The HIPAA Privacy Rule grants patients or their personal representatives the right to receive, inspect and review their health information. To comply with the Privacy Rule, covered entities must follow the HIPAA medical records release rules when responding to a request to receive, inspect, or review protected health information (PHI). This article discusses what is required for a HIPAA compliant medical records request response.
The first step in providing a HIPAA compliant medical records request response is to determine that the request for medical records has been properly made.
Under HIPAA, an individual is permitted to inspect or obtain a copy of his or her PHI that is maintained in a designated record set. The covered entity must permit an individual to request access to inspect or to obtain a copy of the protected health information about the individual that is maintained in a designated record set.
A “designated record set” is defined at 45 CFR 164.501 as a group of records maintained by or for a covered entity that comprises the:
As part of the process of making a HIPAA compliant medical records request response, the covered entity may require individuals to make requests for access in writing, provided that it informs individuals of such a requirement. In addition, a covered entity may require individuals to use the entity’s own supplied form, provided the use of the form does not create a barrier to or unreasonably delay the individual from obtaining access to his or her PHI.
In addition, as part of a HIPAA compliant medical records request response, the Privacy Rule requires a covered entity to take reasonable steps to verify the identity of an individual making a request for access. The type and manner of the verification is left to the covered entity’s professional judgment. Verification may be done orally or in writing and, in many cases, the type of verification may depend on how the individual is requesting and/or receiving access: whether in person, by phone (if permitted by the covered entity), by faxing or emailing the request on the covered entity’s supplied form, by secure web portal, or by other means.
For example, if the covered entity requires that access requests be made on its own supplied form, the form could ask for basic information about the individual that would enable the covered entity to verify that the person requesting access is the subject of the information requested or is the individual’s personal representative. For those covered entities providing individuals with access to their PHI through web portals, those portals should already be set up with appropriate authentication controls, as required by the HIPAA Security Rule, to ensure that the person seeking access is the individual or the individual’s personal representative.
As part of a HIPAA compliant medical records request response, covered entities must respond to requests for access in a timely manner. Generally, under the HIPAA medical records release rule, covered entities must notify individuals of the covered entity’s decision on access within 30 days of the covered entity’s receipt of the request.
According to guidance from the Department of Health and Human Services, the 30 calendar days is an outer limit, and covered entities are encouraged to respond as soon as possible. Indeed, as HHS notes, a covered entity may have the capacity to provide individuals with almost instantaneous or very prompt electronic access to the requested PHI through personal health records, web portals, or similar electronic means. Further, individuals may reasonably expect a covered entity to be able to respond in a much faster timeframe when the covered entity uses health information technology in its day-to-day operations.
If a covered entity is unable to provide access within 30 calendar days (for example, where the information is archived offsite and not readily accessible), the covered entity may extend the time by no more than an additional 30 days. To extend the time, the covered entity must, within the initial 30 days, inform the individual in writing of the reasons for the delay and the date by which the covered entity will provide the information.
These timelines for medical record compliance apply regardless of whether: