The U.S Department of Health and Human Services is trying to change the perception of what HIPAA does for patients. HIPAA is commonly thought of as a rule that requires health organizations to secure patients’ protected health information (PHI). While that remains true, HHS wants more people to be aware that HIPAA also affords them the right to freely access their own patient health information.
Jocelyn Samuels, director of the HHS Office for Civil Rights (OCR), authored a blog post that accompanied a frequently asked questions (FAQ) section and fact sheet detailing the information which patients must be allowed to receive. Patients are entitled to a “designated record set”, a collection of the patient’s PHI, which contains the following:
- Medical and billing records maintained by a covered healthcare provider
- Enrollment, payment and claims adjudication records
- Any other records used by providers to make a decision about an individual patient
In her blog, Samuels promised OCR and HHS “will continue to develop additional guidance and other tools as necessary to ensure that individuals understand and can exercise their right to access their health information.”
Patients can ask for a copy of their PHI, either in an electronic or paper format. If the record is not “readily producible” in the patient’s preferred format, the covered entity and individual must agree on an alternative format. A patient must be given access to their information within 30 days of their request, unless there is a delay in processing. If that occurs, the HIPAA covered entity has an additional 30 days to grant the patient’s request.
There are still limits to the information that patients can obtain, however. The HHS fact sheet specified psychotherapy notes, information to be used in a criminal or civil legal proceeding, and patient safety activity records as examples of information that is excluded from designated record sets, meaning that this information doesn’t have to be offered up to patients.
In the FAQ portion of its update, HHS addressed whether an individual’s ability to access old patient health information ever expires, if patients can be denied certain health information and whether PHI held by a covered entity’s business associate must also be disclosed to inquiring individuals. The answers to all of the questions are tilted in favor of patient access.