HIPAA Right of Access & OCR Enforcement: What Physicians Should Know

Last Updated: Jan 27, 2020

In addition to establishing a series of rules and protections that safeguard the privacy and security of protected health information (PHI), the Health Insurance Portability and Accountability Act (HIPAA) and its accompanying regulations also set forth an array of individual rights with respect to PHI.

The Pennsylvania Medical Society (PAMED) often receives questions from members regarding HIPAA requirements. One of the most common inquiries PAMED receives concerns the right of access provisions of the HIPAA Privacy Rule.

What Is Right of Access under HIPAA?

The HIPAA Privacy Rule generally requires covered entities to allow patients, upon request, access to inspect and obtain copies of their PHI maintained in a designated record set. HIPAA right of access can also extend to personal representatives of the individual as well. Note that most physicians and other health care providers are considered covered entities for HIPAA purposes.

Under HIPAA, patient access must be timely and generally in the form or format requested by the patient. Health care providers may require that requests be in writing, provided that patients are informed of this requirement beforehand. No unreasonable measures that serve as barriers to access, or that unreasonably delay it, may be imposed on the individual requesting access.

Non-compliance with HIPAA provisions can result in monetary fines as well as other potential penalties for covered entities.

Note that this article only examines the right of individuals to access their own records personally and does not discuss requests by individuals to transmit their records to any third parties.

What Does HIPAA Right of Access Apply To?

Subject to limited exceptions, the HIPAA right of access applies to PHI maintained in a designated record set. A “designated record set” is defined in HIPAA as a group of records, maintained by or for a covered entity, consisting of:

  • Medical records and billing records maintained by or for a covered health care provider;
  • Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
  • Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals.

The following information (see 45 CFR §164.524(a)) is explicitly excluded from the HIPAA Privacy Rule’s right of access:

  • Psychotherapy notes, which are the personal notes, recorded in any medium, of a mental health professional documenting or analyzing the contents of a discussion or counseling session, that are maintained separate from the rest of the patient’s medical record.
  • Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

How Timely And in What Form Must Access Be Granted?

HIPAA requires that covered entities act on an individual’s request for access no later than 30 calendar days from receipt of the request. If the entity is unable to meet the request within 30 days, this time period may be extended by no more than an additional 30 days. However, within the initial 30-day period, the covered entity must inform the individual in writing of the reasons for the delay and the date by which the entity will provide access. Only one extension is allowed per access request.

Covered entities must provide individuals access to their PHI in the form and format requested by the individual, if the information is readily producible in such form and format or, if not, in a readable hard copy form or such other form and format as agreed to by the covered entity and the individual. If the covered entity uses or maintains an electronic health record with respect to PHI, an individual has a right to obtain from the entity a copy of such information in an electronic format.

Can Individuals Be Charged a Fee for Copies of Their PHI?

HIPAA permits individuals to be charged only a reasonable, cost-based fee for obtaining copies of their medical records. Note that physicians are not required to charge patients for copies of their medical records, and many waive any charge that otherwise would be allowed, especially when providing a copy to the patient or another physician for treatment purposes.

This fee can only include the cost of labor for copying the record, supplies for creating the copy, postage, and the cost of preparing an explanation or providing a summary of the requested PHI. Patients may not be charged any search or retrieval fees.

The Pennsylvania Department of Health (DOH) annually publishes guidelines and maximum fees that a health care provider or facility may charge in response to requests for production of medical charts or records. PAMED members can access a convenient chart with 2020 copying fees here.

Are There State Requirements Related to Right of Access?

Both the Pennsylvania State Boards of Medicine and Osteopathic Medicine have regulations enforcing a patient’s right to access their health information.

Under State Board of Medicine regulations, failure to make medical records available upon written request of a patient may result in professional discipline, subject to limited exceptions. These regulations also prohibit making payment for medical care a condition of providing the patient with a copy of the requested records related to such care.

Similarly, the State Board of Osteopathic Medicine requires licensees to provide a patient, upon the patient’s request, with a complete copy of the patient’s medical record within a reasonable time of the request.

Recent Federal Actions Concerning Patient Right of Access

The Office for Civil Rights (OCR) within the United States Department of Health and Human Services (HHS) is responsible for enforcing HIPAA’s privacy, security, and breach notification rules. OCR has recently undertaken a nationwide initiative to enforce the patient right of access. This initiative has included the following actions:

  • A Florida hospital, Bayfront Health St. Petersburg, paid $85,000 to OCR and adopted a corrective action plan after not providing a mother with requested access to prenatal records about her child until more than nine months after the initial request. Click here for additional information on the case.
  • Korunda Medical, another Florida health care provider, also paid $85,000 to OCR and adopted a corrective action plan after failing to timely forward, per a patient’s request, medical records to a third party in the requested electronic format. This settlement occurred after two OCR interventions in the case. For more information on this case, click here.

A recent federal district court order vacated certain HHS provisions regarding third-party directives and what fees covered entities may charge when a patient requests that their PHI be sent directly to a third party. In response to this order, OCR issued an Important Notice Regarding Individuals’ Right of Access to Health Records, which can be accessed here. This notice acknowledges the provisions restricted by the court order and reaffirms OCR’s commitment to enforcing the rights of individuals to access their own PHI. PAMED will continue to monitor for additional developments and update members accordingly.

Where Can I Find Additional Information?

Both HHS and OCR have a number of resources regarding HIPAA compliance, including a fact page on the right of access and general HIPAA FAQs for health care professionals.

PAMED members with questions can also contact our Knowledge Center at 855-PAMED4U (855-726-3348) or KnowledgeCenter@pamedsoc.org.
