According to a recent study by Yale University School of Medicine, published in JAMA Network Open, covered entities are not providing to patients copies of their full medical records, many are charging excessive amounts for copies, and some hospitals are making it hard for their patients to exercise their HIPAA Privacy Rule right of access to inspect and to obtain a copy of their health records.
Although HIPAA did not change existing law that medical records are the physical property of the provider, it did establish a federal right of access—that is, to inspect and to copy—protected health information (“PHI”) maintained in a system of records by a covered entity over and above any pre-existing state right to inspect and copy.
Although not providing access to or a copy of a patient’s or a client’s record may seem insignificant compared to a major breach of confidentiality, remember the infamous Cignet Health of Prince George’s County. Failure to provide 41 patients copies of their charts resulted in a $4.3 million civil money penalty. Not surprisingly, Cignet went bankrupt. Why give the U.S. Department of Health and Human Services (“HHS”) something to sanction you for, when the violation is so easy for a covered entity to avoid and so easy for HHS to prosecute when it is not avoided?
Elements of the HIPAA Privacy Rule’s Right of Access
45 C.F.R. § 164.524 specifies an individual’s rights in this regard. The HIPAA Privacy Rule generally requires HIPAA covered entities to provide to individuals, upon request, access to PHI about them in one or more “designated record sets” maintained by or for the covered entity. This right includes the right to inspect the PHI or to obtain a copy of the PHI, or both, as well as the right to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice. Individuals have a right to access this PHI for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the date that the information was created, regardless of whether the information is maintained in paper or electronic systems onsite or remotely or is archived, and regardless of where the PHI originated, such as with the covered entity, another provider, the patient, and so forth. This latter requirement did away with the old belief that one did not have to provide so-called “third party” documents that were filed in patients’ charts, such as outside lab reports, records of other providers, and the like. Simply stated, once a document has been made a part of the record, it is treated as if the covered entity itself had created the document.
An individual’s personal representative―that is, generally, a person with authority under state law to make health care decisions for the individual―also has the right to access PHI about the individual in a designated record set, as well as to direct the covered entity to transmit a copy of the PHI to a designated person or entity of the individual’s choice.
Definition of “Designated Record Set”
A “designated record set” is defined at 45 C.F.R. § 164.501 as a group of records maintained by or for a covered entity that consists of the following:
- Medical records and billing records about individuals maintained by or for a HIPAA covered health care provider;
- Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
- Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. This last category includes records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.
Information that is not used to make decisions about individuals is not a part of a designated record set and need not be disclosed to the individual. This type of information may include certain quality assessment or improvement records, patient safety activity records, or business planning, development, and management records that are used for business decisions more generally rather than to make decisions about individuals. For example, peer review records would not be a part of a designated record set.
Records Excluded from an Individual’s Right of Access
The Privacy Rule does exclude these two categories of records from an individual’s right of access even when in a designated record set:
- Psychotherapy notes, which are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session, that are maintained separate from the rest of the patient’s medical record. See 45 C.F.R. §§ 164.524(a)(1)(i) and 164.501.
- Information compiled in reasonable anticipation of, or for use in, a civil, a criminal, or an administrative action or proceeding. See 45 C.F.R. § 164.524(a)(1)(ii).
Grounds for Denial of a Request
The Privacy Rule does permit denial of a request in certain circumstances, which fall into two categories.
The first category is reviewable grounds for denial. If the covered entity denies access on one of these grounds under 45 C.F.R. § 164.524(a)(3), the individual has a right to have the denial reviewed by a licensed health care professional designated by the covered entity who did not participate in the original decision to deny.
Reviewable Grounds for Denial
The three reviewable grounds are as follows: that a licensed health care professional has determined in the exercise of professional judgment that the access is reasonably likely to―
- Endanger the life or physical safety of the individual or another person. This ground for denial does not extend to concerns about psychological or emotional harm, such as concerns that the individual would not be able to understand the information or may be upset by it.
- Cause substantial harm to a person (other than a health care provider) referenced in the PHI.
- Cause substantial harm to the individual or another person when the provision of access is to a personal representative of the individual.
Nonreviewable Grounds for Denial
One nonreviewable ground for denial is that the request is for psychotherapy notes or for information compiled in reasonable anticipation of, or for use in, a legal proceeding. Other nonreviewable grounds include the following:
- An inmate requests a copy of her PHI held by a covered entity that is a correctional institution, or a health care provider acting under the direction of the institution, and providing the copy would jeopardize the health, safety, security, custody, or rehabilitation of the inmate or other inmates, or the safety of correctional officers, employees, or other persons at the institution or responsible for the transporting of the inmate. In these cases, the inmate still retains the right to inspect her PHI.
- The requested PHI is in a designated record set that is part of a research study that includes treatment, such as a clinical trial, and that is still in progress, provided that the individual agreed to the temporary suspension of access when consenting to participate in the research. The individual’s right of access is reinstated upon completion of the research.
- The requested PHI is in Privacy Act protected records―that is, certain records under the control of a federal agency that may be maintained by a federal agency or a contractor to a federal agency―if the denial of access is consistent with the requirements of the Act.
- The requested PHI was obtained by someone other than a health care provider, such as a family member of the individual, under a promise of confidentiality, and providing access to the information would be reasonably likely to reveal the source of the information.
Miscellaneous Right of Access Requirements
The Privacy Rule requires a covered entity to take reasonable steps to verify the identity of an individual making a request for access (45 C.F.R. § 164.514(h)), and a covered entity may require that such requests be in writing (45 C.F.R. § 164.524(b)(1)).
A covered entity must provide access to the PHI requested no later than 30 calendar days from receiving the individual’s request. If a covered entity is unable to provide access within 30 calendar days (for example, because the information is archived offsite and is not readily accessible), the covered entity may extend the time by no more than an additional 30 days. To extend the time, the covered entity must, within the initial 30 days, inform the individual in writing of the reasons for the delay and the date by which it will provide access.
The Privacy Rule permits a covered entity to impose a reasonable, cost-based fee if the individual requests a copy of the PHI (or agrees to receive a summary or explanation of the information). The fee may include only the cost of the following: (1) labor for copying the PHI requested by the individual, whether in paper or electronic form; (2) supplies for creating the paper copy or electronic media, such as, for example, a CD or a USB drive, if the individual requests that the electronic copy be provided on portable media; (3) postage, when the individual requests that the PHI be mailed; and (4) preparation of an explanation or a summary of the PHI, if agreed to by the individual. See 45 C.F.R. § 164.524(c)(4). The fee may not include costs associated with the following: verification; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; or other costs not listed above even if state law authorizes such costs.
Note that a covered entity may not require an individual to provide a reason for requesting access, and the individual’s rationale for requesting access, if voluntarily offered or otherwise known by the covered entity or business associate, is not a permitted reason to deny access. In addition, a covered entity may not deny access because a business associate of the covered entity, rather than the covered entity itself, maintains the PHI requested by the individual, such as, for example, if the PHI is maintained by the covered entity’s electronic health record vendor or is maintained by a records storage company offsite.
If the covered entity denies access, in whole or in part, to PHI requested by the individual, the covered entity must provide a denial in writing to the individual no later than 30 calendar days after the request (or no later than 60 calendar days if the covered entity notified the individual of an extension). See 45 C.F.R. § 164.524(b)(2). The denial must be in plain language and describe the basis for denial; if applicable, explain the individual’s right to have the decision reviewed and how to request such a review; and explain how the individual may submit a complaint to the covered entity or to the HHS Office for Civil Rights (“OCR”). See 45 C.F.R. § 164.524(d).
If the covered entity (or one of its business associates) does not maintain the PHI requested, but knows where the information is maintained, the covered entity must inform the individual where to direct the request for access. See 45 C.F.R. § 164.524(d)(3).
For a more complete discussion of the right to inspect and copy under the HIPAA Privacy Rule right of access, see the HHS guidance at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.