Individuals’ Right Under HIPAA to Access Their Protected Health Information
When individuals have access to their protected health information, they can take control of their treatment plans and wellness. Empowering individuals to know about their health is a key element of patient-centered care.
People with access to their identifiable health information can monitor their conditions, make sure their records are accurate, lend their information to research, and track their progress.
The HIPAA Privacy Rule, located at 45 CFR Part 160 and Subparts A and E of Part 164, establishes a set of national standards for the protection of certain health information. The Privacy Rule addresses the use and disclosure of individually identifiable health information by covered entities and establishes standards for individuals to understand and control how their health information is used.
One of the key elements of the Privacy Rule is to give patients (or a personal representative) the right to see and obtain copies of their health records, including electronic health records (EHR), and medical information.
Right of Access
According to the U.S. Department of Health and Human Services (HHS), HIPAA covered entities include health plans and public healthcare providers. Subject to certain exceptions, covered entities must provide individuals with their protected health information (PHI) maintained in a designated record set upon an individual’s request for as long as the covered entity maintains it.
A designated record set is defined at 45 CFR 164.501 as records maintained by or for a covered entity, including health plan enrollment, payment, and medical management record systems information maintained by or for a health plan, the individual’s medical records and billing records maintained by or for a health care provider, and other records used by or for a covered entity to make decisions about the individual.
A covered entity is not expected to create new information that is not already in the designated record set. However, individuals making a timely request for their PHI should be able to access their medical and payment records, insurance information, lab test results, medical images, case notes, and program files.
The right of access does not include psychotherapy notes to track mental health or any information gathered in anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
Provided it gives proper notice of its privacy practices, a covered entity can require individuals to request access in writing, by email or through a secure web portal, or on the entity’s HIPAA authorization form.
Any covered entities providing individuals with access to PHI via a web portal must set those web portals up with appropriate authentication controls. Entities must also follow the breach notification rule and take reasonable measures to verify an individual’s identity.
The Privacy Rule does not require any specific form of identification to comply with a patient request. The type of verification may depend on the method used to request access.
As mentioned above, an individual’s personal representative may also request access to the individual’s PHI. A personal representative is generally defined as a person with authority under state law to make health care decisions for the individual. Notably, HIPAA does not include an attorney retained to evaluate a medical malpractice claim within the definition of a personal representative.
According to the HHS, covered entities must provide individuals with access to PHI in a designated record set in the form and format that the individual requests if the PHI is readily producible in that form and format.
A covered entity must act on a request for access to PHI no later than 30 calendar days from receipt of the request. Covered entities may impose a reasonable cost-based fee for the provision of copies of PHI.
There are circumstances where a covered entity may deny a request for all or a portion of PHI requested. If a covered entity denies an individual’s request, the covered entity must provide a written denial containing (i) the basis for the denial; (ii) if applicable, a statement of the individual’s review rights; and (iii) a description of how the individual may complain to the covered entity, including the name or title and phone number of the contact person who is responsible for receiving complaints and who can provide further information. Depending on the circumstance, the individual may or may not have a right to have the denial reviewed by a licensed health care professional who did not participate directly in the covered entity’s decision to deny.
A Florida Clinic Paid $85K for Violating the HIPAA Records Access Rule
In 2019, the Federal Office for Civil Rights (OCR) announced a HIPAA Right of Access Initiative, promising to vigorously enforce the right of patients to obtain prompt access to their medical records, in the format of the patient’s choice and without being overcharged.
The OCR announced the second settlement in this initiative on December 12, 2019. The enforcement action arose from an investigation conducted after receiving a patient complaint regarding a company named Korunda Medical LLC. The patient claimed that the Florida-based primary care and interventional pain management provider failed to provide PHI to a third party in a timely manner, failed to provide the records in the requested electronic format, and overcharged for its efforts.
The OCR gave Korunda technical assistance to fix the problem, but Korunda still failed to provide the requested records, and the patient sent a second complaint to the office. Korunda will now pay $85,000 for violating HIPAA’s right of access provisions and will also complete a corrective action plan that includes one year of monitoring.
How Are HIPAA Violations Discovered?
HIPAA violations are usually discovered as a result of HIPAA compliance audits, investigations into a data breach, or investigations into complaints about covered entities or a business associate.
The OCR may also find HIPAA violations when investigating unrelated complaints or data breaches.
A covered entity could unwittingly violate HIPAA rules for months or years before being notified, and the penalty may increase the longer the violations continue. For this reason, a covered healthcare provider should conduct regular HIPAA compliance reviews to identify and cure violations before they draw an enforcement action.
Tache Bronis provides guidance on current HIPAA rules and Florida state law. Our experienced attorneys assist with fraud detection, law enforcement, prevention, and compliance. For more information or FAQs, call us at 305-676-8808.
Tache, Bronis, Christianson and Descalzo, P. A.
150 S.E. 2nd Avenue
Miami, FL 33131
Copyright © 2020 Tache, Bronis, Christianson, and Descalzo. All rights reserved.