Understanding the HIPAA individual right of access to health information

Aug. 29, 2017
Sue Bowman, MJ, RHIA, CCS, FAHIMA, Senior Director, Coding Policy and Compliance, AHIMA

Providing individuals access to their health information empowers them to be more in control of decisions regarding their health and increases their engagement in their own healthcare. The HIPAA Privacy Rule provides individuals or their personal representatives with a legal right of access to their protected health information maintained by HIPAA-covered entities that is used, in whole or in part, to make decisions about individuals.

The right of access established by the Privacy Rule includes the right to inspect or obtain a copy, or both, of one’s health information or to direct the HIPAA-covered entity to transmit a copy to a designated person or entity of the individual’s choice, such as a family member or mobile app. An individual’s request to direct his health information to another person must be in writing, signed by the individual, and clearly identify the designated person and where to send the information.

The Privacy Rule requires a covered entity to take reasonable steps to verify the identity of an individual making a request for access but does not mandate a particular form of verification. Unreasonable measures may not be imposed that would serve as barriers to or unreasonably delay the individual’s access to his health information. For example, requiring an individual who wants a copy of his medical record to come to the provider’s location to request access and provide proof of identity in person would be considered an unreasonable requirement.

The information requested must be provided in the format requested if it is readily producible in such format. For example, if the covered entity maintains health information electronically and the individual requests an electronic copy, the covered entity must accommodate this request, if possible. If the information is not available in the form or format requested, an easily readable hard copy of the information or another form or format to which the individual and covered entity can agree must be produced. Individuals must be provided access to their protected health information for as long as the information is maintained by the covered entity.

Access to the requested health information must be provided no later than 30 calendar days after receiving the individual’s or personal representative’s request. If the covered entity is unable to provide access within this time frame, the covered entity may extend the deadline for up to 30 days.

A reasonable, cost-based fee may be charged for an individual’s request for a copy of his health information. No fee may be charged for retrieving or handling the information or for processing the request. Although the Privacy Rule permits reasonable fees, the Office of Civil Rights recommends that covered entities provide individuals who request access to their health information with a copy free of charge.

Under limited circumstances, a covered entity may deny an individual’s request for access to his health information. For example, an individual may be denied access to health information if the covered entity obtained the requested information from someone other than a healthcare provider under a promise of confidentiality. Also, individuals do not have a right of access to psychotherapy notes or information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding, though covered entities may provide access. Individuals have the right to request a review of some types of denials by a licensed healthcare professional who did not participate in the original denial decision.

A covered entity may require individuals to request access to their protected health information in writing or using the entity’s own form as long as use of this form does not create a barrier or unreasonably delay the individual from obtaining access to his information. HIPAA authorization is not required for individuals to request access to their health information, even to direct a copy to a third party. Since an authorization form requests more information than is necessary, requiring the use of a HIPAA authorization form may create impermissible obstacles to the exercise of an individual’s access rights.

The American Health Information Management Association (AHIMA) has developed a model form covered entities may wish to use as a template for requests for access to a patient’s health information by the patient or his personal representative. AHIMA’s Patient Request for Health Information Model Form (www.ahima.org/modelform) is intended to provide patients with a standardized mechanism to access their health information from a provider or healthcare organization and streamline the request process for patients to obtain their information. It is solely for requests for access to the patient’s health information by the patient or his designated representative.

