HIPAA Privacy Rule and Right of Access Procedures

Under the HIPAA Privacy Rule, patients may, upon request, inspect or make copies of the information in their medical and other health records maintained by their health care providers and health plans. This right to inspect and make copies is known as the HIPAA right of access. Covered entities responding to right of access requests must follow certain procedures in doing so.

What Procedures Must Covered Entities Follow Under the HIPAA Privacy Rule?

Under the HIPAA Privacy Rule, covered entities responding to a right of access request for protected health information (PHI) must take reasonable steps to verify the identity of an individual making a request for access.

The Privacy Rule does not mandate any particular form of verification (such as obtaining a copy of a driver’s license). Rather, the type and manner of the verification are left to the covered entity’s discretion and professional judgment.

While verification is required, the verification processes and measures the covered entity uses may not serve to create barriers or unreasonably delay the individual from obtaining access to his or her PHI. Verification may be conducted in several ways, including orally or in writing.

As a practical matter, in many instances, the type of verification may depend on how the individual is requesting and/or receiving access. Individuals request and receive access in a variety of ways, including in person, over the telephone (if the covered entity so permits), via fax, via email, or via web portal. The particular medium used should, to the extent possible, be “verification-ready.”

For example, if the covered entity requires that access requests be made on its own supplied form, the form should be “pre-populated” with questions designed to elicit basic information about the individual that would enable the covered entity to verify that the person requesting access is in fact the subject of the information requested.

For those covered entities providing individuals with access to their PHI through web portals, those portals should already be set up with appropriate authentication controls, as required by the HIPAA Security Rule. Authentication controls ensure that the person seeking access is the individual or the individual’s personal representative.

What Measures Are Unreasonable Barriers to Obtaining Access?

While the Privacy Rule allows covered entities to require that individuals request access in writing and requires verification of the identity of the person requesting access, a covered entity may not impose unreasonable measures on an individual requesting access that serve as barriers to or unreasonably delay the individual from obtaining access. For example, a doctor may not require an individual:

  • Who wants a copy of their medical record mailed to their home address to physically come to the doctor’s office to request access and provide proof of identity in person.
  • To use a web portal for requesting access, as not all individuals will have ready access to the portal.
  • To mail an access request, as this would unreasonably delay the covered entity’s receipt of the request and thus, the individual’s access.

While a covered entity may not require individuals to request access in these manners, a covered entity may permit an individual to do so, and covered entities are encouraged to offer individuals multiple options for requesting access.