HIPAA Privacy Regulations: Access of Individuals to Protected Health Information: Requests for Access and Timely Action - § 164.524(b)

As Contained in the HHS HIPAA Privacy Rules

HHS Guidance: Individual's Right to Access Health Information

 

HHS Regulations as Amended January 2013
Access of Individuals to Protected Health Information: Requests for Access and Timely Action - § 164.524(b)

 

(b) Implementation specifications: Requests for access and timely action—(1) Individual's request for access. The covered entity must permit an individual to request access to inspect or to obtain a copy of the protected health information about the individual that is maintained in a designated record set. The covered entity may require individuals to make requests for access in writing, provided that it informs individuals of such a requirement.

(2) Timely action by the covered entity. (i) Except as provided in paragraph (b)(2)(ii) of this section, the covered entity must act on a request for access no later than 30 days after receipt of the request as follows.

(A) If the covered entity grants the request, in whole or in part, it must inform the individual of the acceptance of the request and provide the access requested, in accordance with paragraph (c) of this section.

(B) If the covered entity denies the request, in whole or in part, it must provide the individual with a written denial, in accordance with paragraph (d) of this section.

(ii) If the covered entity is unable to take an action required by paragraph (b)(2)(i)(A) or (B) of this section within the time required by paragraph (b)(2)(i) of this section, as applicable, the covered entity may extend the time for such actions by no more than 30 days, provided that:

(A) The covered entity, within the time limit set by paragraph (b)(2)(i) of this section, as applicable, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request; and

(B) The covered entity may have only one such extension of time for action on a request for access.

 

HHS Description and Commentary From the January 2013 Amendments
Access of Individuals to Protected Health Information: Requests for Access and Timely Action

 

Timeliness

Proposed Rule

We requested comment on one aspect of the right to access and obtain a copy of protected health information which the HITECH Act did not amend. In particular, the HITECH Act did not change the timeliness requirements for provision of access at § 164.524(b). Under the current requirements, a request for access must be approved or denied, and if approved, access or a copy of the information provided, within 30 days of the request. In cases where the records requested are only accessible from an off-site location, the covered entity has an additional 30 days to respond to the request. In extenuating circumstances where access cannot be provided within these timeframes, the covered entity may have a one-time 30-day extension if the individual is notified of the need for the extension within the original timeframes.

With regard to the timeliness of the provision of access, we recognized that with the advance of EHRs, there is an increasing expectation and capacity to provide individuals with almost instantaneous electronic access to the protected health information in those records through personal health records or similar electronic means.

On the other hand, we did not propose to limit the right to electronic access of protected health information to certified EHRs, and the variety of electronic systems that are subject to this proposed requirement would not all be able to comply with a timeliness standard based on personal health record capabilities. It was our assumption that a single timeliness standard that would address a variety of electronic systems, rather than having a multitude of standards based on system capacity, would be the preferred approach to avoid workability issues for covered entities. Even under a single standard, nothing would prevent users of EHR systems from exceeding the Privacy Rule’s timeliness requirements for providing access to individuals. Additionally, the Medicare and Medicaid EHR Incentive Programs (the “meaningful use” programs) require users of Certified EHR Technology to provide individuals with expedited access to information.

Based on the assumption that a single standard would be the preferred approach under the Privacy Rule, we requested public comment on an appropriate, common timeliness standard for the provision of access by covered entities with electronic designated record sets generally. We specifically requested comment on aspects of existing systems that would create efficiencies in processing of requests for electronic information, as well as those aspects of electronic systems that would provide little change from the time required for processing a paper record. Alternatively, we requested comment on whether the current standard could be altered for all systems, paper and electronic, such that all requests for access should be responded to without unreasonable delay and not later than 30 days.

We also requested public comment on whether, contrary to our assumption, a variety of timeliness standards based on the type of electronic designated record set is the preferred approach and if so, how such an approach should be implemented. Finally, we requested comment on the time necessary for covered entities to review access requests and make necessary determinations, such as whether the granting of access would endanger the individual or other persons so as to better understand how the time needed for these reviews relates to the overall time needed to provide the individual with access. Further, we requested comment generally on whether the provision which allows a covered entity an additional 30 days to provide access to the individual if the protected health information is maintained off-site should be eliminated altogether for both paper and electronic records, or at least for protected health information maintained or archived electronically because the physical location of electronic data storage is not relevant to its accessibility.

Overview of Public Comments

Commenters generally supported maintaining the same timeframe for response for both paper and electronic records and not modifying the existing timeframes for response. Commenters espoused many rationales for maintaining a single standard and the existing response standards, including that off-site electronic storage with back-up tapes will require time to obtain the electronic media, multiple electronic systems may need to be accessed, some systems may not have data stored in useable formats requiring time to convert data, and time may be required to obtain data from business associates and subcontractors.

Some commenters acknowledged that electronic records may be easier to access, but review of records and verification processes would still require time that cannot be shortcut because a record is electronic. One commenter acknowledged that shorter times may be achievable when specific data set standards are established and covered entities have electronic records in place. One commenter believed that electronic records could be furnished in a much shorter timeframe, such as two business days.

Several commenters suggested responses be done in much shorter timeframes, such as instantly, within one day or three days. One commenter noted that meaningful use standards required access within three days for 50 percent of patients. These commenters suggested alternative timeframes for adoption, such as allowing 60 days for response due to off-site storage issues and potential for multiple requests. One commenter suggested 30 and 60 day times were unworkable and another commenter suggested eliminating the 30 day extension for off-site record storage. One commenter suggested 30 days may be longer than is necessary, but cautioned against mandates that would unreasonably divert provider resources (e.g., five days would be unreasonable when a provider must take time to include explanatory notes).

Final Rule

The final rule modifies the timeliness requirements for right to access and to obtain a copy of protected health information at § 164.524(b). We remove the provision at § 164.524(b)(2)(ii) that permits 60 days for timely action when protected health information for access is not maintained or accessible to the covered entity on-site. We retain and renumber as necessary the provision at § 164.524(b)(2)(iii) that permits a covered entity a one-time extension of 30 days to respond to the individual’s request (with written notice to the individual of the reasons for delay and the expected date by which the entity will complete action on the request).

We believe the 30 day timeframe for access is appropriate and achievable by covered entities given the increasing expectation and capacity to provide individuals with almost instantaneous electronic access to the protected health information in those records through personal health records or similar electronic means. While a covered entity is permitted 30 days to provide access (with a 30-day extension when necessary), we encourage covered entities to provide individuals with access to their information sooner, and to take advantage of technologies that provide individuals with immediate access to their health information. Nevertheless, for covered entities that continue to make use of off-site storage or have additional time constraints to providing access, the 30 day extension remains available for a covered entity to exercise. This means, for example, that a covered entity must provide an individual with access to off-site records within 30 days of the individual’s request when possible, with a 30-day extension available (for a total of 60 days, in contrast to the current law that permits up to 90 days to provide the individual with access to such records).

We decline to establish separate timeframes for timely access based upon whether the protected health information to be accessed is paper or electronic. Commenters generally supported adoption of a single standard rather than differing standards based upon whether a record is paper or electronic and no comments provided compelling reasons to establish differing standards.

Response to Other Public Comments

Comment: One commenter asked for clarification as to when the time period for responding to a response begins if the parties spend significant time attempting to reach agreement on the format of the electronic copy.

Response: We confirm that the time period for responding to a request for access begins on the date of the request. Covered entities that spend significant time before reaching agreement on the electronic format for a response are using part of the 30 days permitted for response.

 

HHS Description From the Original Rulemaking
Access of Individuals to Protected Health Information: Requests for Access and Timely Action

 

In the NPRM, we proposed to require covered health care providers and health plans to provide a means for individuals to request access to protected health information about them. We proposed to require covered health care providers and health plans to take action on a request for access as soon as possible, but not later than 30 days following the request.

As in the proposed rule, the final rule requires covered entities to permit an individual to request access to inspect or to obtain a copy of the protected health information about the individual that is maintained in a designated record set. We additionally permit covered entities to require individuals to make requests for access in writing, if the individual is informed of this requirement.

In the final rule, we eliminate the requirement for the covered entity to act on a request as soon as possible. We recognize that circumstances may arise in which an individual will request access on an expedited basis. We encourage covered entities to have procedures in place for handling such requests. The time limitation is intended to be an outside deadline, rather than an expectation.

In the final rule, covered entities must act on a request for access within 30 days of receiving the request if the information is maintained or accessible on-site. Covered entities must act on a request for access within 60 days of receiving the request if the information is not maintained or accessible on-site. If the covered entity is unable to act on a request within the applicable deadline, it may extend the deadline by no more than 30 days by providing the individual with a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request. This written statement describing the extension must be provided within the standard deadline. A covered entity may only extend the deadline once per request for access. This provision permits a covered entity to take a total of up to 60 days to act on a request for access to information maintained on-site and up to 90 days to act on a request for access to information maintained off-site.

The requirements for a covered entity to comply with or deny a request for access, in whole or in part, are described below.

 

HHS Response to Comments Received From the Original Rulemaking
Access of Individuals to Protected Health Information: Requests for Access and Timely Action

 

Note: The HHS Response to Comments Received is the same as in § 164.524(a)

Comment: Some commenters recommended that there be no access to disease registries.

Response: Most entities that maintain disease registries are not covered entities under this regulation; examples of such non-covered entities are public health agencies and pharmaceutical companies. If, however, a disease registry is maintained by a covered entity and is used to make decisions about individuals, this rule requires the covered entity to provide access to information about a requesting individual unless one of the rule’s conditions for denial of access is met. We found no persuasive reasons why disease registries should be given special treatment compared with other information that may be used to make decisions about an individual.

Comment: Some commenters stated that covered entities should be held accountable for access to information held by business partners so that individuals would not have the burden of tracking down their protected health information from a business partner. Many commenters, including insurers and academic medical centers, recommended that, to reduce burden and duplication, only the provider who created the protected health information should be required to provide individuals access to the information. Commenters also asked that other entities, including business associates, the Medicare program, and pharmacy benefit managers, not be required to provide access, in part because they do not know what information the covered entity already has and they may not have all the information requested. A few commenters also argued that billing companies should not have to provide access because they have a fiduciary responsibility to their physician clients to maintain the confidentiality of records.

Response: A general principle in responding to all of these points is that a covered entity is required to provide access to protected health information in accordance with the rule regardless of whether the covered entity created such information or not. Thus, we agree with the first point: in order to meet its requirements for providing access, a covered entity must not only provide access to such protected health information it holds, but must also provide access to such information in a designated record set of its business associate, pursuant to its business associate contract, unless the information is the same as information maintained directly by the covered entity. We require this because an individual may not be aware of business associate relationships. Requiring an individual to track down protected health information held by a business associate would significantly limit access. In addition, we do not permit a covered entity to limit its duty to provide access by giving protected health information to a business associate.

We disagree with the second point: if the individual directs an access request to a covered entity that has the protected health information requested, the covered entity must provide access (unless it may deny access in accordance with this rule). In order to assure that an individual can exercise his or her access rights, we do not require the individual to make a separate request to each originating provider. The originating provider may no longer be in business or may no longer have the information, or the non-originating provider may have the information in a modified or enhanced form.

We disagree with the third point: other entities must provide access only if they are covered entities or business associates of covered entities, and they must provide access only to protected health information that they maintain (or that their business associates maintain). It would not be efficient to require a covered entity to compare another entity’s information with that of the entity to which the request was addressed. (See the discussion regarding covered entities for information about whether a pharmacy benefit manager is a covered entity.)

We disagree with the fourth point: a billing company will be required by its business associate contract only to provide the requested protected health information to its physician client. This action will not violate any fiduciary responsibility. The physician client would in turn be required by the rule to provide access to the individual.

Comment: Some commenters asked for clarification that the clearinghouse function of turning non-standardized data into standardized data does not create non-duplicative data and that “duplicate” does not mean “identical.” A few commenters suggested that duplicated information in a covered entity’s designated record set be supplied only once per request.

Response: We consider as duplicative information the same information in different formats, media, or presentations, or which have been standardized. Business associates who have materially altered protected health information are obligated to provide individuals access to it. Summary information and reports, including those of lab results, are not the same as the underlying information on which the summaries or reports were based. A clean document is not a duplicate of the same document with notations. If the same information is kept in more than one location, the covered entity has to produce the information only once per request for access.

Comment: A few commenters suggested requiring covered entities to disclose to third parties without exception at the requests of individuals. It was argued that this would facilitate disability determinations when third parties need information to evaluate individuals’ entitlement to benefits. Commenters argued that since covered entities may deny access to individuals under certain circumstances, individuals must have another method of providing third parties with their protected health information.

Response: We allow covered entities to forward protected health information about an individual to a third party, pursuant to the individual’s authorization under § 164.508. We do not require covered entities to disclose information pursuant to such authorizations because the focus of the rule is privacy of protected health information. Requiring disclosures in all circumstances would be counter to this goal. In addition, a requirement of disclosing protected health information to a third party is not a necessary substitute for the right of access to individuals, because we allow denial of access to individuals under rare circumstances. However, if the third party is a personal representative of the individual in accordance with § 164.502(g) and there is no concern regarding abuse or harm to the individual or another person, we require the covered entity to provide access to that third party on the individual’s behalf, subject to specific limitations. We note that a personal representative may obtain access on the individual’s behalf in some cases where a covered entity may deny access to the individual. For example, an inmate may be denied a copy of protected health information, but a personal representative may be able to obtain a copy on the individual’s behalf. See § 164.502(g) and the corresponding preamble discussion regarding the ability of a personal representative to act on an individual’s behalf.

Comment: The majority of commenters supported granting individuals the right to access protected health information for as long as the covered entity maintains the protected health information; commenters argued that to do otherwise would interfere with existing record retention laws. Some commenters advocated for limiting the right to information that is less than one or two years old. A few commenters explained that frequent changes in technology make it more difficult to access stored data. The commenters noted that the information obtained prior to the effective date of the rule should not be required to be accessible.

Response: We agree with the majority of commenters and retain the proposal to require covered entities to provide access for as long as the entity maintains the protected health information. We do not agree that information created prior to the effective date of the rule should not be accessible. The reasons for granting individuals access to information about them do not vary with the date the information was created.

Comment: A few commenters argued that there should be no grounds for denying access, stating that individuals should always have the right to inspect and copy their protected health information.

Response: While we agree that in the vast majority of instances individuals should have access to information about them, we cannot agree that a blanket rule would be appropriate. For example, where a professional familiar with the particular circumstances believes that providing such access is likely to endanger a person’s life or physical safety, or where granting such access would violate the privacy of other individuals, the benefits of allowing access may not outweigh the harm. Similarly, we allow denial of access where disclosure would reveal the source of confidential information because we do not want to interfere with a covered entity’s ability to maintain implicit or explicit promises of confidence.

We create narrow exceptions to the rule of open access, and we expect covered entities to employ these exceptions rarely, if at all. Moreover, we require covered entities to provide access to any protected health information requested after excluding only the information that is subject to a denial. The categories of permissible denials are not mandatory, but are a means of preserving the flexibility and judgment of covered entities under appropriate circumstances.

Comment: Many commenters supported our proposal to allow covered entities to deny an individual access to protected health information if a professional determines either that such access is likely to endanger the life or physical safety of a person or, if the information is about another person, access is reasonably likely to cause substantial harm to such person.

Some commenters requested that the rule also permit covered entities to deny a request if access might be reasonably likely to cause psychological or mental harm, or emotional distress. Other commenters, however, were particularly concerned about access to mental health information, stating that the lack of access creates resentment and distrust in patients.

Response: We disagree with the comments suggesting that we expand the grounds for denial of access to an individual to include a likelihood of psychological or mental harm of the individual. We did not find persuasive evidence that this is a problem sufficient to outweigh the reasons for providing open access. We do allow a denial for access based on a likelihood of substantial psychological or mental harm, but only if the protected health information includes information about another person and the harm may be inflicted on such other person or if the person requesting the access is a personal representative of the individual and the harm may be inflicted on the individual or another person.

We generally agree with the commenters’ concerns that denying access specifically to mental health records could create distrust. To balance this concern with other commenters’ concerns about the potential for psychological harm, however, we exclude psychotherapy notes from the right of access. This is the only distinction we make between mental health information and other types of protected health information in the access provisions of this rule. Unlike other types of protected health information, these notes are not widely disseminated through the health care system. We believe that the individual’s privacy interests in having access to these notes, therefore, are outweighed by the potential harm caused by such access. We encourage covered entities that maintain psychotherapy notes, however, to provide individuals access to these notes when they believe it is appropriate to do so.

Comment: Some commenters believed that there is a potential for abuse of the provision allowing denial of access because of likely harm to self. They questioned whether there is any experience from the Privacy Act of 1974 to suggest that patients who requested and received their records have ever endangered themselves as a result.

Response: We are unaware of such problems from access to records that have been provided under the Privacy Act but, since these are private matters, such problems might not come to our attention. We believe it is more prudent to preserve the flexibility and judgment of health care professionals familiar with the individuals and facts surrounding a request for records than to impose the blanket rule suggested by these commenters.

Comment: Commenters asserted that the NPRM did not adequately protect vulnerable individuals who depend on others to exercise their rights under the rule. They requested that the rule permit a covered entity to deny access when the information is requested by someone other than the subject of the information and, in the opinion of a licensed health care professional, access to the information could harm the individual or another person.

Response: We agree with the commenters that such protection is warranted and add a provision in § 164.524(a)(3), which permits a covered health care provider to deny access if a personal representative of the individual is making the request for access and a licensed health care professional has determined, in the exercise of professional judgment, that providing access to such personal representative could result in substantial harm to the individual or another person. Access can be denied even if the potential harm may be inflicted by someone other than the personal representative.

This provision is designed to strike a balance between the competing interests of ensuring access to protected health information and protecting the individual or others from harm. The “substantial harm” standard will ensure that a covered entity cannot deny access in cases where the harm is de minimis.

The amount of discretion that a covered entity has to deny access to a personal representative is generally greater than the amount of discretion that a covered entity has to deny access to an individual. Under the final rule, a covered entity may deny access to an individual if a licensed health care professional determines that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person. In this case, concerns about psychological or emotional harm would not be sufficient to justify denial of access. We establish a relatively high threshold because we want to assure that individuals have broad access to health information about them, and due to the potential harm that comes from denial of access, we believe denials should be permitted only in limited circumstances.

The final rule grants covered entities greater discretion to deny access to a personal representative than to an individual in order to provide protection to those vulnerable people who depend on others to exercise their rights under the rule and who may be subjected to abuse or neglect. This provision applies to personal representatives of minors as well as other individuals. The same standard for denial of access on the basis of potential harm that applies to personal representatives also applies when an individual is seeking access to his or her protected health information, and the information makes reference to another person. Under these circumstances, a covered entity may deny a request for access if such access is reasonably likely to cause substantial harm to such other person. The standard for this provision and for the provision regarding access by personal representatives is the same because both circumstances involve one person obtaining information about another person, and in both cases the covered entity is balancing the right of access of one person against the right of a second person not to be harmed by the disclosure.

Under any of these grounds for denial of access to protected health information, the covered entity is not required to deny access to a personal representative under these circumstances, but has the discretion to do so.

In addition to denial of access rights, we also address the concerns raised by abusive or potentially abusive situations in the section regarding personal representatives by giving covered entities discretion to not recognize a person as a personal representative of an individual if the covered entity has a reasonable belief that the individual has been subjected to domestic violence, abuse, or neglect by or would be in danger from a person seeking to act as the personal representative. (See § 164.502(g))

Comment: A number of commenters were concerned that this provision would lead to liability for covered entities if the release of information results in harm to individuals. Commenters requested a “good faith” standard in this provision to relieve covered entities of liability if individuals suffer harm as a result of seeing their protected health information or if the information is found to be erroneous. A few commenters suggested requiring providers (when applicable) to include with any disclosure to a third party a statement that, in the provider’s opinion, the information should not be disclosed to the patient.

Response: We do not intend to create a new duty to withhold information nor to affect other laws on this issue. Some state laws include policies similar to this rule, and we are not aware of liability arising as a result.

Comment: Some commenters suggested that both the individual’s health care professional and a second professional in the relevant field of medicine should review each request. Many commenters suggested that individuals have a right to have an independent review of any denial of access, e.g., review by a health care professional of the individual’s choice.

Response: We agree with the commenters who suggest that denial on grounds of harm to self or others should be determined by a health professional, and retain this requirement in the final rule. We disagree, however, that all denials should be reviewed by a professional of the individual’s choice. We are concerned that the burden such a requirement would place on covered entities would be significantly greater than any benefits to the individual. We believe that any health professional, not just one of the individual’s choice, will exercise appropriate professional judgment. To address some of these concerns, however, we add a provision for the review of denials requiring the exercise of professional judgment. If a covered entity denies access based on harm to self or others, the individual has the right to have the denial reviewed by another health care professional who did not participate in the original decision to deny access.

Comment: A few commenters objected to the proposal to allow covered entities to deny a request for access to health information if the information was obtained from a confidential source that may be revealed upon the individual’s access. They argued that this could be subject to abuse and the information could be inherently less reliable, making the patient’s access to it even more important.

Response: While we acknowledge that information provided by confidential sources could be inaccurate, we are concerned that allowing unfettered access to such information could undermine the trust between a health care provider and patients other than the individual. We retain the proposed policy because we do not want to interfere with a covered entity’s ability to obtain important information that can assist in the provision of health care or to maintain implicit or explicit promises of confidence, which may be necessary to obtain such information. We believe the concerns raised about abuse are mitigated by the fact that the provision does not apply to promises of confidentiality made to a health care provider. We note that a covered entity may provide access to such information.

Comment: Some commenters were concerned that the NPRM did not allow access to information unrelated to treatment, and thus did not permit access to research information.

Response: In the final rule, we eliminate the proposed special provision for “research information unrelated to treatment.” The only restriction on access to research information in this rule applies where the individual agrees in advance to denial of access when consenting to participate in research that includes treatment. In this circumstance, the individual's right of access to protected health information created in the course of the research may be suspended for as long as the research is in progress, but access rights resume after such time. In other instances, we make no distinction between research information and other information in the access provisions in this rule.

Comment: A few commenters supported the proposed provision temporarily denying access to information obtained during a clinical trial if participants agreed to the denial of access when consenting to participate in the trial. Some commenters believed there should be no access to any research information. Other commenters believed denial should occur only if the trial would be compromised. Several recommended conditioning the provision. Some recommended that access expires upon completion of the trial unless there is a health risk. A few commenters suggested that access should be allowed only if it is included in the informed consent and that the informed consent should note that some information may not be released to the individual, particularly research information that has not yet been validated. Other commenters believed that there should be access if the research is not subject to IRB or privacy board review or if the information can be disclosed to third parties.

Response: We agree with the commenters that support temporary denial of access to information from research that includes treatment if the subject has agreed in advance, and with those who suggested that the denial of access expire upon completion of the research, and retain these provisions in the final rule. We disagree with the commenters who advocate for further denial of this information. These comments did not explain why an individual’s interest in access to health information used to make decisions about them is less compelling with respect to research information. Under this rule, all protected health information for research is subject either to privacy board or IRB review unless a specific authorization to use protected health information for research is obtained from the individual. Thus, this is not a criterion we can use to determine access rights.

Comment: A few commenters believed that it would be “extremely disruptive of and dangerous” to patients to have access to records regarding their current care and that state law provides sufficient protection of patients’ rights in this regard.

Response: We do not agree. Information about current care has immediate and direct impact on individuals. Where a health care professional familiar with the circumstances believes that it is reasonably likely that access to records would endanger the life or physical safety of the individual or another person, the regulation allows the professional to withhold access.

Comment: Several commenters requested clarification that a patient not be denied access to protected health information because of failure to pay a bill. A few commenters requested clarification that entities may not deny requests simply because producing the information would be too burdensome.

Response: We agree with these comments, and confirm that neither failure to pay a bill nor burden are lawful reasons to deny access under this rule. Covered entities may deny access only for the reasons provided in the rule.

Comment: Some commenters requested that the final rule not include detailed procedural requirements about how to respond to requests for access. Others made specific recommendations on the procedures for providing access, including requiring written requests, requiring specific requests instead of blanket requests, and limiting the frequency of requests. Commenters generally argued against requiring covered entities to acknowledge requests, except under certain circumstances, because of the potential burden on entities.

Response: We intend to provide sufficient procedural guidelines to ensure that individuals have access to their protected health information, while maintaining the flexibility for covered entities to implement policies and procedures that are appropriate to their needs and capabilities. We believe that a limit on the frequency of requests individuals may make would arbitrarily infringe on the individual’s right of access and have, therefore, not included such a limitation. To limit covered entities’ burden, we do not require covered entities to acknowledge receipt of the individuals’ requests, other than to notify the individual once a decision on the request has been made. We also permit a covered entity to require an individual to make a request for access in writing and to discuss a request with an individual to clarify which information the individual is actually requesting. If individuals agree, covered entities may provide access to a subset of information rather than all protected health information in a designated record set. We believe these changes provide covered entities with greater flexibility without compromising individuals’ access rights.

Comment: Commenters offered varying suggestions for required response time, ranging from 48 hours because of the convenience of electronic records to 60 days because of the potential burden. Others argued against a finite time period, suggesting the response time be based on mutual convenience of covered entities and individuals, reasonableness, and exigencies. Commenters also varied on suggested extension periods, from one 30-day extension to three 30-day extensions to one 90-day extension, with special provisions for off-site records.

Response: We are imposing a time limit because individuals are entitled to know when to expect a response. Timely access to protected health information is important because such information may be necessary for the individual to obtain additional health care services, insurance coverage, or disability benefits, and the covered entity may be the only source for such information. To provide additional flexibility, we eliminate the requirement that access be provided as soon as possible and we lengthen the deadline for access to off-site records. For on-site records, covered entities must act on a request within 30 days of receipt of the request. For off-site records, entities must complete action within 60 days. We also permit covered entities to extend the deadline by up to 30 days if they are unable to complete action on the request within the standard deadline. These time limits are intended to be an outside deadline rather than an expectation. We expect covered entities to be attentive to the circumstances surrounding each request and respond in an appropriate time frame.

Comment: A few commenters suggested that, upon individuals’ requests, covered entities should be required to provide protected health information in a format that would be understandable to a patient, including explanations of codes or abbreviations. The commenters suggested that covered entities be permitted to provide summaries of pertinent information instead of full copies of records; for example, a summary may be more helpful for the patient’s purpose than a series of indecipherable billing codes.

Response: We agree with these commenters’ point that some health information is difficult to interpret. We clarify, therefore, that the covered entity may provide summary information in lieu of the underlying records. A summary may only be provided if the covered entity and the individual agree, in advance, to the summary and to any fees imposed by the covered entity for providing such summary. We similarly permit a covered entity to provide an explanation of the information. If the covered entity charges a fee for providing an explanation, it must obtain the individual’s agreement to the fee in advance.

Comment: Though there were recommendations that fees be limited to the costs of copying, the majority of commenters on this topic requested that covered entities be able to charge a reasonable, cost-based fee. Commenters suggested that calculation of access costs involve factors such as labor costs for verification of requests, labor and software costs for logging of requests, labor costs for retrieval, labor costs for copying, expense costs for copying, capital cost for copying, expense costs for mailing, postal costs for mailing, billing and bad-debt expenses, and labor costs for refiling. Several commenters recommended specific fee structures.

Response: We agree that covered entities should be able to recoup their reasonable costs for copying of protected health information, and include such provision in the regulation. We are not specifying a set fee because copying costs could vary significantly depending on the size of the covered entity and the form of such copy (e.g., paper, electronic, film). Rather, covered entities are permitted to charge a reasonable, cost-based fee for copying (including the costs of supplies and labor), postage, and summary or explanation (if requested and agreed to by the individual) of information supplied. The rule limits the types of costs that may be imposed for providing access to protected health information, but does not preempt applicable state laws regarding specific allowable fees for such costs. The inclusion of a copying fee is not intended to impede the ability of individuals to copy their records.

Comment: Many commenters stated that if a covered entity denies a request for access because the entity does not hold the protected health information requested, the covered entity should provide, if known, the name and address of the entity that holds the information. Some of these commenters additionally noted that the Uniform Insurance Information and Patient Protection Act, adopted by 16 states, already imposes this notification requirement on insurance entities. Some commenters also suggested requiring providers who leave practice or move offices to inform individuals of that fact and of how to obtain their records.

Response: We agree that, when covered entities deny requests for access because they do not hold the protected health information requested, they should inform individuals of the holder of the information, if known; we include this provision in the final rule. We do not require health care providers to notify all patients when they move or leave practice, because the volume of such notifications would be unduly burdensome.

 
