On January 7, 2015, HHS issued new guidance (Guidance) regarding an individual’s right to access his or her health information under HIPAA’s Privacy Rule. The Guidance emphasizes that HIPAA, while protecting the privacy and confidentiality of individuals’ health information, also recognizes the importance of providing individuals with access to their health information.
The Guidance reviews the applicable provisions of the Privacy Rule that establish an individual’s general right to access protected health information (PHI) maintained about the individual by or for a covered entity in a designated record set (found at 45 C.F.R. §164.524). The Guidance notes in part that:
- Individuals may be required (at the covered entity’s option) to make a written or electronic request for access to PHI;
- Covered entities must take reasonable steps to verify the identity of an individual making a request for access to PHI;
- Access to PHI must be provided in the form and format requested (i.e., paper or electronic), if readily producible in that form and format, or if not, in a readable hard copy form or other form and format as agreed to by the covered entity and individual;
- Access must be provided within 30 calendar days of an individual’s request (which time period may be extended once by 30 days upon notification to the individual);
- Access may only be denied in limited circumstances set forth by the Privacy Rule, certain of which are subject to review;
- An individual may also direct a covered entity to transmit PHI about the individual directly to another person or entity; and
- A covered entity may impose a reasonable, cost-based fee for providing a copy of PHI or a summary or explanation of such information, provided that such fee may only include the cost of labor for copying the PHI, supplies for creating a paper copy or electronic media, postage, and the preparation of an explanation or summary (other costs permitted under state law may not be included).
The Guidance is accompanied by FAQs regarding the scope of information covered by an individual’s right of access, the type of records or other information covered, and the circumstances under which a covered entity may deny an individual’s request for access to PHI.
In a press release accompanying the release of the Guidance, Jocelyn Samuels, director of the Office for Civil Rights (OCR), indicated that the Guidance is intended to remove barriers that individuals face in accessing their health information. The Guidance appears to be one piece of a broader HHS initiative intended to ensure that individuals understand and are able to exercise their rights under HIPAA. HIPAA-covered entities and individuals will therefore want to continue monitoring HHS and OCR for the release of additional guidance and related tools concerning HIPAA and health information privacy.