Written by: Joanne Byron, BS, LPN, CCA, CHA, CHCO, CHBS, CHCM, CIFHA, CMDP, COCAS, CORCM, OHCC, ICDCT-CM/PCS
The article addresses the HIPAA Privacy Rule for Covered Entities regarding time limitations to respond to an individual’s request for access of protected health information or “PHI.” This article is not all inclusive and should not be used as legal or consulting advice. Scroll down for hyperlinks to free and low-cost training related to Right of Access & ROI.
What Is HIPAA Right of Access?
The HIPAA Privacy Rule generally provides individuals with a legal, enforceable right to see and receive copies, upon request, of the information in their medical and other health records maintained by their health care providers and health plans. This right is known as the HIPAA Right of Access.
HIPAA Right of Access policies have evolved over the years to ensure that patients have equitable access to their medical records. HIPAA requires covered entities to provide patients with access to their medical records. The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted in 2009, helped right of access policies evolve to reflect the growing use of EHR systems.
HIPAA compliance it monitored by the Health & Human Services (HHS) enforcement agency, the Office for Civil Rights (OCR). The Office for Civil Rights is responsible for enforcing the Privacy and Security Rules. Enforcement of the Privacy Rule began April 14, 2003, for most HIPAA covered entities. Since 2003, OCR's enforcement activities have obtained significant results that have improved the privacy practices of covered entities. OCR also works in conjunction with the Department of Justice (DOJ) to refer possible criminal violations of HIPAA.
In 2019, the OCR launched the HIPAA Right of Access Initiative to advocate for individuals trying to obtain their health records in a timely manner at a reasonable cost as required by covered entities in the HIPAA Privacy Rule.
Complying With the HIPAA Privacy Right of Access Rule
If your organization is not responding timely to requests for medical records, a complaint to the Office for Civil Rights can trigger an investigation resulting in fines and other consequences, such as being posted on the OCR HIPAA website and a forced Corrective Action Plan.
A dedicated government webpage lists HIPAA News Releases & Bulletins listing OCR cases after investigating organizations which includes Right of Access settlements. Click Here to access this page. https://www.hhs.gov/hipaa/newsroom/index.html
The July 15, 2022, Health & Human Services (HHS) Press Release announces the resolution of eleven investigations and the enforcement actions taken with these eleven organizations related to violations of patient’s rights under HIPAA. In this press release the OCR Director Lisa J. Pino states:
“It should not take a federal investigation before a HIPAA covered entity provides patients, or their personal representatives, with access to their medical records. Health care organizations should take note that there are now 38 enforcement actions in our Right of Access Initiative and understand that OCR is serious about upholding the law and peoples’ fundamental right to timely access to their medical records.”
So, how timely must a covered entity be in responding to individuals’ requests for access to their PHI?
This is addressed under 45 CFR 164.524(b)(2) of the HIPAA Privacy Rule regarding access of individuals to protected health information (PHI). Under the HIPAA Privacy Rule, a covered entity must act on an individual’s request for access no later than 30 calendar days after receipt of the request.
If the covered entity is not able to act within this timeframe, the entity may have up to an additional 30 calendar days as long as it provides the individual, within that initial 30-day period, a written statement of the reasons for the delay and date when the entity will complete its action on the request. The 30-day timeline applies regardless of the following circumstances:
- The PHI that is the subject of the request is maintained by the covered entity or by a business associate on behalf of the covered entity, or the covered entity uses a business associate to fulfill individual requests for access.
o The 30-day clock starts on the date that the covered entity receives a request for access, so any delay in obtaining the necessary information from a business associate or forwarding the request to the business associate for action “uses up” part of the allotted time.
o Alternatively, the 30-day clock starts when, instead of the covered entity, a business associate receives a request directly from an individual because the covered entity instructed the individual through its notice of privacy practices (or otherwise) to submit the access request directly to its business associate for processing.
- The covered entity negotiates with the individual on the format of the response. Covered entities that spend significant time before reaching agreement with individuals on format are depleting the 30 days allotted for the response by that amount of time.
- The PHI that is the subject of the request is old, archived, and/or not otherwise readily accessible.
As noted by OCR, these timelines are outer limits. The government expects that covered entities should be able to respond to requests for access well before these outer limits are reached. However, in cases where a covered entity is aware that an access request may take close to these outer time limits to fulfill, the entity is encouraged to provide the requested information in pieces as it becomes available, if the individual indicates a desire to receive the information in this manner.
Resources to Comply With ROI and Right of Access
Learn more about 45 CFR § 164.524 - Access of individuals to protected health information. Free and reasonably priced training for you and your workforce is listed below:
Right of Access Specialist - Online Course
AIHC HIPAA Compliance Training Videos Free
Legal Information Institute (Cornell Law School) Free
HIPAA Online Privacy Course (Earn 12 AIHC and AHIMA CEUs)