HIPAA Medical Records Release
The HIPAA Privacy Rule grants patients or their personal representatives the right to receive, inspect and review their health information. Covered entities, to comply with the Privacy Rule, must follow HIPAA medical records release rules, which are explained below.
What is the HIPAA Medical Records Release Rule?
The Privacy Rule right of access generally requires covered entities to provide individuals, upon request, with access to the protected health information (PHI) about them. The PHI is contained in one or more “designated record sets” maintained by or for the covered entity.
A “designated record set” is defined as a group of records maintained by or for a covered entity that comprises:
- Medical records and billing records about individuals maintained by or for a covered health care provider;
- Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
- Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals.
What is a Record?
The definition of the word “record” in “designated record set” is fairly broad. A “record” includes any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity. Records include (but are not limited to):
- Medical records
- Billing and payment records
- Insurance information
- Clinical laboratory test results
- Medical images (such as X-rays)
- Wellness and disease management program files
- Clinical case notes
Under HIPAA medical records release rules, covered entities must respond to requests for access in a timely manner. Generally, under the HIPAA medical records release rule, covered entities must notify individuals of the covered entity’s decision on access, within 30 days of the covered entity’s receipt of the request.
According to guidance from the Department of Health and Human Services (HHS), the 30 calendar days is an outer limit and covered entities are encouraged to respond as soon as possible. Indeed, as HHS notes, a covered entity may have the capacity to provide individuals with almost instantaneous or very prompt electronic access to the PHI requested through personal health records, web portals, or similar electronic means. Further, individuals may reasonably expect a covered entity to be able to respond in a much faster timeframe when the covered entity is using health information technology in its day to day operations.
If a covered entity is unable to provide access within 30 calendar days – for example, where the information is archived offsite and not readily accessible — the covered entity may extend the time by no more than an additional 30 days. To extend the time, the covered entity must, within the initial 30 days, inform the individual in writing of the reasons for the delay and the date by which the covered entity will provide access. Only one extension is permitted per access request.
Need assistance with HIPAA compliance? Compliancy Group can help! They help you achieve HIPAA compliance with Compliance Coaches® guiding you through the entire process. Find out more about the HIPAA Seal of Compliance® and Compliancy Group. Get HIPAA compliant today!
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors are their opinion and are not intended to malign any organization, company or individuals.
Your TBHI Professional Training Options
TBHI specializes in teaching you how to relax when delivering telehealth. It offers you a step-by-step learning path of online training that helps you be legally and ethically compliant, clinically proficient, and able to handle even the most difficult of clinical scenarios. Take advantage of COVID discount pricing to learn how to sit back and enjoy your telehealth experiences, rather than struggling with ZOOM fatigue and clinical uncertainty. All courses are evidence-based, available 24/7 through any device and most count toward legal and ethical requirements for licensure. Two micro certifications are also available.
- Telehealth Group Therapy — Exciting, highly interactive telehealth learning experience designed to get answers to your questions about legally and ethically managing telehealth group therapy. Digital class will allow you to connect with colleagues ahead of time to ask questions and share answers. Distinguished faculty will lead you through telehealth group therapy theory and exercises.
- Telehealth Clinical Best Practices Workshop — Live, interactive webinar, w/ 4 CME or CE hours to discuss preventing and handling complex clinical issues.
- Course Catalog
- Micro Certifications to give you a broader range of legal and ethical grounding, and allow you to distinguish yourself as a TBHI-credentialed professional on your websites, in social media, directories and other areas.