HIPAA Right to Access: Essential Compliance for Medical Records

Are you fully compliant with the HIPAA Right to Access regulations? Learn how to avoid hefty penalties, meet critical timelines, and empower your patients with seamless access to their medical records. This article provides actionable insights and real-world cases to help hospital leaders stay ahead of compliance challenges.

Of all the headlines that HIPAA compliance garners, the attention-grabbers are usually cybersecurity incidents and data breaches. But a spate of recent settlements and civil monetary penalties, some reaching into the hundreds of thousands of dollars, highlights a separate area of concern for hospitals and facilities: the HIPAA Right of Access standard.

At its core, the HIPAA Right of Access provision requires that hospitals and provider groups grant individual patients, and their personal representatives, timely access to the patient's health information. That access must also be provided for no more than a "reasonable, cost-based fee," according to the Office for Civil Rights (OCR). The Right of Access standard is one of OCR's newer enforcement initiatives, launched in 2019 with the stated aim of improving the quality of healthcare by putting records in patients' hands.

Why the HIPAA Right to Access Matters

According to OCR Director Melanie Fontes Rainer, the agency receives "thousands of complaints each year" pertaining to the HIPAA Right of Access rule. "Access to medical records empowers patients and their families to make decisions about their health care and improve their health overall," Fontes Rainer said in a recent settlement announcement.

Recent penalties highlight the urgency for healthcare organizations to prioritize compliance. The Optum Medical Care settlement, for instance, marked the 46th enforcement action under the Right of Access initiative since OCR settled its first case in 2019: an $85,000 settlement with Bayfront Health St. Petersburg, reached only months after the agency launched the enforcement program earlier that year.

With the Right of Access provision a key compliance focus for OCR, hospital leaders must understand what the standard requires, confirm that their organizations' records-request processes actually meet it, and keep them in compliance over time. The sections below cover the provisions that matter most.

Key HIPAA Right to Access Provisions You Need to Know

Understand the “Designated Record Set.”

Under the Right of Access provision, patients hold a general right of access that hospitals and medical groups must honor. The Privacy Rule requires that, upon request, covered entities (CEs), such as health care providers and health plans, grant the patient access to the protected health information (PHI) held in the patient's "designated record set," a term with its own regulatory definition. For a provider CE, the designated record set consists of:

  • Medical records and billing records.
  • Other records that are used in the course of medical decision-making, such as clinical laboratory tests, medical images (e.g., X-rays), clinical case notes or disease management case files.

CEs must be able to produce every element of the designated record set on request, but they are "not, however, required to create new information, such as explanatory materials or analyses, that does not already exist," OCR explains.

Two categories of information are excluded from the right of access even when they sit in the designated record set: psychotherapy notes, and information compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action or proceeding.

Know the Right to Access Timelines.

Many of the penalties OCR has doled out under the Right of Access provision in recent years have rested on timeliness. OCR maintains a clear timeline: CEs must act on the request, by providing access or by denying it in writing, no later than 30 calendar days from the date of the request. A single 30-day extension is permitted, but only if the CE gives the patient written notice within the original 30 days stating the reason for the delay and the date by which access will be provided. Ideally, the request is met well before any deadline: "The 30 calendar days is an outer limit and covered entities are encouraged to respond as soon as possible," the OCR states.

Focus on Form and Format.

CEs must defer to the form and format the requestor identifies so long as that format is "readily producible." If the patient (or representative) requests a paper copy of PHI, the CE is expected to provide a paper copy even if it maintains the PHI electronically. If the patient (or representative) requests an electronic copy, OCR expects the CE to furnish an electronic copy even if it maintains only paper records, provided that an electronic copy is readily producible (for example, by scanning). When the specific electronic format requested is not readily producible, the CE must offer a readable electronic form and format that it and the patient agree on; a hard copy may be substituted only if the patient declines every electronic format the CE can offer.

Fees Are OK, But They Are Limited.

CEs are permitted to charge the patient (or representative) a "reasonable, cost-based fee," but that fee may cover only specific items: the labor involved in copying the PHI; the cost of supplies for a paper copy or for portable electronic media (such as a CD or USB drive) when the patient asks for the copy on that media; postage; and the preparation of an explanation or summary, if the patient agreed to receive one. The fee may not include the cost of searching for or retrieving the records, or the cost of maintaining the records system. For electronic copies of PHI that the CE maintains electronically, OCR permits a flat fee not exceeding $6.50. Alternatively, a CE may charge more than that if it bases the fee on its actual costs for the request or on a schedule of average costs for the permitted items.

Sharing with Third Parties and Personal Representatives.

OCR allows an individual's personal representative to request and receive PHI on the individual's behalf, and to direct that the PHI be transmitted to a third party. Generally speaking, a patient's personal representative is "a person with authority under state law to make health care decisions for the individual," according to OCR. Under the Privacy Rule, a parent is generally considered a minor child's personal representative, subject to exceptions where state law gives the minor authority over the care in question.

CEs must also comply with a patient's request to send PHI to a third party. "The same requirements for providing the PHI to the individual, such as the timeliness requirements, fee limitations, prohibition on imposing unreasonable measures, and form and format requirements, apply when an individual directs that the PHI be sent to another person or entity," OCR states. One caveat: in Ciox Health v. Azar (2020), a federal district court vacated the application of the Right of Access fee limits to third-party directives and limited the third-party directive itself to electronic PHI held in an electronic health record, so CEs should check OCR's current guidance on how fees and formats apply to those requests.

Staying in line with the Right of Access standard avoids costly penalties, but for hospital leaders it is also a core part of the mission: patients who can get their records promptly are better able to manage their own care.

To learn more about the Right to Access standards, view a series of FAQs and recent clarifications to the provision.