OCR Clarifies Patients’ Access Rights to PHI and Allowable Charges

The Health Insurance Portability and Accountability Act’s Privacy Rule gives healthcare patients the right to obtain a copy of their personal health information from their healthcare providers. (45 CFR § 164.524)

While HIPAA-covered entities should be aware of this aspect of the Privacy Rule, many patients have experienced difficulty obtaining a copy of their records. In some cases, patients have obtained a copy of their records but felt that they have not been provided with all information contained in their records. Some feel they have been unfairly charged for exercising their access rights.

To address these and other issues, the Department of Health and Human Services’ Office for Civil Rights produced a fact sheet in January to clarify the responsibilities of HIPAA covered entities to comply with this aspect of the Privacy Rule.

The new guidance explained the general right of patients to obtain a copy of their health records, to inspect their records, or have a copy of those records sent to a nominated individual of their choosing.

Provided that the healthcare provider maintains the records, a copy should be provided on request even if the records were not actually created by the covered entity or one of its business associates. The guidance explained that health information should be provided in a designated record set within 30 days of the request being made.

The guidance also explained that covered entities were permitted to ask for requests in writing, provided patients had previously been notified of this requirement, and that the covered entity must take reasonable steps to verify the identity of the individual requesting the information. It also explained when it was allowable to deny requests and the types of information that should not be provided.

Last week, OCR augmented January’s guidance by adding a new set of FAQs. The guidance issued in January was intended to help remove some of the obstacles that are preventing individuals from exercising their right to access their health records. February’s additions are intended “to make this HIPAA right more of a reality.”

Allowable Charges for Providing Copies of PHI Explained by OCR


The new FAQs explain in detail the allowable fees that can be charged for providing a copy of health records to patients.

OCR confirmed that patients are only permitted to be charged “a reasonable, cost-based fee for the labor and supplies associated with making the copy, whether on paper or in electronic form.” Patients cannot be charged for the time it takes covered entities to locate records, or for retrieving records out of storage.

There has been some confusion over exactly what can be charged, and the definition of labor costs. OCR has confirmed that labor costs can only be charged for “creating and delivering the electronic or paper copy in the form and format requested or agreed upon by the individual, once the PHI that is responsive to the request has been identified, retrieved or collected, compiled and/or collated, and is ready to be copied.”

Labor costs can, however, be included if a healthcare provider is required to prepare a summary of PHI, but only if the patient chooses to have a PHI summary, has been advised of the cost of providing that summary, and has agreed to cover that cost in advance.

OCR Confirms Right to Have A Copy of PHI Sent to A Third Party


OCR has also clarified that patients have the right to have a copy of their PHI sent to a third party of their choosing. Various different scenarios are discussed in the new FAQs, including where liability lies in the event that PHI is accidentally exposed in transit when covered entities are complying with a request to provide a patient with a copy of his or her PHI.

If a covered entity has been requested to send PHI to a patient via an unsecure channel such as unencrypted email, the covered entity would not be liable if those data were intercepted in transit. Also, once health information has been provided to a patient, the covered entity is no longer responsible if the copy of PHI is exposed or obtained by a third party.

While the new FAQs clearly explain the requirements of covered entities and individuals’ right under HIPAA to access their health information, the guidance has been written for healthcare providers. OCR will be working on producing more consumer-friendly and easily accessible resources for patients.

The full guidance can be accessed on the following link: http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html

The newly released FAQs can be accessed here.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.