individual with the electronic copy if the copy is readily producible electronically (e.g., the covered entity can readily scan the paper record into an electronic format) and in the electronic format requested if readily producible in that format, or if not, in a readable alternative electronic format as agreed to by the covered entity and individual. If the copy is not readily producible in electronic form, or the individual declines to accept the electronic format(s) readily producible by the covered entity, then a readable hard copy of the PHI may be provided to satisfy the access request. See 45 CFR 164.524(c)(2)(i).

If an individual requests an electronic copy of the individual's PHI that the covered entity maintains only on paper, is the covered entity required to scan the paper records to create an electronic copy of the PHI for the individual?

While a covered entity is not required to purchase a scanner to create electronic copies, if a covered entity can readily produce an electronic copy of the PHI for the individual by scanning the records, it must do so. In particular, if an individual requests an electronic copy of PHI in a specific format, and a covered entity maintains that PHI only on paper, the covered entity must provide the individual with the electronic copy, in the format requested, if the copy is readily producible electronically and readily producible in the electronic format requested. If the copy is readily producible electronically but not in the specific format requested, the covered entity may offer the individual the copy in an alternative readable electronic format. If the copy is not readily producible in electronic form, or the individual declines to accept the electronic format(s) that are readily producible by the covered entity, then the covered entity may provide the individual with a readable hard copy of the PHI to satisfy the access request. See 164.524(c)(2)(i). For example, a covered entity that maintains the requested PHI only on paper may be able to readily produce a scanned PDF version of the PHI but not the requested Word version. In this case, the covered entity may provide the individual with the PDF version if the individual agrees to accept the PDF version. If the individual declines to accept the PDF version, or if the covered entity is not able to readily produce a PDF or other electronic version of the PHI, the covered entity may provide the individual with a hard copy, such as a photocopy, of the PHI.

When an individual exercises her HIPAA right to get an electronic copy of her PHI, can the individual choose the electronic format of the copy?

While individuals do not have an unlimited choice in the form of electronic copy requested, and covered entities are not required to purchase new software or other equipment in order to accommodate every possible individual request, the individual does have a right to receive the copy in the form and format requested by the individual if the copy is readily producible in that form and format. For example, an individual may request that an electronic copy of her PHI be provided to her in Microsoft (MS) Word, MS Excel, Portable Document Format (PDF), or as structured, machine-readable data (e.g., a document following the Consolidated Clinical Document Architecture (CCDA) standard using LOINC (to represent lab tests) and RxNorm (to represent medications)), or other electronic format, and the covered entity must provide the copy in the requested format if readily producible in that format. Further, if the PHI that is the subject of the request is maintained electronically by a covered entity, the entity is required to have the capability to provide some form of electronic copy (see 78 FR 5633, https://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf), and this means that some covered entities may need to make some investments (which cannot be charged to individuals) in order to meet this baseline requirement. If an individual requests a form of electronic copy that the covered entity is unable to produce, the covered entity must offer other electronic formats that are available on its systems. If the individual declines to accept any of the electronic formats that are readily producible by the covered entity, only then may the covered entity provide a hard copy to fulfill the access request. Thus, individuals who request electronic access to PHI maintained electronically can be diverted to receiving a paper copy only in circumstances where all of the covered entity's existing capabilities for readily producing electronic copies have been presented to the individual but the individual has determined that those formats are not acceptable to her.

When an individual requests access to PHI in a particular form or format, the question for the covered entity is whether or not the entity is able to readily produce the copy in that format, which is a matter of capability, not willingness. Thus, if a covered entity has the capability to readily produce the requested format, it is not permissible for the covered entity to deny the individual access to that format because the entity would prefer that the individual receive a different format, or utilize other customary record access processes of the entity.


What is the intersection of the HIPAA right of access and the HITECH Act's Medicare and Medicaid Electronic Health Record Incentive Programs' View, Download, and Transmit provisions?

Under the HIPAA Privacy Rule, an individual has the right to access PHI maintained about the individual by a covered entity in a designated record set. This may contain electronic or non-electronic PHI. See 45 CFR 164.524(a)(1). Under the HITECH Act's Electronic Health Record (EHR) Incentive Program, eligible professionals, eligible hospitals, and critical access hospitals (CAHs) may receive incentive payments under Medicare and Medicaid and avoid payment reductions under Medicare for successfully demonstrating meaningful use of Certified EHR Technology, which includes providing patients the ability to view online, download, and transmit their health information. It is important to note that in some respects the EHR Incentive Program contains more exacting standards than the baseline requirements of the HIPAA Privacy Rule, while the HIPAA Privacy Rule contains more comprehensive requirements than the EHR Incentive Program (e.g., the HIPAA Privacy Rule access right applies to electronic and paper records, while the EHR Incentive Program applies to certain electronic records).

Below are some key distinctions between the HIPAA right of access and the individual access opportunities that may be offered through the EHR Incentive Program:

EHR Incentive Program: Professional or hospital proactively makes available certain information for the patient to view, download, or transmit (more than 50% of patients are provided timely access in Stage 2; more than 80% in Stage 3).
HIPAA Privacy Rule: Covered entity required by law to provide individuals with access upon request.

EHR Incentive Program: Access is to a specific set of data (e.g., recent lab test results, current medication list and medication history, problem list)* maintained in Certified EHR Technology (for Stage 3, the specific set of data is known as the Common Clinical Data Set (CCDS), as defined in the 2015 Edition Health IT Certification Rule**).
HIPAA Privacy Rule: Access is to requested PHI that is in a designated record set, which is PHI that is either maintained electronically (e.g., in the EHR) or other medical information that is not stored in the EHR (e.g., PHI that is stored on paper, billing records, and other records used to make decisions about individuals).

EHR Incentive Program: Access must be timely provided (e.g., in Stage 2, professionals must make information available within 4 business days of its availability to the professional, and hospitals must make information about hospital stays available within 36 hours of discharge; for Stage 3, information must be available to the patient within 48 hours of its availability to a professional and 36 hours of its availability to a hospital).
HIPAA Privacy Rule: Prompt access is encouraged but covered entities may take no longer than 30 days from receipt to act on a request for access (and may take another 30 days to respond if the individual is notified in writing of the reason for delay during the initial 30-day period).

EHR Incentive Program: Administered by the Centers for Medicare & Medicaid Services (with respect to the EHR Incentive Program) and the Office of the National Coordinator for Health IT (with respect to the Health IT Certification Program).
HIPAA Privacy Rule: Administered by the HHS Office for Civil Rights.

* See the EHR Incentive Program Final Rule at 80 FR 62812, https://www.federalregister.gov/articles/2015/10/16/2015-25595/medicare-and-medicaid-programs-electronic-health-record-incentive-program-stage-3-and-modifications

** See 80 FR 62602, https://www.federalregister.gov/articles/2015/10/16/2015-25597/2015-edition-health-information-technology-health-it-certification-criteria-2015-edition-base

Although the EHR Incentive Program and the HIPAA Privacy Rule are distinct, it is possible for a provider or hospital to leverage its Certified EHR Technology to fulfill its HIPAA Privacy Rule obligations with respect to individual access in circumstances where the individual either: (1) requests access to PHI that is held in the Certified EHR Technology; or (2) requests access to his PHI, the covered entity professional or hospital informs the individual that the PHI requested is available through the Certified EHR Technology, and the individual agrees to access the requested PHI through the Certified EHR Technology.

In scenario 1, the individual is aware of the EHR Incentive Program and specifically requests access to her PHI via the functionality of the Certified EHR Technology. For example, in exercising her right of access under the HIPAA Privacy Rule, an individual could request a copy of her information that constitutes the CCDS through the provider's Certified EHR Technology portal or that it be sent from the Certified EHR Technology to the individual's Direct address (an electronic address for securely exchanging health information using the Direct technical standard). If the provider is using Certified EHR Technology, the HIPAA Privacy Rule requires the provider to grant this request from the individual because the form and format requested is readily producible using the provider's Certified EHR Technology. At the same time, the provider should be able to count this access by the individual for purposes of meeting its EHR Incentive Program objectives, as long as the access was provided within the timeframes required by the EHR Incentive Program. Because the Privacy Rule provides up to 30 days to act on an access request, meeting the more prompt deadlines of the EHR Incentive Program clearly complies with the Privacy Rule's deadlines.

In scenario 2, the individual has requested a copy of certain of his PHI, and the provider recognizes that the PHI requested by the individual would be easily available through the Certified EHR Technology. The individual asks for the information in PDF format; the provider instead offers to set up an account for the individual so that the individual can access this information directly through the portal in the Certified EHR Technology. If the individual agrees to the portal access, the provider will be able to satisfy the individual's HIPAA access request using the Certified EHR Technology portal, while at the same time being able to count the access for purposes of meeting EHR Incentive Program objectives (as long as the access was provided within the timeframes required by the EHR Incentive Program). If the individual declines the offer and instead maintains his request to receive a copy of his PHI in PDF format, the HIPAA Privacy Rule requires the provider to provide the individual with a copy in PDF format, if the PHI is readily producible in that format or, if not, in an alternative electronic format that is agreeable to the patient. Further, the individual at all times retains the right to access his PHI in a designated record set that is not part of or available through the Certified EHR Technology.

Does an individual have a right under HIPAA to access his PHI in a particular technical standard?

In some circumstances, an individual may request access to an electronic copy of his PHI in a particular technical standard, for example, a copy of the individual's medication data represented in RxNorm or a lab test represented in LOINC. An individual may request PHI in a particular standard in order to use that information in other software the individual is using. If the covered entity is able to readily produce the PHI in the requested standard format, the covered entity must do so (unless the entity has a ground for denial as specified in the Privacy Rule at 45 CFR 164.524(a)). (We note that individuals, in exercising their rights of access under the Privacy Rule, are not required to state their purpose for requesting access, regardless of whether or not a particular form or format for the request is specified, and an individual's rationale for requesting access is not a reason to deny access.)

Do individuals have a right under HIPAA to get copies of their x-rays or other diagnostic images, and if so, in what format?

Yes. An individual has a right to receive PHI about the individual maintained by a covered entity in a designated record set, such as a medical record. See 45 CFR 164.524(a)(1). This includes x-rays or other images in the record. As with other PHI in a designated record set, the individual has a right to access the information in the form and format she requests, as long as the covered entity can readily produce it in that form and format. See 45 CFR 164.524(c). The large file size of some x-rays or other images may impact the mechanism for access (e.g., the format agreed upon by the individual and the covered entity must accommodate the file size).

Do individuals have the right under HIPAA to have copies of their PHI transferred or transmitted to them in the manner they request, even if the requested mode of transfer or transmission is unsecure?

Yes, as long as the PHI is readily producible in the manner requested, based on the capabilities of the covered entity, and transmission or transfer in such a manner would not present an unacceptable level of security risk to the PHI on the covered entity's systems, such as risks that may be presented by connecting an outside system, application, or device directly to a covered entity's systems (as opposed to security risks to PHI once it has left the systems). For example, individuals generally have a right to receive copies of their PHI by mail or email, if they request. It is expected that all covered entities have the capability to transmit PHI by mail or email, and transmitting PHI in such a manner does not present unacceptable security risks to the systems of covered entities, even though there may be security risks to the PHI once it has left the systems. Thus, a covered entity may not require that an individual travel to the covered entity's physical location to pick up a copy of her PHI if the individual requests the copy be mailed or emailed. In the limited case where a covered entity is unable to email the PHI as requested, such as in the case where diagnostic images are requested and email cannot accommodate the file size of the images, the covered entity should offer the individual alternative means of receiving the PHI, such as on portable media that can be mailed to the individual.

Further, while covered entities are required by the Privacy and Security Rules to implement reasonable safeguards to protect PHI while in transit, individuals have a right to receive a copy of their PHI by unencrypted email if the individual requests access in this manner. In such cases, the covered entity must provide a brief warning to the individual that there is some level of risk that the individual's PHI could be read or otherwise accessed by a third party while in transit, and confirm that the individual still wants to receive her PHI by unencrypted email. If the individual says yes, the covered entity must comply with the request. We note that providers using the 2015 edition of Certified EHR Technology will have the capability to send unencrypted email transmissions directly from that technology.

Whether an individual has a right to receive a copy of her PHI through other unsecure modes of transmission or transfer (assuming the individual requests the mode and accepts the risk) depends on the extent to which the mode of transmission or transfer is within the capabilities of the covered entity and the mode would not present an unacceptable level of risk to the security of the PHI on the covered entity's systems (as explained above), based on the covered entity's Security Rule risk analysis. For example, a covered entity's risk analysis may provide that connecting an outside (foreign) device, such as a USB drive, directly to the entity's systems presents an unacceptable level of risk to the PHI on the systems. In this case, the covered entity is not required to agree to an individual's request to transfer the PHI in this manner, but the entity must offer some other means of providing electronic access to the PHI.

Note that while an individual can receive copies of her PHI by unsecure methods if that is her preference, as described in more detail above, a covered entity is not permitted to require an individual to accept unsecure methods of transmission in order to receive copies of her health information.

Is a covered entity responsible if it complies with an individual's access request to receive PHI in an unsecure manner (e.g., unencrypted email) and the information is intercepted while in transit?


No. While covered entities are responsible for adopting reasonable safeguards in implementing the individual's request (e.g., correctly entering the email address), covered entities are not responsible for a disclosure of PHI while in transmission to the individual based on the individual's access request to receive the PHI in an unsecure manner (assuming the individual was warned of and accepted the risks associated with the unsecure transmission). This includes breach notification obligations and liability for disclosures that occur in transit. Further, covered entities are not responsible for safeguarding the information once delivered to the individual. Covered entities are responsible for breach notification for unsecured transmissions and may be liable for impermissible disclosures of PHI that occur in all contexts except when fulfilling an individual's right of access under 45 CFR 164.524 to receive his or her PHI or direct the PHI to a third party in an unsecure manner.

Do individuals have a right under HIPAA to have their PHI downloaded on portable media that they provide?

Whether PHI is readily producible for purposes of providing access will depend on the extent to which the requested method of copying, transfer, or transmission is within the capabilities of the covered entity and would not present an unacceptable level of risk to the security of the PHI on the covered entity's systems, based on the covered entity's Security Rule risk analysis.

With respect to portable media supplied by an individual, covered entities are required by the Security Rule to perform a risk analysis related to the potential use of external portable media and are not required to accept the external media if they determine there is an unacceptable level of risk to the PHI on their systems. However, covered entities are not then permitted to require individuals to purchase a portable media device from the covered entity if the individual does not wish to do so. The individual may in such cases opt to receive an alternative form of the electronic copy of the PHI, such as through email.

Do individuals have a right under HIPAA to have a covered entity establish a direct connection between the covered entity's system and the individual's app or device in order to provide the individuals with access to their PHI?

Whether PHI is readily producible for purposes of providing access will depend on the extent to which establishing the connection is within the capabilities of the covered entity and would not present an unacceptable level of risk to the security of the PHI on a covered entity's systems, based on the covered entity's Security Rule risk analysis.

A covered entity may determine that it has the capability to establish the type of connection requested in a manner consistent with the applicable security measures implemented in accordance with its security management process. In that case, the covered entity must provide access in the manner requested by the individual. Further, we note that starting in 2018, under Stage 3 of the EHR Incentive Program, eligible professionals, eligible hospitals, and critical access hospitals (CAHs) using Certified EHR Technology must enable application programming interface (API) functionality that would allow patients to use the application of their choice to access their data. In addition, we note that many provider systems are already using API functionality to provide patients with access to their data today in a secure manner. We expect that covered entities will assess and address any security considerations associated with connecting their systems with individual applications or devices, including through Certified EHR Technology (where applicable), as part of their HIPAA security management process.

Does an individual have a right under HIPAA to access their health information in human readable form?

Yes. In general, a covered entity must provide an individual with access to PHI about the individual in a designated record set in the form and format requested by the individual, if it is readily producible in such form and format. In cases where the PHI is not readily producible in the requested form and format, the covered entity must provide the PHI in a readable alternative form and format as agreed to by the covered entity and the individual. See 45 CFR 164.524(c)(2). Thus, individuals have a right under HIPAA to access PHI about themselves in human readable form. In cases where a covered entity is providing an individual with an electronic copy of PHI, we also expect the covered entity to provide the copy in machine readable form (i.e., in a form able to be processed by a computer), to the extent possible and where consistent with the individual's request.

Other Questions on Access Right
Is a health care provider permitted to deny an individual's request for access because the individual has not paid for health care services provided to the individual?

No. A covered entity may charge an individual that has requested a copy of her PHI a reasonable, cost-based fee for the copy. See 45 CFR 164.524(c)(4). However, a covered entity may not withhold or deny an individual access to her PHI on the grounds that the individual has not paid the bill for health care services the covered entity provided to the individual.

If an individual's physician orders a test from a clinical laboratory that may take multiple steps or a series of tests to complete, at what point does the test report become part of the laboratory's designated record set to which an individual has a right of access?

For purposes of the HIPAA Privacy Rule, clinical laboratory test reports become part of the laboratory's designated record set when they are complete, which means that all results associated with an ordered test are finalized and ready for release.

Is a clinical laboratory required to provide an individual with access to a test report that is not yet complete?

No. For purposes of the HIPAA Privacy Rule, clinical laboratory test reports become part of the laboratory's designated record set when they are complete, which means that all results associated with an ordered test are finalized and ready for release. However, other information concerning the test may be part of the designated record set and thus, accessible to the individual, even if the test report has not yet been completed, such as test orders, ordering provider information, billing information, and insurance information.

If an individual requests access from a clinical laboratory to a test report on the individual, is the laboratory required to interpret the test results for the individual?

No. There is no requirement in the HIPAA Privacy Rule that clinical laboratories interpret test results for patients. An individual has a right under the HIPAA Privacy Rule merely to inspect or receive a copy (or direct the copy to a designated third party), upon request, of the completed test reports (as well as other information in the designated record set) maintained by a laboratory that is a covered entity. Laboratories may continue to refer patients with questions about the test results back to their ordering or treating providers. However, while not required, a laboratory providing a test report to an individual that has requested access to the report may also provide educational or explanatory materials regarding the test results to individuals if it chooses to do so. Similarly, a laboratory that wishes to include a disclaimer, caveat, or other statement explaining the limitations of the laboratory data for diagnosis or treatment or other purposes may do so.

Other Access Topics
Under HIPAA, when can a family member of an individual access the individual's PHI from a health care provider or health plan?

The HIPAA Privacy Rule provides individuals with the right to access their medical and other health records from their health care providers and health plans, upon request. The Privacy Rule generally also gives the right to access the individual's health records to a personal representative of the individual. Under the Rule, an individual's personal representative is someone authorized under State or other applicable law to act on behalf of the individual in making health care related decisions. With respect to deceased individuals, the individual's personal representative is an executor, administrator, or other person who has authority under State or other law to act on behalf of the deceased individual or the individual's estate. Thus, whether a family member or other person is a personal representative of the individual, and therefore has a right to access the individual's PHI under the Privacy Rule, generally depends on whether that person has authority under State law to act on behalf of the individual. See 45 CFR 164.502(g) and 45 CFR 164.524.

In cases where a family member may not have the requisite authority to be a personal representative, an individual still has the ability, under the HIPAA right of access, to direct a covered entity to transmit a copy of the individual's PHI to the family member, and the covered entity must comply with the request, except in limited circumstances. The individual's request must be in writing, signed by the individual, and clearly identify the designated person and where to send the PHI. See 45 CFR 164.524(c)(3)(ii).

Outside of the HIPAA right of access, other provisions in the Privacy Rule address disclosures to family members. Specifically, a covered entity is permitted to share information with a family member or other person involved in an individual's care or payment for care as long as the individual does not object. In cases where the individual is incapacitated, a covered entity may share the individual's information with the family member or other person if the covered entity determines, based on professional judgment, that the disclosure is in the best interest of the individual. If the individual is deceased, a covered entity may make the disclosure unless doing so is inconsistent with any prior expressed preference of the individual. These disclosures are generally limited to the health information that is relevant to the person's involvement in the individual's care or payment for care. See 45 CFR 164.510(b).

Finally, a covered entity also is permitted to disclose the health information about an individual to any person, including a family member, if the individual provides a prior written authorization for the disclosure. See 45 CFR 164.508.

May a covered entity accept standing requests from individuals to access their PHI or to have their PHI sent to a third party of their choice?

Yes, and covered entities should have processes in place that enable individuals to receive access to their PHI, including to direct a copy of their PHI to a third party of their choice, on a standing, regular basis, without requiring individuals to repeat their requests for access every time a copy of their PHI is to be sent or otherwise made accessible. Further, covered entities should take advantage of technology and tools that automate such regular access.

Frequently Asked Questions for Professionals: Please see the HIPAA FAQs for additional guidance on health information privacy topics.

Content created by Health Information Privacy Division
