The Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR) this past week published guidance on individuals’ right to their protected health information (PHI) under the Privacy Rule provision of the Health Insurance Portability and Accountability Act (HIPAA).

The guidance was issued in response to complaints the agencies have received over the years about consumer requests for PHI and other medical-related information going unanswered or even being charged for.

“Unfortunately, based on recent studies and our own enforcement experience, far too often individuals face obstacles to accessing their health information, even from entities required to comply with the HIPAA Privacy Rule,” Jocelyn Samuels, HHS director of the Office for Civil Rights, wrote. “This must change.”

The guidance says, in part:

The Privacy Rule generally requires HIPAA covered entities (health plans and most health care providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice. Individuals have a right to access this PHI for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated (e.g., whether the covered entity, another provider, the patient, etc.).

Individuals have a right to access PHI in a “designated record set.” A “designated record set” is defined at 45 CFR 164.501 as a group of records maintained by or for a covered entity that comprises the:

  • Medical records and billing records about individuals maintained by or for a covered health care provider;
  • Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
  • Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. This last category includes records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.

The term “record” means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity.

The full guidance, along with FAQs, can be accessed here: “Individuals’ Right Under HIPAA.”