The HIPAA Privacy Rule generally provides individuals with a right, upon request, to see and receive copies of the information in their medical and other health records that is maintained by covered entities (i.e., health care providers and health plans). This right is known as the HIPAA right of access. The HIPAA right of access rules provide for circumstances under which the right of access can be denied.

To What Information is an Individual Entitled Under the HIPAA Right of Access?

The HIPAA Privacy Rule right of access generally requires covered entities to provide individuals, upon request, with access to the protected health information (PHI) about them. The PHI is contained in one or more “designated record sets” maintained by or for the covered entity. Records to which individuals may receive access under the HIPAA right of access include:

• Medical records and billing records about individuals maintained by or for a covered health care provider; 
• Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
• Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. 

Examples of specific records to which individuals may receive access, under the HIPAA right of access rule, include:

• Treatment records
• Insurance information
• Clinical laboratory test results
• Medical images (such as X-rays)
• Wellness and disease management program files
• Clinical case notes

What are Grounds for Denial of Access?

Under certain limited circumstances, a covered entity may, under the HIPAA right of access rule, deny an individual’s request for access to all or a portion of the PHI requested. 

 In some of these circumstances, an individual has a right to have the denial reviewed by a licensed healthcare professional designated by the covered entity who did not participate in the original decision to deny. In other circumstances, however, the right to renewal is unreviewable. 

Unreviewable grounds for denial of a request to access PHI under the HIPAA right of access rule include:

• The request is for psychotherapy notes.
• The request is for information compiled in reasonable anticipation of litigation.
  • Note that the request must be for information compiled in “reasonable anticipation” of litigation, not mere “anticipation of litigation.” Providers cannot deny requests for PHI simply because there is a possibility of a lawsuit involving PHI. “Reasonable anticipation” of litigation arises when a covered entity is on notice of a credible probability that it will become involved in litigation, seriously contemplates initiating litigation, or when it takes specific actions to commence litigation.
• The request is for information compiled for or for use in a legal proceeding.
• An inmate requests a copy of her PHI held by a covered entity that is a correctional institution, or health care provider acting under the direction of the institution, and providing the copy would:
  • Jeopardize the health, safety, security, custody, or rehabilitation of the inmate or other inmates, or the safety of correctional officers, employees, or other persons at the institution, or responsible for the transporting of the inmate. 
  • Note, however, that in the above instances, the inmate still retains the right to inspect his or her PHI. The inmate is not entitled to exercise the other portion of the right of access – that is, the right to, upon request, receive copies of the PHI. 
• The requested PHI is in a designated record set that is part of a research study that includes treatment (e.g., clinical trial) and is still in progress
  • For access to be denied, the individual must have agreed to the temporary suspension of access when consenting to participate in the research.  The individual’s right of access is reinstated upon completion of the research.
• The requested PHI is in federal Privacy Act-protected-records (i.e., certain records under the control of a federal agency, which may be maintained by a federal agency or a contractor to a federal agency), and denial of access is consistent with the requirements of the Act.
• The requested PHI was obtained by someone other than a healthcare provider (e.g., a family member of the individual) under a promise of confidentiality, and providing access to the information would be reasonably likely to reveal the source of the information.   

Several grounds for denial are reviewable under the HIPAA right of access rules.  Under these grounds, a covered entity may deny an individual access, provided that the individual is given a right to have such denials reviewed. These grounds include:  

• The access requested is reasonably likely to endanger the life or physical safety of the individual or another person.  
  • This ground for denial does not extend to concerns about psychological or emotional harm (e.g., concerns that the individual will not be able to understand the information or may be upset by it).
• The access requested is reasonably likely to cause substantial harm to a person (other than a healthcare provider) referenced in the PHI.
• The provision of access to a personal representative of the individual that requests such access is reasonably likely to cause substantial harm to the individual or another person.

Under the HIPAA right of access rules, the review of the denial of right of access must be conducted by the designated health care professional in the exercise of his or her professional judgment. 

Compliancy Group Simplifies HIPAA Compliance

Compliancy Group was founded to help simplify the HIPAA compliance challenge. We give health care organizations everything they need to address the full extent of the HIPAA regulations.

Our ongoing support and web-based compliance app, The Guard™, gives healthcare organizations the tools to address the law so they can get back to confidently running their business.

Find out how Compliancy Group has helped thousands of organizations like yours Achieve, Illustrate, and MaintainTM their HIPAA compliance!