“Generally, HIPAA requires covered entities to give parents timely access to their minor children’s medical records, when the parent is the child’s personal representative. OCR’s Right of Access Initiative supports patients’ and personal representatives’ fundamental right to their health information and underscores the importance of all covered entities’ compliance with this essential right,” said Acting OCR Director Robinsue Frohboese.
To read the full resolution agreement, please click here.
What is the HIPAA Right of Access?
The HIPAA right of access standard requires healthcare organizations to meet a patient’s request to receive a copy of their medical records. These records must be provided to the patient, or their personal representative, within thirty days of the request (or within 60 days if an extension is applicable). Records must also be provided in the format the patient requests them in when it is reasonably appropriate to do so, and places limitations on the cost that can be charged for providing the records.
Under this standard, healthcare organizations must provide patients with access to all protected health information contained in their “designated record set.” There are two categories of information, however, that are expressly excluded from the right of access:
- Psychotherapy notes of a mental healthcare provider documenting or analyzing the contents of a counseling session. These notes are maintained separate from the rest of the patient’s medical record.
- Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.