Right to Access – sound familiar?  It should! The Office for Civil Rights (OCR)  has recently reported eleven enforcement actions against covered entities who failed to comply with the Individuals’ Right under HIPAA to Access their Health Information  (HIPAA Right to Access Rule). Providers have been slammed with COVID-19 burdens for almost a year now, but with that being said, the OCR is sending a pretty strong message. Ensuring you are following the HIPAA Right to Access Rule during the Public Health Emergency and beyond is serious business.

What is Right to Access? The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects an individual’s identifiable health information through privacy and security measures as well as sets forth an individual’s rights to health information. The HIPAA Privacy Rule provides a person “with a legal, enforceable right to see and receive copies upon request of the information in their medical and other health records maintained by their health care providers and health plans.

HIPAA Right to Access Rule states, “Providing individuals with easy access to their health information empowers them to be more in control of decisions regarding their health and well-being.” A provider may require written request from the individual. If this is the provider’s process, notification of this expectation should be provided to the individual. The provider is required “to take reasonable steps to verify the identity of an individual making a request for access.” The provider “may not impose unreasonable measures on an individual requesting access that serve as barriers to or unreasonably delay the individual from obtaining access.

The HIPAA Right to Access Rule requires the provider to give the individual access to the information in the form and format requested by the individual, if the provider is able to produce the documentation in that form and format. If the provider cannot provide the information in the requested form and format, then the provider should provide the information in a readable hard copy form or other form and format that has been agreed upon by the provider and the individual.

  • For paper copies of records, the provider is expected to provide the individual with paper copies, even if the records are electronic.
  • For electronic copies of records:
    • If the provider has paper records, the provider is required to provide the individual with an electronic copy or if unable to convert paper documentation in to an electronic version (scanning paper documentation to provide an electronic version), then provide the records in a readable alternative electronic format or hard copy that has been agreed upon by the provider and individual.
    • If the provider has electronic records, the provider must provide the individual with access as requested (form and format) if the provider is able. If the provider is unable, then the provider must provide access to an agreed upon alternative. The provider must try to accommodate every possible individual request or at least must have the ability to provide some form of electronic copy.

Meeting the time frame to the individual request for records is extremely important. Providers must provide access to the Protected Health Information (PHI) no later than thirty calendar days from the received request or provide a denial to the individual’s request. It is important to note that providers are encouraged to respond to PHI requests as soon as possible and not wait until close to the thirty day mark.When State laws are more stringent than the HIPAA Privacy Rule for individuals to access PHI, then the state laws should be followed.

The HIPAA Privacy Rule is extremely complex and requires time to thoroughly review. Failing to provide timely access to PHI or a timely denial to the request, can have significant financial implications.  Reviewing the most recent ten enforcement actions, each had to enter into a resolution agreement along with fines ranging from $3,500 at the low end to $160,000 at the high end. Mitigate your risk! Review your state specific laws, put a policy and procedure in place, and train employees on what your facility specific policy and procedure is for ensuring timely access to PHI.

Gina Elkins, Director of Compliance and Regulatory Strategy


Other Provider Resources Available: HIPAA Basics for Providers: Privacy, Security, and Breach Notification Rules: https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/HIPAAPrivacyandSecurity.pdf

Medical Privacy of Protected Health Information: https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/downloads/SE0726FactSheet.pdf