Updated June 2, 2021

A patient’s right of access to their own protected health information (PHI) is still a top enforcement priority, with nineteen settlements in just the past two years. Today’s blog summarizes the legal framework of this central HIPAA requirement and provides a simple guide on how to comply, depending on the circumstances. Although the Right of Access will likely be modified under a new proposed HIPAA Privacy Rule, the changes have not happened yet, and a final rule is still months, possibly a year or more, away.

Under the “Right of Access Initiative” begun in 2019, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has investigated and settled with covered entities of all types and sizes, with settlements ranging from $3,500 to $200,000. In each case the covered entity failed to provide timely access to records: it delayed, created obstacles or charged unreasonable fees, all of which violate HIPAA.

But this is not a new priority. OCR has emphasized the patient Right of Access for years. In 2016, OCR published guidance on the difference between an “authorization” and the “right of access”, because the two concepts were being confused. Five years later there is still confusion, and the Ciox court decision last year added another layer.

Both the authorization and the right of access concepts are about disclosures of PHI. How to handle a particular disclosure depends on who is asking, who is receiving, and whether the PHI is only in an electronic format.

PHI Disclosures under HIPAA – HITECH and the Ciox Case Explained

HIPAA Privacy Rule – Code of Federal Regulations, 45 C.F.R. §§ 164.524 and 164.508

164.524 Access of Individuals to Protected Health Information

164.524 Access is an individual right. A covered entity (health care provider or health plan) is required to make the PHI disclosure within the time frame and cost limits set in the regulation.

164.508 Uses and Disclosures for which an Authorization is Required

164.508 A disclosure for which an authorization is required is a permitted, not a required, disclosure. No time frame limitations apply to this type of disclosure. Fees for the disclosure are set by the law of the state where the health care provider or health plan is located.

Ciox – a U. S. Court Decision – Effect of the HITECH Act

Ciox Health, LLC v. Azar, 435 F. Supp. 3d 30 (D.D.C. 2020)

The provisions in 45 C.F.R. § 164.524 covering an individual’s direction that their records be delivered to a third party were challenged in court by Ciox, a company that maintains PHI records on behalf of health care providers. Ciox claimed that the “third-party directive”, as written in the regulation, exceeded the rulemaking authority HHS was given by the HITECH Act, and that it damaged Ciox’s business.

  • On January 23, 2020, the U.S. District Court for the District of Columbia vacated the “third-party directive” set by 164.524 “…insofar as it expands the HITECH Act’s third-party directive beyond requests for a copy of an electronic health record with respect to [protected health information] of an individual . . . in an electronic format.”

164.524 Fee Limit Applies only to Individual’s Request to Access their Own PHI

  • The fee limitation set forth at 45 C.F.R. § 164.524(c)(4) applies only to an individual’s request for access to their own records. It does not apply to an individual’s request to transmit records to a third party.

164.524 – HITECH – Ciox – Individual May Direct Records in EHR be sent to Third Party

  • If the individual requests that their PHI maintained only in an EHR be transmitted electronically to a third party, a health care provider or health plan must comply with the request.
  • If the individual directs their records to a third party, the fee is governed by state law, not by the 164.524 fee limit.

164.524 Access Time Frame – Recipient is Individual or Third Party

  • A health care provider or health plan must provide the records within 30 days (unless state law sets a shorter deadline), and may take up to 30 additional days if necessary, provided it notifies the individual in writing of the reason for the delay and the date by which the records will be provided.

164.524 HIPAA ‘Patient Rate’

  • If an individual requests to receive their own PHI maintained in their designated record set (DRS), the ‘Patient Rate’ (a reasonable, cost-based fee) set forth in 164.524 must be followed, unless state law sets a lower rate.

Fee set by State Law – 164.524 and 164.508

  • If an individual requests that their PHI maintained in an EHR be transmitted electronically to a third party, the fee is set by the law of the state where the health care provider or health plan is located. (164.524 – Right of Access, HITECH and Ciox)
  • If an individual requests that their PHI maintained in an EHR be transmitted in paper form to a third party, the fee is set by the law of the state where the health care provider or health plan is located. (164.508)
  • If an individual requests that PHI in their DRS maintained both electronically and in paper form be transmitted to a third party, the fee is set by the law of the state where the health care provider or health plan is located. (164.508)
  • If a third party holding a valid HIPAA authorization from an individual requests that the individual’s PHI be sent to the third party, the fee is set by the law of the state where the health care provider or health plan is located. (164.508)

What Procedure Should be Followed and What Fee Applies?

To determine the correct procedure, including which form to use and what fee may be charged for providing the records, it is only necessary to ask three questions.

Three Key Questions

  1. Who is requesting an individual’s PHI – the PHI Requestor?
  2. Who will receive the PHI – the PHI Recipient?
  3. Is the PHI located only in an EHR?

Use the following table to find the form required and the fee allowed to be charged.

HIPAA Privacy Rule Changes are Ahead

It’s worth noting that the Right of Access is one of the topics that would be modified under the new HIPAA Privacy Proposed Rule currently under review at HHS. The Proposed Rule, among other things:

  • makes it easier for individuals to exercise the right of access by directing that electronic records be sent to a third party, as long as the individual’s request is clear, conspicuous, and specific; the request may be made orally or in writing (including electronically)
  • shortens the time covered entities have to provide access from 30 days to 15 days
  • adds new definitions for “electronic health record” and “personal health application”
  • clarifies the allowable fees.

Any final rule changes are many months away. We will update the blog when a Final Rule is issued.

More Answers Available at The HIPAA E-Tool®

Whether you have an everyday common question or you want a more detailed answer with citations, The HIPAA E-Tool® is the best source you’ll find on HIPAA.
