Federal Health & Welfare Updates

HHS Issues Guidance on HIPAA Right to Access Health Information

Recently, HHS released a set of FAQs concerning an individual’s right to access health information. HIPAA requires covered entities, which include insurers and self-insured group health plans, to provide individuals with access to their protected health information (PHI), such as medical records, information related to enrollment, payment, or claims adjudication, and other records used by the covered entity to make decisions about those individuals. This right of access includes the right to obtain copies (paper or electronic) of the PHI and the right to direct the covered entity to transmit copies of the PHI to persons or entities designated by the individual. This right of access remains for as long as the covered entity maintains the PHI, and it extends to archived material too.

The new guidance clarifies details concerning this right of access. First, the guidance confirms that a covered entity can charge the requesting individual a fee for providing the PHI. However, that fee can only include the cost of the labor for creating and delivering the PHI (not for searching and retrieving, or reviewing the PHI), supplies (although this does not allow the covered entity to require the individual to purchase portable media), and postage. Covered entities cannot pass on the costs they may pay to business associates for creating or delivering the PHI, nor can they pass on costs authorized by state-authorized fees. The guidance provides several methods for calculating the fee, including an “actual costs” method, an “average costs” method, and a “flat fee” method. Covered entities must provide an estimate of the fee to the requesting individual before fulfilling their request.

Although the covered entity can impose these fees, the guidance asserts that covered entities should provide PHI to requesting individuals free of charge, especially in cases where the individual may not be able to afford the fees. The guidance also states that if the individual can access the PHI electronically via a certified electronic health record technology (CEHRT) established by the covered entity, then the covered entity should not charge a fee for that access.

The guidance also clarifies the individual’s right to send PHI directly to a third party. If an individual submits a written request to a covered entity that clearly identifies where and to whom the PHI should be sent, then the covered entity is obliged to send the PHI to that third party. The individual’s personal representative, as determined by state law, also has the right to direct a covered entity on behalf of the individual.

The covered entity may rely on the information provided in writing by the individual about the identity of the designated person and where to send the PHI for purposes of verification of the designated third party as an authorized recipient. However, they must implement reasonable safeguards in otherwise carrying out the request, such as taking reasonable steps to verify the identity of the individual making the access request and to enter the correct information into the covered entity's system, as well as safeguarding the PHI in transit to the third party.

The covered entity is obligated to notify the individual and HHS of any breach that occurs when it provides the PHI to a third party and comply with other breach notification obligations imposed by HIPAA. However, the covered entity is not responsible for breaches that occur when transmitting the PHI to a third party if it does so in an unsecured manner as directed by the individual (after being warned of the risks). The covered entity is also not responsible for any breaches that occur once the PHI is delivered to the third party.

The guidance also clarifies what information is subject to this right of access. As mentioned above, the individual has access to a large amount of data (collectively, this data is referred to as “designated record sets”). Examples of this type of information include certain quality assessment or improvement records, patient safety activity records, or business planning, development, and management records that are used for business decisions more generally rather than to make decisions about individuals. Note that individuals do not have a right to access information about the individual compiled in reasonable anticipation of, or for use in, a legal proceeding (but the individual retains the right to access the underlying PHI from the designated record set(s) about the individual used to generate the litigation information).

Covered entities may deny a request for information compiled in reasonable anticipation of, or for use in, a legal proceeding, included in psychotherapy notes, or determined by a licensed healthcare professional to be reasonably likely to endanger the physical safety of the individual or someone else if it is provided. The guidance stresses that these are very limited circumstances and that covered entities are generally obliged to provide requested information.

Finally, the guidance discusses the timelines within which a covered entity must provide the requested information. Under the HIPAA Privacy Rule, a covered entity must act on an individual's request for access no later than 30 calendar days after receipt of the request. If the covered entity is not able to act within this timeframe, the entity may have up to an additional 30 calendar days as long as it provides the individual – within that initial 30-day period – with a written statement of the reasons for the delay and the date by which the entity will complete its action on the request. The 30-day clock starts on the date that the covered entity receives a request for access. The guidance also stresses that the 30-day deadline is an outer limit and that HHS expects covered entities to provide requested information sooner than that.

Although insurers and TPAs for self-insured group health plans typically address requests regarding an individual’s access to health information, plan sponsors should be aware of this guidance.

HHS Guidance on Access to Individual Information »

PPI Benefit Solutions does not provide legal or tax advice. Compliance, regulatory and related content is for general informational purposes and is not guaranteed to be accurate or complete. You should consult an attorney or tax professional regarding the application or potential implications of laws, regulations or policies to your specific circumstances.
