HIPAA Right to Access: Essential Compliance for Medical Records
Are you fully compliant with the HIPAA Right to Access regulations? Learn how to avoid hefty penalties, meet critical timelines, and empower your patients with seamless access to their medical records. This article provides actionable insights and real-world cases to help hospital leaders stay ahead of compliance challenges.
Of all the headlines that HIPAA compliance garners, the attention-grabbers are often cybersecurity and data breaches. But a spate of recent civil monetary penalties that have hit hospitals and facilities, reaching into the hundreds of thousands of dollars, highlights a separate area of concern: the HIPAA Right to Access standards.
At its core, the HIPAA Right to Access provision requires that hospitals and provider groups grant timely access to the health information of individual patients and their personal representatives. The delivery of the patient’s health information also must be provided at a “reasonable cost,” according to the Office for Civil Rights (OCR). The HIPAA Right to Access standard is one of OCR’s newer enforcement initiatives aimed at delivering quality improvement in healthcare.
What is a HIPAA Right to Access?
The HIPAA Right to Access is a provision under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule that ensures individuals can access their protected health information (PHI) held by covered entities like hospitals, clinics, and health plans.
Key components of the right to access HIPAA provision include:
- Timely Access: Records must be provided within 30 calendar days of the request.
- Reasonable Costs: Fees for copies must be limited to actual costs for labor, supplies, and postage.
- Format Options: Patients can request records in paper or electronic format, as long as the format is readily producible.
- Personal Representative Access: Authorized representatives can access or request records on a patient’s behalf.
This rule aims to empower patients to make informed decisions about their healthcare by ensuring transparency and accessibility.
Why the HIPAA Right to Access Matters
According to Office for Civil Rights (OCR) Director Melanie Fontes Rainer, the agency receives “thousands of complaints each year” pertaining to the HIPAA Right to Access rule. “Access to medical records empowers patients and their families to make decisions about their health care and improve their health overall,” Rainer said in a recent settlement announcement.
Recent penalties highlight the urgency for healthcare organizations to prioritize compliance. For instance:
- In its latest Report to Congress on HIPAA Privacy, Security and Breach Notification Rule Compliance, covering CY 2022, OCR cited more than 15 Right to Access resolution agreements and civil money penalties. That includes a $240,000 settlement with Memorial Hermann Health System, a 17-hospital system in Texas.
- Optum Medical Care settled for $160,000 in December 2023 for months-long delays in providing medical records.
The Optum Medical Care settlement marked the 46th enforcement action related to HIPAA Right to Access provisions since the OCR settled its first case in 2019, an $85,000 settlement with Bayfront Health St. Petersburg, which occurred after the agency launched its enforcement program earlier that year.
With HIPAA Right to Access provisions a key compliance focus for the OCR, hospital leaders must be fully aware of what the standard entails and how their organizations can stay in line with the related regulations, so that they remain in compliance with the provision and support the OCR’s aim of quality improvement in healthcare.
Key HIPAA Right to Access Provisions You Need to Know
Understand the “Designated Record Set.”
Under the Right to Access provision, patients possess general rights that hospitals and medical groups must comply with. The Privacy Rule requires that, upon request, covered entities (CEs), such as health care providers and health plans, grant access to the patient’s protected health information (PHI) in the form of a “designated record set,” which has its own set of definitions. By law, as it relates to a provider CE, the designated record set consists of:
- Medical records and billing records.
- Other records that are used in the course of medical decision-making, such as clinical laboratory tests, medical images (e.g., X-rays), clinical case notes or disease management case files.
While CEs are required to be able to share the various elements that make up the designated record set, they are “not, however, required to create new information, such as explanatory materials or analyses, that does not already exist,” OCR explains.
Two broad categories are excluded from HIPAA Right to Access medical record sharing: psychotherapy notes and any information that is being used or is anticipated to be used in a civil, criminal or administrative action.
Know the Right to Access Timelines.
Many of the penalties that OCR has doled out under the HIPAA Right to Access provision in recent years have rested on the timeliness factor. OCR maintains a clear timeline: CEs must provide access to the requested PHI no later than 30 calendar days from the date of the request. Ideally, the request would be met sooner: “The 30 calendar days is an outer limit and covered entities are encouraged to respond as soon as possible,” the OCR states.
Focus on Form and Format.
CEs must defer to the form and format that the requestor identifies so long as that format is “readily producible.” If the patient (or representative) requests a paper copy of PHI, the CE is expected to provide the PHI in a paper copy format, even if the CE maintains the PHI electronically. If the patient (or representative) requests an electronic copy, OCR expects the CE to furnish an electronic copy, even if the CE maintains only paper records (again, if it is “readily producible”). If it is not readily producible, the CE may provide a hard copy format.
Fees Are OK, But They Are Limited.
CEs are permitted to charge the patient (or representative) a “reasonable, cost-based fee,” but that fee is limited to specific tasks: the labor involved in copying the PHI; supplies used for creating an electronic copy; postage; and preparation of an explanation or summary, if requested. OCR permits CEs to charge a flat fee not to exceed $6.50 when sharing electronic PHI. Alternatively, CEs may charge more than that if the CE calculates its actual costs or uses a schedule of allowable costs.
Sharing with Third Parties and Personal Representatives.
OCR allows an individual’s personal representative to request and receive PHI and also to request a transmission of the PHI to third parties. Generally speaking, the patient’s personal representative is “a person with authority under state law to make health care decisions for the individual,” according to the OCR. Under the HIPAA Privacy Rule, a parent is considered a child’s personal representative.
CEs must also comply with requests to send PHI to a third party. “The same requirements for providing the PHI to the individual, such as the timeliness requirements, fee limitations, prohibition on imposing unreasonable measures, and form and format requirements, apply when an individual directs that the PHI be sent to another person or entity,” OCR states.
Avoiding costly penalties by staying in line with HIPAA Right to Access standards is critical for hospital leaders and a key component of their mission in achieving quality in healthcare.
To learn more about the Right to Access standards, view a series of FAQs and recent clarifications to the provision.