HIPAA's Patient Right of Access: A Rule Whose Time Has Come

By Lynn M. Barrett, Esq., CHC, CCP, and Stephen S. Shaver, Esq., American Bar Association e-Source, September 22, 2021

Under the federal Health Insurance Portability and Accountability Act (HIPAA or the Act),¹ patients have a right to access and inspect their own protected health information (PHI).² Like many aspects of healthcare law, however, the practical application of the right of access is accomplished through a complex and evolving set of regulations and guidance. While this patient right of access has been a part of the Act since its passage, beginning in 2019 the Office for Civil Rights (OCR), the federal agency within the Department of Health and Human Services (HHS) responsible for enforcing HIPAA, announced the creation of a “Right of Access Initiative” designed to put some teeth into what healthcare providers may previously have paid little attention to. This article will examine the parameters of HIPAA’s right of access, assess OCR’s 2019 Right of Access Initiative, and provide suggestions to help avoid liability under the right of access requirements.

After Congress passed HIPAA in 1996, HHS promulgated regulations to implement the Act, one of which came to be known as the “Privacy Rule.”³ Among other things, the Privacy Rule established patients’ right to access their own PHI.  The Privacy Rule provides that where a covered entity⁴ receives a request for access, it must first take reasonable steps to verify the identity of the requestor.⁵ HHS generally leaves the determination as to what is “reasonable” to the covered entity, as long as the covered entity does not impede patient access. However, when the covered entity utilizes a web portal to facilitate patient requests, HHS provides authentication controls, such as unique usernames or passwords, to verify the identity of the person attempting to use the portal.⁶

A covered entity generally must respond to a request for access within 30 days of the request by either providing the records or denying the request in writing.⁷ However, a single 30-day extension is available where the covered entity provides the patient a written statement of the reasons for the delay.⁸

Within this timeframe, the covered entity must determine whether the requested information is subject to disclosure. That is, the right of access does not extend to all PHI that is in the possession of the covered entity. First, the right of access extends only to PHI in designated record sets.⁹ A designated record set generally includes only medical, billing, and claims records or other records used to make decisions regarding the patient.¹⁰ It generally does not include records of business planning, performance evaluations, or other information that may be included in a patient’s PHI but is not used to make decisions regarding the patient.¹¹ Further, the covered entity may deny a patient’s request to access psychotherapy notes, as well as any information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding, even where such information is included in a designated record set.¹² There are also grounds for denial for corrections institutions, research studies, and where the PHI was obtained under the premise of confidentiality of the source.¹³ There is no right for a patient to request a review of the covered entity’s decision where a covered entity denies a request on these grounds; however, the covered entity is still required to issue a written denial within 30 days.¹⁴

There are situations, however, where a covered entity’s denial of access is required to be reviewed by a second licensed healthcare professional designated by the covered entity.¹⁵ These situations include, without limitation, where a licensed healthcare professional has determined that access is reasonably likely to endanger the life or physical safety of the individual or another person; where the PHI refers to another person and a licensed healthcare professional has determined that access is reasonably likely to cause substantial harm to the other person; or where the request is made by the patient’s personal representative and a licensed healthcare professional has determined that access to the representative is reasonably likely to cause substantial harm to the patient or other person.¹⁶

When a covered entity provides PHI to the patient, pursuant to HIPAA’s Privacy Rule the covered entity must provide the PHI in the form requested by the patient if it is readily producible in that form.¹⁷ If it is not readily producible in that form, then it must be provided in hard copy or in any other form as agreed by the patient and covered entity.¹⁸ If the patient requests that the PHI be sent directly to a designated third party, the covered entity must provide the PHI to such party.¹⁹

When the Privacy Rule was promulgated, it set forth the permissible types of fees that could be charged to patients for accessing their own PHI. In order to ensure that patients would not be deterred from seeking such access due to cost considerations, a covered entity could only charge patients the “Patient Rate,” which consisted of the reasonable cost of copying and associated labor costs, postage, and reasonable costs associated with preparing an explanation or summary of the PHI.²⁰ The Patient Rate did not include other costs typically associated with maintaining and producing PHI, such as the costs of data storage and document retrieval. Importantly, the Patient Rate did not apply to third-party requests. That is, if a third party requested a patient’s PHI, a covered entity was not limited to charging such third party the Patient Rate.

Subsequently, in response to the increase in digital record-keeping systems, Congress in 2009 passed the Health Information Technology for Economic and Clinical Health Act (HITECH Act).²¹ With respect to patients’ right of access, the HITECH Act established a new process to deliver PHI stored in electronic form to third parties, a new concept known as the “third-party directive.” Pursuant to the third-party directive, a patient may direct a covered entity to deliver to third persons the patient’s PHI which is stored in electronic form. The HITECH Act also placed a statutory cap on the fees that a covered entity may charge patients for delivering PHI that is in electronic form. Such cap was limited to an amount that could not exceed a covered entity’s labor costs in responding to the request for the PHI.

This third-party directive was expanded in HHS’s 2013 final rule entitled “Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act, and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules” (Omnibus Rule).²²  Pursuant to the Omnibus Rule, the third-party directive was broadened to apply not only to requests for PHI that was contained in electronic form, but to PHI contained in any format. Further, in January and February 2016, HHS released guidance regarding the patient access rules in the form of a Fact Sheet and a series of FAQs (collectively, “2016 Guidance”).²³ The 2016 Guidance appeared to have been released due to concerns with covered entities’ failure to provide appropriate access.  Then-OCR Director Jocelyn Samuels wrote in a blog post that “. . . based on recent studies and our own enforcement experience, far too often individuals face obstacles to accessing their health information, even from entities required to comply with the HIPAA Privacy Rule.”²⁴  She further stated that “ . . .  HIPAA’s right of access is critical to enabling individuals to take ownership of their health and well-being – but this core right is rendered meaningless when individuals cannot afford to pay the fees.”²⁵ Thus, the 2016 Guidance reiterated that individuals can be charged only a reasonable, cost-based fee for the labor and supplies associated with making the copy, whether on paper or in electronic form.

A lawsuit filed in federal court in 2018, Ciox Health, LLC v. Azar, et al.,²⁶ challenged HHS’s expansion of the HITECH Act with respect to certain aspects of the patient access rules. The Ciox case involved a specialized medical-records provider, Ciox Health, LLC, which was a business associate of and contracted with covered entities on a national basis to maintain, retrieve, and produce individuals’ PHI, including in response to patient requests. HHS had imposed a penalty against a hospital serviced by Ciox for the failure to provide records at the Patient Rate to a patient who directed that the records be sent to her lawyer.  Ciox argued that HHS’s 2016 Guidance was invalid on procedural grounds (i.e., that the guidance failed to follow the Administrative Procedure Act)²⁷ and that the limitation of fees chargeable by third parties caused Ciox and other medical records companies to lose millions of dollars in revenue. Although by the time the Ciox case was filed, HHS had announced that it would not enforce fee limitations against business associates (although it would enforce the fee limitations against covered entities), this appears to have been too little, too late.²⁸ In 2020, the court agreed with Ciox and vacated the application of the third-party directive to PHI contained in any format.  The court also limited the Patient Rate to a patient’s request for access to his or her own records and stated that it does not apply to patient requests to transmit records to a third party.

As a result of this ever-changing landscape, which may or may not change again, the fee a covered entity may charge a patient to access his or her PHI is generally limited to the Patient Rate, which, in turn, is limited to a reasonable, cost-based fee that includes only the costs of the labor, supplies such as paper or USB drives, and postage associated with transmitting the PHI, as well as the cost of creating any summary of the records, as agreed to by the patient.²⁹ This notably does not include costs for electronic data storage or server infrastructure because HHS has taken the position that some electronic storage and access of PHI will generate no costs that can be billed to the patient.³⁰ HHS has advised that there are three ways to calculate the costs that can be assessed to each patient: the actual costs of access, the average costs of fulfilling certain types of requests, or a flat fee not to exceed $6.50 for electronic copies of PHI maintained electronically.³¹ Entities that use an average cost or a flat fee may adjust their fee for unusual requests, so long as that fee reflects only the costs allowed under the Privacy Rule.³² Of note, these fee caps do not apply where the patient directs the covered entity to provide the PHI to a third party.³³

In early 2019, then-OCR Director Roger Severino announced a new HIPAA enforcement initiative focusing on entities’ compliance with patients’ rights to access their own health information in a timely manner and at a reasonable cost. Throughout the year, Severino spoke about the difficulty patients were continuing to have in accessing their PHI.³⁴ As a result, Severino stated that the time had come “for serious enforcement” of these patient rights³⁵ and the “Right of Access Initiative” had begun.

Not long thereafter, in September 2019, OCR settled its first enforcement action under its Right of Access Initiative. The settlement was with Bayfront Health in St. Petersburg, Florida, which paid $85,000 to settle allegations that it failed to provide a mother timely access to the fetal monitoring records of her unborn child. OCR investigated the complaint filed by the mother and found that Bayfront provided the mother with the requested records nine months after her initial request.³⁶ In addition to paying the noted amount, Bayfront entered into a corrective action plan which requires, among other things, that Bayfront revise its HIPAA policies and procedures and provide training to each of its workforce members and relevant business associates.

To date, 19 enforcement actions regarding alleged violations of the right to access have been settled and publicly announced. The vast majority of these alleged violations stem from untimely responses to requests for access. The most recent and most costly of these occurred in January 2021 and involved Banner Health, an Arizona health system. According to OCR, Banner Health agreed to take a number of corrective actions pursuant to a corrective action plan which involves two years of monitoring and pay $200,000 to settle allegations that it had taken approximately five months for two different patients to receive their requested records.³⁷ In announcing this enforcement action, then-OCR Director Severino stated that "[T]his first resolution of the year signals that our Right of Access Initiative is still going strong and that providers of all sizes need to respect the right of patients to have timely access to their medical records."³⁸ Interestingly, 11 of the patient access settlements occurred during 2020, notwithstanding the existence of the COVID-19 global pandemic. Of note, some covered entities could have denied requests based on statutory grounds that the requested PHI was not subject to disclosure but faced sanctions because they did not timely issue a written denial of the request.³⁹ Settlement amounts have ranged from a few thousand dollars to a few hundred thousand dollars, and likely depend on the size of the allegedly offending covered entity as well as the severity of the alleged violation. Notably, all settlements required the entities to be subject to a corrective action plan, generally with one to two years of monitoring.

As a result of OCR’s Right of Access Initiative and in light of the numerous settlements discussed above, entities should take a proactive approach to reduce the likelihood that they may become subject to patient access complaints that ultimately result in an OCR investigation, settlement, and corrective action plan. A first step in this process should be for the covered entity to review and revise its right of access policies and procedures, particularly considering the number of changes that have occurred with respect to third-party directives. Once the policies and procedures have been reviewed and revised, everyone involved in responding to and fulfilling patient and third-party requests – whether internal or external to the organization – should be properly trained, with new workforce members and business associates being trained upon hire or engagement. “Refresher” training should also occur periodically, and individuals should have the ability to ask questions of the covered entity’s Privacy Officer, Compliance Officer, or other qualified personnel, as appropriate.  A tracking mechanism should also be created and implemented to track each request, how it was handled and by whom, what fees were charged (if any) and if and when the information was either provided or declined to be provided. Human Resources should be contacted if any workforce member fails to comply with the covered entity’s policies and procedures and appropriate corrective action should be taken. To the extent a business associate or third-party vendor responds to requests for patient records on a covered entity’s behalf, the contract with such business associate or vendor should incorporate the covered entity’s policies and procedures and contain monetary or other penalties for violating them. Covered entities should also consider indemnification provisions in these agreements.

Finally, as if the regulatory changes noted herein were not enough, in January 2021, HHS proposed several changes to the Privacy Rule and the patient right of access.⁴⁰ HHS proposed reducing covered entities’ response time from 30 days to 15 days; clarifying the PHI request format; requiring covered entities to notify patients that they still have a right to obtain full PHI if only a summary is offered; specifying when electronic PHI must be provided to the patient for free; and requiring entities to post fee schedules on their websites for PHI requests.⁴¹ The public comment period has closed, but as of this writing no final rule has been released. 

While the regulations surrounding the Privacy Rule and patients’ right to access their own medical records continue to evolve, it is clear that these regulations and their enforcement are a government priority. Covered entities should be familiar with the requirements of the Privacy Rule and their compliance obligations.

¹ Pub. L. 104-191 (1996).

² Protected health information is individually identifiable health information that is transmitted or maintained in electronic or other media. 45 C.F.R. § 160.103.

³ 65 Fed. Reg. 82462, et. al. (Dec. 28, 2000). The regulations governing the patient right of access under the Privacy Rule can be found at 45 C.F.R. § 164.524.

⁴ Covered entity means a health plan, a health clearinghouse, or a healthcare provider that transmits any health information in electronic form in connection with a transaction covered by the HIPAA Privacy Rule.

⁵ 45 C.F.R. § 160.103. 4 45 C.F.R. § 164.514(h).

⁶ Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524, Dept. Health & Human Serv., (content last reviewed Jan. 31, 2020) (last accessed Jul. 27, 2021); 45 C.F.R. § 164.312(d). https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html

⁷ 45 C.F.R. § 164.524(b).

⁸ Id. at § 164.524(b)(2)(ii).

⁹ 45 C.F.R. § 164.524(a)(1).

¹⁰ 45 C.F.R. § 164.501.

¹¹ Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524, supra n. 6.

¹² 45 C.F.R. § 164.524(a)(1)(i) - (ii).

¹³ Id. at § 164.524(a)(2).

¹⁴ Id. at § 164.524(b)(2)(i)(B).

¹⁵ Id.

¹⁶ Id. at § 164.524(a)(3).

¹⁷ 45 C.F.R. § 164.524(c)(2). Where a covered entity issues a reviewable denial of access regarding PHI stored in an electronic form, it must also comply with the new “information blocking” rules, 42 U.S.C. § 300jj-52; 45 C.F.R. § 171, et al. These new rules add a wrinkle of complexity; however, they do not completely align with the Privacy Rule. Broadly speaking, the information blocking rules prohibit certain practices that interfere with access, exchange, or use of electronic health information. There are many exceptions to the information blocking rules, such as exceptions for privacy, security, or to prevent harm, that were intended to align with the grounds to deny access described under the Privacy Rule. These exceptions, however, do not always track the Privacy Rule exactly. For example, the right of access under the Privacy Rule does not apply where a licensed healthcare professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person.  45 C.F.R. § 164.524(a)(3)(i). Under the similar exception to the information blocking rule, this risk of harm can be determined either by the professional judgement of a licensed healthcare professional or it may arise from data that is known or reasonably suspected to be misidentified or mismatched, corrupt due to technical failure, or erroneous for another reason.  45 C.F.R. § 171.201(c). These new rules may impact the right to access initiative in the future.

¹⁸ 45 C.F.R. § 164.524(c)(2).

¹⁹ Id. at § 164.524(c)(3)(ii). Contrast a request made by a patient that requests that the records be sent to a third party with a request that is made by the patient’s personal representative.

²⁰ Id. at § 164.524(c)(4)(i)–(iii).

²¹ Pub. L. 111-5 (2009).

²² 78 Fed. Reg. 5566 (Jan. 25, 2013).

²³ See supra n. 6. The Fact Sheet and an initial set of FAQs was released in January 2016 and a second set of FAQs was released in February 2016.

²⁴ Id.

²⁵ New HIPAA guidance reiterates patients’ right to access health information and clarifies appropriate fees for copies, Dept. Health & Human Serv., https://wayback.archive- it.org/8315/20170119040015/https://www.hhs.gov/blog/2016/02/25/new-hipaa-guidance-accessing-health￾information-fees-copies.html (Feb. 25, 2016) (last accessed Aug. 6, 2021).

²⁶ 435 F.Supp.3d 30 (D.D.C. 2020).

²⁷ The Administrative Procedure Act generally requires that, to become effective, a legislative rule must go through notice-and-comment rulemaking, a lengthy process in which the public is given an opportunity to comment on a proposed version of the rule and the agency responds to the comments. 5 U.S.C. § 553.

²⁸ Direct Liability of Business Associates, Dept. Health & Human Serv., https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html (content last reviewed July 16, 2021) (last accessed Aug. 6, 2021).

²⁹ Id. at § 164.524(c)(4); Individuals’ Right under HIPAA to Access their Health Information, 45 CFR § 164.524, supra n. 6.

³⁰ Individuals’ Right under HIPAA to Access their Health Information, 45 CFR § 164.524, supra n. 6.

³¹ Id.

³² Id.

³³ Ciox, 435 F.Supp.3d 30.

³⁴ See, e.g., “Roger Severino Provides Update on OCR HIPAA Enforcement Priorities,” HIPAAnswers.com https://www.hipaanswers.com/roger-severino-provides-update-on-ocr-hipaa-enforcement-priorities/ (Oct. 29, 2019) (last accessed Aug. 6, 2021).

³⁵ Id.

³⁶ Press Release, “OCR Settles First Case in HIPAA Right of Access Initiative,” Dept. Health and Human Serv., https://public3.pagefreezer.com/browse/HHS.gov/31-12- 2020T08:51/https://www.hhs.gov/about/news/2019/09/09/ocr-settles-first-case-hipaa-right-access￾initiative.html (Sept. 9, 2019) (last accessed Aug. 6, 2021).

³⁷ OCR Settles Fourteenth Investigation in HIPAA Right of Access Initiative, Dept. of Health and Human Serv., https://www.hhs.gov/about/news/2021/01/12/ocr-settles-fourteenth-investigation-in-hipaa-right-of-access-initiative.html (content last reviewed Jan. 12, 2021) (last accessed Aug. 5, 2021).

³⁸ Id.

³⁹ For example, a California psychiatry practice asserted that the Privacy Rule did not apply to a request that it had received because the request included psychotherapy notes, which are not subject to disclosure ENTIT Y: HEALTH LAW SECTION TOPIC: HEALTH The material in all ABA publications is copyrighted and may be reprinted by permission only. Request reprint permission here. American Bar Association | /content/aba-cms-dotorg/en/groups/health_law/publications/aba_health_esource/2021-2022/september-2021/hip-pat under the Privacy Rule. However, OCR asserted a violation and secured a settlement because the practice had not issued a response in order to deny the request. OCR Settles Tenth Investigation in HIPAA Right of Access Initiative, Dept. of Health and Human Serv.,  (Nov. 6, 2020) (last accessed Aug. 24, 2021). https://web.archive.org/web/20210306022941/https://www.hhs.gov/about/news/2020/11/06/ocr-settlestenth-investigation-hipaa-right-access-initiative.html

⁴⁰ 86 Fed. Reg. 6446-01 (Jan. 21, 2021).

⁴¹ Id.Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID- 19) Outbreak – The White House (archives.gov)

⁴² https://mhealthintelligence.com/news/what-will-happen-with-telehealth-when-the-emergency-is-over

⁴³ H.R.6074 – Coronavirus Preparedness and Response Supplemental Appropriations Act, 2020.