Avoiding HIPAA Right of Access Fines and Penalties - Essential Basics of the HIPAA Right of Access Rule

Over the last year, the Office of Civil Rights (“OCR”) at the U.S. Department of Health and Human Services ("US DHHS") has filed and settled multiple actions against physician practices and hospitals to “send a message” about the importance of providing patients prompt access to their medical records and other health information, as required by the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule.¹ Practices that are small, rural, or unaffiliated with a hospital or health system are not immune to these investigations, as OCR is taking action against entities of all sizes, specialties, types, and affiliations. To avoid violations that can trigger hefty penalties, physicians and their practices must understand and comply with the HIPAA Privacy Rule access requirements.² The basic mandates include:

• • Upon request, a patient or patient’s “personal representative,” as defined in the Privacy Rule,³ has a broad right to access the patient’s protected health information (“PHI”) maintained by the practice, whether in electronic or paper form.
    
    
  • PHI includes medical records, billing and payment records, claims and insurance information, and other information used to make decisions about the patient’s care.
    
    
  • A patient or “personal representative”⁴ can request to view the PHI, or request an electronic or paper copy of the PHI be sent to the patient, the patient’s representative, or a third party.
     
  • In Arizona, the patient or personal representative must submit the request in writing.⁵
    
  • In Utah, the patient or personal representative may submit the request either orally or in writing, but the practice may require a written request provided it advises patients of this requirement.⁶
•  
  • If the request directs that PHI be sent to a third party, it must be a written request signed by the patient or “personal representative.”⁷    
     
  • The HIPAA Privacy Rule simply requires that the practice take “reasonable steps” to verify the identity of the requestor. Verification may be completed orally or in writing, via fax or e-mail, in-person, or through a secure web portal.
    
    
  • A practice must provide the PHI requested or a written denial of the request within 30 days of receipt of the request. A practice is entitled to one 30 day extension, provided it notifies the requestor in writing of the reasons for the delay and specifies a date within the 30 day extension period by which it will respond.
    
    
  • A practice may deny requests for the following categories of information, without an opportunity for review: 1) psychotherapy notes; 2) information compiled in reasonable anticipation of legal proceedings; 3) information obtained from someone other than a health care provider under a promise of confidentiality, and access is reasonably likely to reveal the source of the information; 4) information in records controlled by a Federal agency and protected by the Privacy Act; or 5) information created or obtained in the course of research that includes treatment, provided the patient agreed to the denial of access at the outset of the study. Access is suspended temporarily while the research is in progress and reinstated upon completion.
    
    
  • A practice may deny the request, but must offer an opportunity for review, if: 1) A licensed health care professional has determined in the exercise of professional judgment that access is reasonably likely to endanger the physical safety or life of the patient or another person; 2) The information refers to a person other than a health care professional (i.e. family member, caregiver, etc.), and a licensed health care professional has determined in the exercise of professional judgment that access is reasonably likely to cause substantial harm to that other person; or 3) Where the requestor is the personal representative, a licensed health care professional has determined in the exercise of professional judgment that access is reasonably likely to cause substantial harm to the patient or another person.
    
    
  • The denial must state the basis in plain language and, where applicable as discussed below, explain how the patient can request review. The denial also must be noted in the medical record. Denials also must tell the requestor how to complain to the practice⁸ or US DHHS⁹, and provide the name or title and phone number of the practice member¹⁰ designated to receive complaints. Where the request seeks some information for which there is no basis for denial, that information must be segregated and provided.¹¹
    
    
  • If a patient requests review, the practice must promptly refer the review to an individual designated by the practice who is a licensed health care professional who did not participate in the initial denial decision.¹² The reviewer must issue a determination within a reasonable period of time, and the practice must abide by the reviewer’s decision.
    
    
  • When the practice grants the request for access in whole or in part, the practice must provide the PHI in the form and format and manner of access requested, if the practice is capable¹³ of producing the information in this way and if it does not present an unacceptable level of risk to the security of other PHI on the practice’s system.¹⁴
•  
  • The practice may charge a reasonable, cost-based fee that complies with the statute.¹

¹ See MICA's Avoiding HIPAA Right of Access Fines and Penalties - Enforcement Actions are Closer Than You Think. 

² See 45 C.F.R. § 164.524.

³ With some exceptions, HIPAA requires that practices treat a patient’s personal representative as they would treat the patient for purposes of access to PHI. In general, a personal representative is a person with authority under State law to make health care decisions for the patient. See 45 C.F.R. § 164.502(g); see also https://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/personalreps.html.

⁴ See 45 C.F.R. § 164.502(g); see also footnote 3 and https://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/personalreps.html.

⁵ Although HIPAA permits patients and representatives to submit requests either orally or in writing, Arizona law is more stringent and requires a written request. See A.R.S. § 12-2293(A).

⁶ Utah Code adopts the HIPAA provision which allows patients and representatives to submit either oral or written requests, but permits practices to require a written request provided they inform patients. See 45 C.F.R. § 164.524(b)(1) & Utah Code § 78B-5-618.

⁷ See 45 C.F.R. § 164.502(g); see also footnote 3 and https://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/personalreps.html.

⁸ 45 C.F.R. § 164.530(d) sets forth Complaint procedures.

⁹ 45 C.F.R. § 160.306 sets forth Complaint procedures.

¹⁰ This person must be designated by the practice as required by 45 C.F.R. § 164.530(a)(1)(ii).

¹¹ OCR cautions that complexity in segregating the information is not a valid reason for a practice to withhold that part of the information to which it has granted access.   

¹² In a solo practitioner’s office, this may be a nurse or physician assistant.

¹³ When an individual requests access to PHI in a particular form or format, the question is whether the practice is capable of readily producing the copy in that format. Willingness does not factor into the determination. Thus, if the practice is capable, the practice may not deny access in the format requested because it finds production in a different format more convenient.

¹⁴ An example of unacceptable risk may be where the patient supplies portable media for downloading the PHI, but based on a security risk analysis the practice determines that using the portable media could jeopardize the security of other information on the computer system. In this scenario, the practice must offer an alternative manner of electronic access.

¹⁵ See 45 C.F.R. § 164.524(c)(4). 

The content of this publication or presentation is intended for educational purposes only; is not an official position statement of Mutual Insurance Company of Arizona (MICA); and should not be considered or relied upon as professional, medical, or legal advice or as a substitute for your professional judgment. Consult your attorney about your individual situation and the applicable laws. The authors, presenters, and editors made a reasonable effort to ensure the accuracy of the information at the time of publication or presentation but do not warrant or guarantee accuracy, completeness, or currency of such information. As medical and legal information is constantly changing and evolving, check for updated information and consult your attorney before making decisions.