Final Rule for Standards for Privacy of Individually Identifiable Health Information. What the Rule Covers

Analysis by the AHIMA Policy and Government Relations Team

Access of Individuals to Protected Health Information

Standard: Access to PHI—Right of Access

The Rule states (§164.524) that "an individual has a right of access to inspect and obtain a copy of PHI about the individual in a designated record set, for as long as the PHI is maintained in the designated record set, except for:

  • Psychotherapy notes;
  • Information compiled in reasonable anticipation of, or for use in a civil, criminal, or administrative action or proceeding; and
  • PHI maintained by a covered entity that is subject to Clinical Laboratory Improvements Act (CLIA) amendments of 1988" to the extent that CLIA would prohibit an individual’s access to the information in question.

Unreviewable Grounds for Denial
"A covered entity may deny an individual access without providing the individual an opportunity for review, in the following circumstances:"

  • The PHI falls under one of the exceptions listed above.

  • "The covered entity that is a correctional institution or a covered health care provider acting under the direction of the correctional institution may deny, in whole or in part, an inmate’s request to obtain a copy of PHI, if obtaining such copy would jeopardize the health, safety, security, custody, or rehabilitation of the individual or other inmates, or the safety of any officer, employee, or other person at the correctional institution or responsible for the transporting of the inmate."

  • "An individual’s access to PHI created or obtained by a covered health care provider in the course of research that includes treatment may be temporarily suspended for as long as the research is in progress, provided that the individual has agreed to the denial of access when consenting to participate in the research that includes treatment, and the covered health care provider has informed the individual that the right of access will be reinstated upon completion of the research."

  • "An individual’s access to PHI that is contained in records that are subject to the Privacy Act, 5 U.S.C. 552a, may be denied, if the denial of access under the Privacy Act would meet the requirements of that law."

  • "An individual’s access may be denied if the PHI was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information."

Reviewable Grounds for Denial
"A covered entity may deny an individual access, provided that the individual is given a right to have such denial reviewed." "If access is denied on the ground[s] permitted [below] the individual has the right to have the denial reviewed by a licensed health care professional who is designated by the covered entity to act as a reviewing official and who did not participate in the original decision to deny. The covered entity must provide or deny access in accordance with the determination of this reviewing official."

A denial might occur under this part of the Rule when:

  • "A licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person;

  • The PHI makes reference to another person (unless such other person is a healthcare provider) and a licensed healthcare professional has determined in the exercise of professional judgment that the access requested is reasonably likely to cause substantial harm to such other person; or

  • The request for access is made by the individual’s personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person."

Specifications: Request for Access and Timely Action
"The covered entity must permit an individual to request access to inspect or to obtain a copy of the PHI about the individual that is maintained in a designated record set. The covered entity may require individuals to make requests for access in writing, provided that it informs individuals of such a requirement."

The Rule sets timelines for acting on a request for access. The covered entity must act on a request no later than 30 days after receipt of the request. "If the request for access is for PHI that is not maintained or accessible to the covered entity on-site, the covered entity must take an action by no later than 60 days from the receipt of such a request." The Rule reiterates that there is no permission for an extension beyond the 60 days (30 days initial plus 30 days extension) and requires that the covered entity must provide the "individual with a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request; and the covered entity may have only one such extension of time for action on a request for access."

Specifications: Provision of Access
If the covered entity grants the request, in whole or in part, it must inform the individual of the acceptance of the request and provide the access requested by:

  • Providing the Access Requested—"The covered entity must provide the access requested by individuals, including inspection or obtaining a copy, or both, of the PHI about them in designated record sets. If the same PHI that is the subject of a request for access is maintained in more than one designated record set or at more than one location, the covered entity need only produce the PHI once in response to a request for access."

  • Form of Access Requested—The covered entity:
    • "Must provide the individual with access to the PHI in the form or format requested by the individual, if it is readily producible in such form or format; or, if not, in a readable hard copy form or such other form or format as agreed to by the covered entity and the individual."
    • "May provide the individual with a summary of the PHI requested, in lieu of providing access to the PHI or may provide an explanation of the PHI to which access has been provided, if: (A) The individual agrees in advance to such a summary or explanation; and (B) The individual agrees in advance to the fees imposed, if any, by the covered entity for such summary or explanation."

  • Time and Manner of Access—"the covered entity must provide the access…including arranging with the individual for a convenient time and place to inspect or obtain a copy of the PHI, or mailing the copy of the PHI at the individual’s request. The covered entity may discuss the scope, format, and other aspects of the request for access with the individual as necessary to facilitate the timely provision of access."

  • Fees—"If the individual requests a copy of the PHI or agrees to a summary or explanation of such information, the covered entity may impose a reasonable cost-based fee, provided that the fee includes only the cost of:
    • Copying, including the cost of supplies for and labor of copying, the PHI requested by the individual;
    • Postage, when the individual has requested the copy, or the summary or explanation, be mailed; and
    • Preparing an explanation or summary of the PHI, if agreed to by the individual."

Specifications: Denial of Access
If the covered entity denies the request, in whole or in part, it must provide the individual with a timely written denial. "The denial must be in plain language and contain:

  • The basis for the denial;

  • If applicable, a statement of the individual’s review rights…, including a description of how the individual may exercise such review rights; and

  • A description of how the individual may complain to the covered entity pursuant to the Rule’s complaint procedures or to the Secretary…the description must include the name, or title, and telephone number of the contact person or office."

"If the covered entity does not maintain the PHI that is the subject of the individual’s request for access, and the covered entity knows where the requested information is maintained, the covered entity must inform the individual where to direct the request for access."

"If the individual has requested a review of a denial…the covered entity must designate a licensed health care professional, who was not directly involved in the denial to review the decision to deny access. The covered entity must promptly refer a request for review to such a designated reviewing official. The designated reviewing official must determine, within a reasonable period of time, whether or not to deny the access requested based on the standards" noted above. "The covered entity must promptly provide written notice to the individual of the determination of the designated reviewing official and take other actions…as required to carry out the designated reviewing official’s determination."

"A covered entity must document the following and retain the documentation, as required:

  • The designated record sets that are subject to access by individuals; and

  • The titles of the persons or offices responsible for receiving and processing requests for access by individuals."
