45 CFR 164.524 is a section of the HIPAA Privacy Rule that explains the standards regarding patient access to protected health information (PHI).

PHI is any demographic information that can be used to identify a patient. Examples of PHI according to HIPAA regulation includes names, addresses, dates of birth, Social Security numbers, medical records, financial information, and full facial photographs, to name a few.

The HIPAA CFR Privacy Rule gives specific standards for the use and disclosure of PHI and patient access to records in a number of scenarios. For example, there are standards governing the content of an organization’s Notice of Privacy Practices, HIPAA forms, and patient consent forms.

45 CFR 164.524 specifically deals with the HIPAA rules governing individual access to protected health information. Below, we translate the policy from complicated legalese to give you a better understanding of what’s required for your healthcare practice to address this key element of HIPAA compliance and avoid HIPAA violations and breach fines.

Understanding 45 CFR 164.524

There are five main HIPAA standards mandated by 45 CFR 164.524. Healthcare practitioners can implement these standards within their organization to address this single component of HIPAA regulation. Note that these summaries are to clarify the intent of the HIPAA standards and provide easy reference for healthcare professionals looking to better understand their obligations under the law.

  1. Access to Protected Health Information: This standard states that patients have a right to access, inspect, and obtain a copy of their PHI from healthcare providers. The standard outlines several exceptions to the rule, which include access to psychotherapy notes and information compiled for use in a criminal, civil, or legal proceeding. Otherwise, patients do have the right to access their own PHI under this section of the HIPAA rules.
  2. Requests for Access and Timely Action: This standard outlines the process by which patients may request access, which can include submitting a request in writing. Covered entities are required to respond to requests for access to PHI within 30 days of receiving the request. The process is outlined in detail within this standard, and does allow for situations where request to access may be denied.
  3. Provision of Access: This standard details the format, timeline, fees, and provisions that govern how patients may receive access to their data. Specifically, the HIPAA rules say that covered entities may charge a “reasonable, cost-base fee” including only the cost of labor, supplies, postage, and related explanatory materials that must be prepared.
  4. Denial of Access: If it’s determined that access to the PHI will be denied, the covered entity must provide the patient with a written denial that explains the basis for denial, a patient’s rights in regards to their PHI, and a process by which they may file a complaint with the Secretary of Health and Human Services (HHS).
  5. Documentation: This standard states that the covered entity must document and retain information about the records that are subject to patient access and the titles of the individuals within their organization responsible for handling patient access requests.

How to Address 45 CFR 164.524 in your Practice

The full text of the 45 CFR 164.524 should be referenced for organizational policy drafting. Each of the standards is intricately detailed. ALL elements must be fully addressed by healthcare providers to be HIPAA compliant via documented, organization-wide HIPAA policies and procedures.

For a simpler way to take care of your HIPAA policies, choose Compliancy Group.

See How It Works