What is the HIPAA Medical Records Release Rule?
The Privacy Rule right of access generally requires covered entities to provide individuals, upon request, with access to the protected health information (PHI) about them. The PHI is contained in one or more “designated record sets” maintained by or for the covered entity.
A “designated record set” is defined as a group of records maintained by or for a covered entity that comprises:
- Medical records and billing records about individuals maintained by or for a covered health care provider;
- Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
- Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals.
What is a Record?
The definition of the word “record” in “designated record set” is fairly broad. A “record” includes any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity. Records include (but are not limited to):
- Medical records
- Billing and payment records
- Insurance information
- Clinical laboratory test results
- Medical images (such as X-rays)
- Wellness and disease management program files
- Clinical case notes
Under the HIPAA medical records release rule, covered entities must respond to requests for access in a timely manner. Generally, a covered entity must notify the individual of its decision on access within 30 days of receiving the request.
According to guidance from the Department of Health and Human Services (HHS), the 30 calendar days is an outer limit and covered entities are encouraged to respond as soon as possible. Indeed, as HHS notes, a covered entity may have the capacity to provide individuals with almost instantaneous or very prompt electronic access to the PHI requested through personal health records, web portals, or similar electronic means. Further, individuals may reasonably expect a covered entity to be able to respond in a much faster timeframe when the covered entity is using health information technology in its day-to-day operations.
If a covered entity is unable to provide access within 30 calendar days (for example, where the information is archived offsite and not readily accessible), the covered entity may extend the time by no more than an additional 30 days. To extend the time, the covered entity must, within the initial 30 days, inform the individual in writing of the reasons for the delay and the date by which the covered entity will provide access. Only one extension is permitted per access request.
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors is their opinion and is not intended to malign any organization, company or individuals.