The Health Insurance Portability and Accountability Act (“HIPAA”), subject to certain exceptions, provides individuals with the right to access their personal health information (“PHI”). Recently, the Office for Civil Rights (“OCR”), the division within the Department of Health and Human Services (“HHS”) in charge of enforcing HIPAA, published guidance regarding the right of an individual to access his or her PHI in one or more designated record sets maintained by or for the covered entity (“January Guidance”). OCR suggested, in the early fall of 2015, that forthcoming guidance would clarify the definition of “designated record set” and an individual’s right to access his or her PHI. Instead, the January Guidance focuses broadly on the right of an individual to access his or her PHI, with only a passing reference to the “designated record set” definition.
The result in OCR’s change of focus is to reiterate the obligation of covered entities to provide individuals’ access to their PHI, without offering additional guidance as to the applicability of these requirements to hybrid entities. Thus, the January Guidance serves to illustrate the importance that OCR places on covered entities adequately responding to the requests of individuals to access their PHI.
Designated Record Set
Specifically, the general rule is that HIPAA covered entities must provide an individual with access to his or her information that is contained within a “designated record set” maintained by or for the covered entity within 30 calendar days of the request. “Access” is defined to include the individual’s right to inspect, copy, and/or direct that a copy be sent to a person/entity of his or her choice.
A “designated record set” is defined under HIPAA as
[a] group of records maintained by or for a covered entity that is: (i) [t]he medical records and billing records about individuals maintained by or for a covered health care provider; (ii) [t]he enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) [u]sed, in whole or in part, by or for the covered entity to make decisions about individuals.
Still unanswered by OCR is the question of what information used by covered entities “to make decisions about individuals” actually means. The January Guidance offers only the following example: “records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.” In contrast, “certain quality assessment or improvement records, patient safety activity records, or business planning, development and management records that are used for business decisions more generally rather than to make decisions about individuals” are outside the “designated record set” definition. Stakeholders looking for more detailed guidance on the “decisions about individuals” phrase will find the January Guidance wanting for specifics, as the above example from OCR merely repeats the phrase being defined. The specific elements that would convert a piece of information from general business planning information into information used to make decisions about individuals are not clear.
Requests for Access to PHI
Additionally, the January Guidance restates the basic rules regarding a patient’s right to access his or her PHI regarding the form of the request, the form of the information, and the time period within which the covered entity must respond. The January Guidance reiterates that a covered entity may require that the patient request such PHI in writing only if the covered entity tells its patients of this requirement. Requests can also be made by patients electronically.
As noted above, OCR clarified that a person “has a right to direct the covered entity to transmit the PHI about the individual directly to another person or entity designated by the individual.” Such a request must be in writing, clearly identify the person being designated by the individual, and be signed by the individual. The requirements detailed below for covered entities to respond in a timely manner, and in particular formats, apply to a request from the individual to send the PHI to a designated person just as if the individual was requesting the information be sent to himself or herself.
Separately, a covered entity may not take any “unreasonable measures” that would prevent an individual from accessing his or her PHI. To that end, a covered entity may require a patient to request access using the covered entity’s designated form only if doing so does not “unreasonably delay” the individual’s request. The unreasonableness of the measure may also depend on the way in which the patient is requesting access. As one example, the January Guidance states that “a doctor may not require an individual who wants a copy of her medical record mailed to her home address to physically come to the doctor’s office to request access and provide proof of identity in person.”
Despite that example, a covered entity must “take reasonable steps” to verify the identity of the individual requesting the information. Thus, covered entities must develop strategies to verify individuals making phone or written requests. No specific verification method is required to be used. Rather, verification may be given orally or in writing.
Form and Format of Requested PHI
The information must be provided “in the form and format requested” by the individual if it is “readily producible in that form and format,” or, if it is not so producible, the covered entity may provide the information in “a readable hard copy form or other form” as agreed to by the patient and covered entity.
The question of “form and format” becomes more important with changes in technology. If an individual is requesting an electronic form of records that are only maintained in paper form, the covered entity must provide the records in electronic form if it “is readily producible” electronically. Later, in a question-and-answer format, OCR clarified that a covered entity is “not required to purchase a scanner to create electronic copies,” but a covered entity is required to produce the records electronically if they are readily able to do so. The implication is that if the covered entity already owns a scanner, the covered entity would be required to scan the documents in order to provide the information in an electronic format.
If the patient is requesting information electronically that the covered entity maintains electronically, then the covered entity must provide the information in the specific electronic form requested by the patient if the records are readily producible in that form. If not, the covered entity must provide the patient with electronic access to “an agreed upon alternative readable electronic format.”
Response to Requests for Access and Fee
Covered entities must respond to requests for access within 30 calendar days, and are encouraged to respond sooner where possible. OCR notes that it is “reasonable” for an individual to expect a covered entity to respond more promptly than 30 days “when the covered entity is using health information technology in its day to day operations.”
A covered entity may charge the patient a “reasonable, cost based fee” to produce the requested records. The fee charged may be based only on the following: (1) labor for producing the records; (2) supplies for creating the copy of the record requested; (3) postage, if the copies are to be mailed to the individual; and (4) the preparation of a summary of the PHI, if the individual requests and agrees to such a summary. Certain items are expressly excluded from the fee, such as the cost associated with finding the requested information, and/or verifying the information. Furthermore, any costs not permitted above, even if not expressly prohibited, are, in fact, prohibited. Such costs are prohibited even if applicable state law would have allowed for a fee to be charged.
In short, the January Guidance reiterates the requirements regarding an individual’s right to access his or her PHI. The January Guidance also encourages covered entities to better understand and follow the requirements to which they are subject.
* * *
This Client Alert was authored by Patricia M. Wagner and Lindsay Borgeson. For additional information about the issues discussed in this Client Alert, please contact one of the authors or the Epstein Becker Green attorney who regularly handles your legal matters.
 The Department of Health and Human Services, “Understanding Individuals’ Right under HIPAA to Access their Health Information,” Jan. 7, 2016, available at: http://www.hhs.gov/blog/2016/01/07/understanding-individuals-right-under-hipaa-access-their.html (last visited Feb. 26, 2016), announced the publication of the guidance. The guidance itself, titled “Individuals’ Right under HIPAA to Access their Health Information 45 C.F.R. § 164.524,” is available at: http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html (last visited Feb. 26, 2016) (hereinafter, “January Guidance”).
 During the September 2015 NIST-OCR annual conference, it was reported that Jocelyn Samuels, the OCR Director, and Deven McGraw, the OCR Deputy Director of Health Information Privacy, indicated that such guidance was forthcoming. See Samuel C. Cohen, “Straight from the Source: OCR and NIST Provide Guidance on Safeguarding Health Information at Annual Conference,” Sep. 11, 2015, available at: http://healthcarecounselblog.com/articles/straight-source-ocr-and-nist-provide-guidance-safeguarding-health-information-annual (last visited Feb. 26, 2016).
 Please note that the January Guidance focuses on how a covered entity, or a business entity on behalf of a covered entity, is required to respond to an individual’s request for access, presuming that no exception to such access exists. As such, this Client Alert will focus on how a covered entity and/or business entity must respond to an individual’s request for his or her PHI. A full analysis of the potential exceptions that would allow a covered entity and/or business associate to deny an individual access to his or her PHI, even though such PHI is within the designated record set, is beyond the scope of this Client Alert.