HHS clearly outlines HIPAA requirements for patient information access

Providers must give patients access to their protected health information (PHI) upon request in a timely manner, without requiring the patient to go through unreasonably burdensome steps to obtain it. In an effort to promote patient engagement, HHS released a fact sheet, including answers to frequently asked questions, to inform patients and providers of access rights under the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191). HHS intends to develop additional guidance and tools for patients on the topic, in conjunction with the Office for Civil Rights (OCR), the White House, and the HHS Office of the National Coordinator for Health Information Technology (ONC).

What information is available?

Generally, entities covered by HIPAA must provide patients, upon request, with the PHI in designated record sets maintained by the entity. According to 45 C.F.R. sec. 164.501, designated record sets include medical and billing records from a health provider; enrollment, payment and other information maintained by a health plan; and other records that are used to make decisions about the patient. Certain information is excluded from these requirements, such as psychotherapy notes and information compiled in anticipation of court or administrative action.

Easy access

Regulations allow a provider some flexibility regarding the method of requesting access to information (45 C.F.R. sec. 164.524). A provider may require a written request, but may also allow requests to be filed electronically. Patients may also be required to use a provider’s supplied form, as long as this requirement does not create a barrier or unreasonable delay in receiving information. A covered entity must verify the identity of the person making the request through reasonable steps, but cannot require an individual to use a web portal, to physically come to the doctor’s office and provide proof of identity when requesting information mailed to a home address, or to mail an access request (which would cause an unreasonable delay).

An entity must make reasonable efforts to provide the information in the format requested. If an individual requests a paper copy of PHI, providers are expected to be able to provide it in this format even if the information is maintained electronically. If a patient requests an electronic copy but the information is maintained on paper, the entity is expected to provide the PHI electronically if it is readily producible, such as by scanning a paper record.