The Office for Civil Rights (OCR) within Health & Human Services issued a pointed blog post releasing guidance addressing the rights of individuals to access and receive copies of their health information from doctors, hospitals, and other health care providers. The new guidance provides a valuable resource for providers seeking to comply with the rules and to understand how OCR will interpret the rules during enforcement activities.
Noting that individuals have broad rights under the HIPAA Privacy Rule in order to allow individuals to better manage their own health needs, OCR criticized what it characterized as obstacles to accessing health care information. OCR further observed that “based on recent studies and our own enforcement experience, far too often individuals face obstacles to accessing their health information” and bluntly stated “[t]his must change.” To address these concerns with health care providers, OCR released a fact sheet and the first of a series of Frequently Asked Questions.
While additional guidance and other tools are expected to be released, the new guidance documents provide detailed summaries of the patient right of access under the HIPAA Privacy Rule.
General Right to Access
The new guidance reminds health care providers and organizations of the requirement to provide individuals with any requested health information maintained by the entity, regardless of how or where the information is maintained. The guidance walks through the limited exceptions to this right, and explains if an individual’s request for information is denied, he or she may appeal the denial under some of these exceptions.
Format of Information and Timing
The guidance also emphasizes that entities must give an individual their personal health information in the format requested by the individual. If the requested format is unavailable, then the entity must provide the individual with the information in an alternative format agreed upon by the individual. Entities may impose a reasonable fee for the copy of the information, to cover for the cost of labor, supplies, postage, and preparation of a summary of the information.
Requested information must generally be provided within 30 calendar days of receiving a request. If the entity cannot provide the information within 30 days, the entity can extend the time period an additional 30 days provided the individual is informed of the reasons for the delay. OCR expects that most providers will be able to provide patients with their information well in advance of the 30 day deadline as most providers are able to quickly provide patients with data electronically.
Should you or your organization have any questions regarding HIPAA compliance and patient access rights or the specific information contained in the new guidance, please contact Goodman Allen Donnelly.
This Client Advisory is for general educational purposes only. It is not intended to provide legal advice specific to any situation you may have. Individuals desiring legal advice should consult legal counsel for up to date and fact specific advice.