HHS Clarifies Patient Rights to Medical Records

BNA’s Health Care Daily Report™ sets the standard for reliable, high-intensity coverage of breaking health care news, covering all major legal, policy, industry, and consumer developments in a...

By James Swann

Jan. 7 — The government Jan. 7 released guidance clarifying patients' rights to access their medical records under the Health Insurance Portability and Accountability Act's Privacy Rule, including what records an individual is entitled to and what can be excluded from a patient request.

Patients have the right to access a designated record set that includes medical and billing records, plan enrollment information and payment and claims adjudication data, according to the guidance from the Department of Health and Human Services Office for Civil Rights.

However, the OCR said in the guidance that psychotherapy notes and any information concerning potential civil or criminal actions are excluded from the designated record set.

OCR Director Jocelyn Samuels said patients often face barriers when attempting to access their medical records. She said the guidance would help educate them about their rights.

The HIPAA Privacy Rule requires covered entities to give patients access to their protected health information (PHI), if access is requested.

Frequently Asked Questions

The guidance included frequently asked questions regarding patient access to medical records, including whether patients have the right to access all their medical records maintained by a covered entity.

According to the FAQs, patients do have the right to access most information maintained by a covered entity, with limited exceptions, and they also have the right to access PHI that is old or archived.

In addition, the FAQs clarified that patients have the right to request PHI held by a covered entity's business associate, as well as genomic information held by a clinical laboratory.

There are limited circumstances in which a covered entity may reject patients' requests for access to their medical records, the guidance said, such as if the information requested is not part of a designated record set.

A covered entity can also deny a records request if the entity determines that releasing the records could endanger the life of the patient. In this scenario, if the covered entity believed the release of the records could lead to a patient suicide, it could reject the request.

A request for medical records must be met by a covered entity within 30 days of receipt, though an additional 30-day period can be granted as long as the entity provides a written statement to the individual explaining the delay.

To contact the reporter on this story: James Swann in Washington at jswann1@bna.com

To contact the editor responsible for this story: Brent Bierman at bbierman@bna.com