The HIPAA Privacy Rule grants patients or their personal representatives the right to receive, inspect and review their health information. Covered entities, to comply with the Privacy Rule, must follow HIPAA medical records release rules, which are explained below.
What is the HIPAA Medical Records Release Rule?
The Privacy Rule right of access generally requires covered entities to provide individuals, upon request, with access to the protected health information (PHI) about them. The PHI is contained in one or more “designated record sets” maintained by or for the covered entity.
A “designated record set” is defined as a group of records maintained by or for a covered entity that comprises:
- Medical records and billing records about individuals maintained by or for a covered health care provider;
- Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
- Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals.
What is a Record?
The definition of the word “record” in “designated record set” is fairly broad. A “record” includes any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity. Records include (but are not limited to):
- Medical records
- Billing and payment records
- Insurance information
- Clinical laboratory test results
- Medical images (such as X-rays)
- Wellness and disease management program files
- Clinical case notes
Under HIPAA medical records release rules, covered entities must respond to requests for access in a timely manner. Generally, under the HIPAA medical records release rule, covered entities must notify individuals of the covered entity’s decision on access, within 30 days of the covered entity’s receipt of the request.
According to guidance from the Department of Health and Human Services (HHS), the 30 calendar days is an outer limit and covered entities are encouraged to respond as soon as possible. Indeed, as HHS notes, a covered entity may have the capacity to provide individuals with almost instantaneous or very prompt electronic access to the PHI requested through personal health records, web portals, or similar electronic means. Further, individuals may reasonably expect a covered entity to be able to respond in a much faster timeframe when the covered entity is using health information technology in its day to day operations.
If a covered entity is unable to provide access within 30 calendar days – for example, where the information is archived offsite and not readily accessible — the covered entity may extend the time by no more than an additional 30 days. To extend the time, the covered entity must, within the initial 30 days, inform the individual in writing of the reasons for the delay and the date by which the covered entity will provide access. Only one extension is permitted per access request.