OCR Issues New Guidance on Patient Data Access

Healthcare providers should be aware that patients are permitted access to their medical records under HIPAA rules; however, not all patients are aware of their legal rights. Not only are patient data access rights under HIPAA not well understood, many patients who have attempted to access their medical records have faced problems.

There is also a misconception that HIPAA – specifically the HIPAA Privacy Rule – prevents healthcare providers from disclosing medical records. While it is true when it comes to disclosing Protected Health Information (PHI) of patients to individuals unauthorized to view that information, HIPAA does allow patients to access their own records. In fact, any healthcare provider who fails to allow patients to access their medical records could be fined.

OCR Issues Guidance on Patient Data Access Rights Under HIPAA


The Department of Health and Human Services’ Office for Civil Rights has started the year with the launch of a brand new website interface, and has now followed up on previous promises by issuing new guidance on HIPAA. This is the first in what is hoped to be a regular series of new guidance, which tackles the issue of patient data access rights under HIPAA. The guidance is aimed not at healthcare providers and health insurers, but patients.

According to OCR Director, Jocelyn Samuels, “Far too often individuals face obstacles to accessing their health information, even from entities required to comply with the HIPAA Privacy Rule…This must change.”

The guidance, which takes the form of a Q&A, clarifies what information can be obtained by patients, including information about charges that can be applied by HIPAA-covered entities for providing copies of medical data.

Patient Data Access Rights Under HIPAA


Patients are permitted to view the information that has been recorded by HIPAA-covered entities, and the HIPAA Privacy Rule allows the release of health information to patients or their nominated representative in “designated record sets.” Patients are also permitted to obtain a copy of that information.

Patients can request that their healthcare provider transmit their PHI to another person or entity, such as a nominated representative or another healthcare provider. It does not matter whether the information has been recorded electronically or is on paper or images (x-rays, for example). Copies must be provided on request. Covered entities are permitted to charge patients for providing that information, but only an amount to cover the actual costs of providing the data, not including the time it has taken to prepare copies.

New Guidance Welcomed by Patient Advocates


Patient advocates have welcomed the new OCR guidance. Get My Health Data campaign coordinator, Christine Bechtel, said “When all patients can get and use their health data electronically, they will be able to more fully engage in their health and care.” Lynne Thomas Gordon, CEO of the American Health Information Management Association, hopes that the new guidance will benefit patients in other ways, and will “encourage providers to offer the first copy of health information to the patient at minimal or no charge.”

Under current rules, healthcare providers are required to provide access to PHI (or copies) on request, but have up to 30 days in order to provide the information. Since most healthcare providers now store PHI in electronic format, it therefore should be possible for access to data to be provided rapidly. It is hoped that healthcare providers will make reasonable attempts to provide data access quickly, and will not use the 30-day maximum time limit and unnecessarily delay the provision of PHI to patients.

The new guidance can be found on the following link: http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.