HIPAA Guidance – What You Need To Know About Access

April showers bring May flowers. I hope you’re enjoying the Spring and the renewal it brings. The seventh annual National Long-Term Care Defense was an awesome experience, and we enjoyed spending time with industry thought-leaders April 3-4, 2019 in Memphis. Stay tuned for details about next year’s event in New York City.

Every day in my law firm, and nearly every day in the media, we encounter issues related to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), including access, security and breach. A frequent HIPAA issue that arises in health care litigation is the individual’s right to access health information and the associated legal and regulatory considerations. As a defense attorney, and for risk mitigation, my duty is to evaluate a request for health information on behalf of our provider clients, determine who is legally authorized to receive information and decide what information should be produced. This month, we’ll explore the HIPAA Privacy Rule, which gives individuals a legal, enforceable right to see and receive copies, upon request, of the information in their medical and other health records maintained by their health care providers and health plans, and we’ll note some answers to frequently asked questions we receive. A valuable resource for HIPAA guidance is HHS.gov.


The Privacy Rule generally requires HIPAA covered entities (health plans and most health care providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice.


Individuals have a right to access PHI in a “designated record set.” A “designated record set” is defined as a group of records maintained by or for a covered entity that comprises the:

  • Medical records and billing records;

  • Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or

  • Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals.

NOTE: Individuals have a right to a broad array of health information, including: medical records; billing and payment records; insurance information; clinical laboratory test results; medical images, such as X-rays; wellness and disease management program files; and clinical case notes; among other information used to make decisions about individuals. In responding to a request for access, a covered entity is not, however, required to create new information, such as explanatory materials or analyses that do not already exist in the designated record set.


An individual does not have a right to access PHI that is not part of a designated record set because the information is not used to make decisions about individuals. This may include certain quality assessment or improvement records, patient safety activity records, or business planning, development, and management records that are used for business decisions more generally rather than to make decisions about individuals.

NOTE: For example, a nursing home or hospital’s peer review files or practitioner or provider performance evaluations, or a health plan’s quality control records that are used to improve customer service or formulary development records, may be generated from and include an individual’s PHI but might not be in the covered entity’s designated record set and subject to access by the individual.

NOTE ALSO: In addition, two categories of information are expressly excluded from the right of access:

  • Psychotherapy notes, which are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session, that are maintained separate from the rest of the patient’s medical record.

  • Information compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action or proceeding.


An individual’s personal representative (generally, a person with authority under State law to make health care decisions for the individual – Power of Attorney, Power of Attorney for Healthcare, Conservator, Surrogate) also has the right to access PHI about the individual in a designated record set.


A covered entity may require individuals to request access in writing, provided the covered entity informs individuals of this requirement. Covered entities also may offer individuals the option of using electronic means (e.g., e-mail, secure web portal) to make requests for access.


The Privacy Rule requires a covered entity to take reasonable steps to verify the identity of an individual making a request for access.

NOTE: For example, if the covered entity requires that access requests be made on its own supplied form, the form could ask for basic information about the individual that would enable the covered entity to verify that the person requesting access is the subject of the information requested or is the individual’s personal representative.


A covered entity may not impose unreasonable measures on an individual requesting access that serve as barriers to or unreasonably delay the individual from obtaining access.

NOTE: For example, a doctor may not require an individual:

  • Who wants a copy of her medical record mailed to her home address to physically come to the doctor’s office to request access and provide proof of identity in person.

  • To use a web portal for requesting access, as not all individuals will have ready access to the portal.

  • To mail an access request, as this would unreasonably delay the covered entity’s receipt of the request and thus, the individual’s access.


The Privacy Rule requires a covered entity to provide the individual with access to the PHI in the form and format requested, if readily producible in that form and format, or if not, in a readable hard copy form or other form and format as agreed to by the covered entity and the individual.

NOTE: If the individual requests electronic access to PHI that the covered entity maintains electronically, the covered entity must provide the individual with access to the information in the requested electronic form and format, if it is readily producible in that form and format, or if not, in an agreed upon alternative, readable electronic format.

NOTE ALSO: The covered entity also may provide the individual with a summary of the PHI requested, in lieu of providing access to the PHI, or may provide an explanation of the PHI to which access has been provided in addition to that PHI, so long as the individual in advance: (1) chooses to receive the summary or explanation (including in the electronic or paper form being offered by the covered entity); and (2) agrees to any fees (as explained below in the Section describing permissible Fees for Copies) that may be charged by the covered entity for the summary or explanation.


In providing access to the individual, a covered entity must provide access to the PHI requested no later than 30 calendar days from receiving the individual’s request.

NOTE: The 30 calendar days is an outer limit and covered entities are encouraged to respond as soon as possible. Indeed, a covered entity may have the capacity to provide individuals with almost instantaneous or very prompt electronic access to the PHI requested through personal health records, web portals or similar electronic means. Further, individuals may reasonably expect a covered entity to be able to respond in a much faster timeframe when the covered entity is using health information technology in its day to day operations.

NOTE ALSO: If a covered entity is unable to provide access within 30 calendar days -- for example, where the information is archived offsite and not readily accessible -- the covered entity may extend the time by no more than an additional 30 days. To extend the time, the covered entity must, within the initial 30 days, inform the individual in writing of the reasons for the delay and the date by which the covered entity will provide access. Only one extension is permitted per access request.


The issue of fees arises frequently in our firm. The Privacy Rule permits a covered entity to impose a reasonable, cost-based fee if the individual requests a copy of the PHI.

NOTE: The fee may include only the cost of: (1) labor for copying; (2) the supplies for creating the paper copy or electronic media (e.g., CD or USB drive); (3) postage; and (4) preparation of an explanation or summary of the PHI, if agreed to by the individual.

NOTE ALSO: The fee may not include costs associated with verification; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; or other costs not listed above even if such costs are authorized by State law.


An individual also has a right to direct the covered entity to transmit the PHI about the individual directly to another person or entity designated by the individual.

NOTE: The individual’s request to direct the PHI to another person must be in writing, signed by the individual, and clearly identify the designated person and where to send the PHI. A covered entity may accept an electronic copy of a signed request (e.g., PDF), as well as an electronically executed request (e.g., via a secure web portal) that includes an electronic signature.


State laws that provide individuals with greater rights of access to their PHI than the Privacy Rule, or that are not contrary to the Privacy Rule, are not preempted by HIPAA and thus still apply.

NOTE: For example, a covered entity subject to a State law that requires that access to PHI be provided to an individual in a shorter time frame than that required in the Privacy Rule must provide such access within the shorter time frame, because the State law is not contrary to the Privacy Rule.

Compliance, Breach Notification and Enforcement are beyond the scope of this Privacy Rule article; however, understanding the essentials of HIPAA and access to PHI is the first step to compliance and risk avoidance.


Last month, I reported on the March 6, 2019 Senate Finance Committee (chaired by Senator Charles Grassley (R-Iowa)), hearing titled Not Forgotten: Protecting Americans From Abuse and Neglect in Nursing Homes. On Monday, April 15, 2019, CMS Administrator Seema Verma stated that she has directed the agency to undertake a “comprehensive review” of its regulations, guidelines and processes related to skilled nursing facilities. In her blog post, Ms. Verma wrote that along with the comprehensive review, CMS is working to increase oversight of State Survey Agencies, which have been known to deliver uneven findings and enforcement around the country. Some states have frequently identified serious issues in SNFs while others have not rooted out concerns with the same “seriousness or severity,” she wrote. Her blog post also said that CMS is considering changing its organizational structure to enhance collaboration across regional staff.

Her five-point plan is:

  1. Strengthen oversight: CMS is intensifying its supervision of how State Survey Agencies perform and taking a close look at how surveyors identify safety issues. It plans to set clear timelines for SSAs to review allegations and change the Washington agency’s organizational structure to allow for more collaboration with states.

  2. Enhance enforcement: This includes strengthening policies to “hold nursing homes accountable for the care they provide.” CMS has shared staffing data with state surveyors, who are [as has been previously announced] conducting unannounced, after-hours and weekend visits to focus on staffing issues, Verma wrote.

  3. Increase transparency: By publicizing instances in which CMS terminates agreements with nursing homes due to poor quality and making survey findings more readily accessible and digestible by the public.

  4. Improve quality: Officials are eyeing further measures to address “serious quality issues,” she said, such as healthcare-associated infections and exploring ways to better spend Civil Money Penalty dollars on the most critical quality issues.

  5. Put patients over paperwork: CMS also wants to ensure that it is not overburdening providers with any changes. “We will continue to think about how we can streamline processes and eliminate obsolete, unnecessary or duplicative provisions, and we are interested in hearing from all stakeholders on ways to improve our programs,” Verma concluded, drawing on one of the themes providers have actually liked during this administration.

The timing is complicated for CMS given the Senate probe by Sen. Grassley, who questioned whether CMS was aggressively tracking nursing home quality and enforcing standards.

In a related development on the same day, the U.S. Government Accountability Office called on CMS to step up oversight of nursing home abuse investigations. The GAO found that abuse investigations and reporting in Oregon lapsed for at least 15 years.

The call to action is for our health care leaders to emphasize how skilled nursing care operators and quality of care have improved, and we need to create a force against regulatory overhaul and the changes that Ms. Verma has outlined.