Patient Access: Seven Lessons About Patient Release of Information Requests

With more and more health information being stored and transmitted electronically, the demand for easier access to protected health information (PHI) has grown dramatically of late. At the same time, the need to protect that PHI from compromise and breach has also increased.

A recent MRO white paper explored the latest regulatory initiatives from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), including the HIPAA Audit Program and Guidance on Patient Access, and offered tips for healthcare organizations to stay compliant.

This article provides additional detail regarding the OCR’s Guidance on Patient Access, released in early 2016 to educate patients about their rights and to guide healthcare organizations on providing patients with timely access to PHI.

Here are seven things to remember about patient requests:

1)  Patient requests do not need to contain all the core elements and required statements necessary for authorizations under HIPAA.

Covered entities (CEs) can require that patient requests be made in writing and that patients use their own supplied forms; however, under HIPAA and the OCR FAQs, all a patient needs to provide in their request for access is enough information to verify the patient’s identity, what PHI is being requested, and where that PHI should be sent. Additionally, patients do not need to provide a purpose for their request. While asking a patient for a reason is not prohibited, denying access based on their answer is.

Access policies cannot create barriers or unreasonably delay patients from accessing their PHI.

CEs cannot require patients or their personal representatives to come on-site to the facility to request access to PHI in person, nor can they require patients to submit their requests via a Web portal or through the mail. 

2)  Patients’ personal representatives have the same access rights as patients.

Patients’ personal representatives have all the same rights to accessing PHI as the patients themselves, provided that the personal representative can supply information regarding their authority to act on behalf of the patient. Examples of personal representatives include healthcare powers of attorney and the parents/guardians of minors. Healthcare providers should make sure policies do not hinder personal representative access.

3)  Patients and their personal representatives may designate a third party to receive copies of PHI on their behalf. 

If a patient or personal representative wishes to send copies of requested PHI to a third party, providers must oblige, granted the request is in writing, signed by the patient or personal representative, and clearly identifies the designated recipient and where to send the PHI.

4)  Healthcare organizations need to provide access to designated record sets to patients who request access. 

HIPAA entitles patients to access their “designated record sets,” which consist of a broad array of health information, including medical and billing records, insurance information, clinical laboratory test results, medical imaging, wellness and disease management program files, and clinical case notes.

5)  Providers need to provide copies of PHI in patients’ preferred formats.

Patients are entitled to copies of their PHI in the form and format they request. However, providers are not required to purchase new software or equipment in order to accommodate every possible individual request; rather, healthcare providers must have the capability to distribute some form of electronic PHI (ePHI). Therefore, if the requested format is not feasible, PHI must be provided in a readable format agreed upon by both the provider and the patient. 

Additionally, healthcare providers are not required to take on an unreasonable level of risk to accommodate patient requests for copies of PHI in unsecure formats. If a patient asks for copies of his or her PHI in a format that poses an unacceptable level of risk to the provider’s information technology infrastructure – such as uploading PHI to the patient’s personal USB thumb drive – the healthcare provider is not required to oblige. Instead, the provider must deliver the PHI in another readable electronic format that is agreeable to the patient. Only if the patient does not agree to accept copies of the PHI in the electronic format proposed by the healthcare provider can copies be provided on paper.

However, the OCR has stated that the transmission of PHI via unencrypted email does not pose an unacceptable risk. Thus, if a patient requests access to PHI via unencrypted email, healthcare providers must comply, granted that the provider has warned the patient of the risks associated with unsecure transmission and the patient has accepted those risks.

6)  Access to PHI must be provided within 30 days or less.

Providers must grant patients and personal representative access to PHI without unreasonable delay, usually within 30 days of receipt of request. If a long turnaround is unavoidable, the provider must notify the patient of the delay, explain why the delay has occurred, and provide an expected date of arrival for the patient’s PHI. 

7)  Ensure that accounting of disclosure database is up to date for easy extraction of key data.

Part of the patient’s right of access under HIPAA is to obtain a copy of an accounting of disclosures (AOD) for their PHI. Therefore, healthcare providers should ensure that they maintain accurate AODs for all release of information (ROI) requests. AODs should include the name and address for the person or entity requesting the patient’s PHI, the date of request, what PHI was requested, what PHI was disclosed, and the date of disclosure. Additionally, it is recommended that facilities include information regarding turnaround times and delivery methods in their AODs.

Keeping these matters in mind will ensure that healthcare providers remain HIPAA-compliant, and in line with the OCR’s Guidance on Patient Access.

MRO White Paper

Increasing Enforcement of Protected Health Information Breaches and Patient Access Requires Healthcare Organizations to Scrutinize Process and Risk

Facebook
Twitter
LinkedIn

Michael Rosen, Esq.

Michael Rosen brings more than 20 years of experience in founding and leading service-oriented businesses. He co-founded Background America, Inc., which was acquired by Kroll Inc. He was promoted to president of the Background Screening Division, which employed 1,000 people in seven countries. He is now the co-founder of ProviderTrust, Inc. a national healthcare compliance service that helps facilities stay in compliance. He has received numerous accolades, including the Inc. Magazine 500 Award, Nashville Chamber of Commerce Small Business of the Year award, and the Music City Future 50 Award.

Related Stories

Leave a Reply

Please log in to your account to comment on this article.

Featured Webcasts

2026 IPPS Masterclass 3: Master MS-DRG Shifts and NTAPs

2026 IPPS Masterclass Day 3: MS-DRG Shifts and NTAPs

This third session in our 2026 IPPS Masterclass will feature a review of FY26 changes to the MS-DRG methodology and new technology add-on payments (NTAPs), presented by nationally recognized ICD-10 coding expert Christine Geiger, MA, RHIA, CCS, CRC, with bonus insights and analysis from Dr. James Kennedy.

August 14, 2025
2026 IPPS Masterclass Day 2: Master ICD-10-PCS Changes

2026 IPPS Masterclass Day 2: Master ICD-10-PCS Changes

This second session in our 2026 IPPS Masterclass will feature a review the FY26 changes to ICD-10-PCS codes. This information will be presented by nationally recognized ICD-10 coding expert Christine Geiger, MA, RHIA, CCS, CRC, with bonus insights and analysis from Dr. James Kennedy.

August 13, 2025
2026 IPPS Masterclass 1: Master ICD-10-CM Changes

2026 IPPS Masterclass Day 1: Master ICD-10-CM Changes

This first session in our 2026 IPPS Masterclass will feature an in-depth explanation of FY26 changes to ICD-10-CM codes and guidelines, CCs/MCCs, and revisions to the MCE, presented by presented by nationally recognized ICD-10 coding expert Christine Geiger, MA, RHIA, CCS, CRC, with bonus insights and analysis from Dr. James Kennedy.

August 12, 2025

Trending News

Featured Webcasts

The Two-Midnight Rule: New Challenges, Proven Strategies

The Two-Midnight Rule: New Challenges, Proven Strategies

RACmonitor is proud to welcome back Dr. Ronald Hirsch, one of his most requested webcasts. In this highly anticipated session, Dr. Hirsch will break down the complex Two Midnight Rule Medicare regulations, translating them into clear, actionable guidance. He’ll walk you through the basics of the rule, offer expert interpretation, and apply the rule to real-world clinical scenarios—so you leave with greater clarity, confidence, and the tools to ensure compliance.

June 19, 2025
Open Door Forum Webcast Series

Open Door Forum Webcast Series

Bring your questions and join the conversation during this open forum series, live every Wednesday at 10 a.m. EST from June 11–July 30. Hosted by Chuck Buck, these fast-paced 30-minute sessions connect you directly with top healthcare experts tackling today’s most urgent compliance and policy issues.

June 11, 2025
Open Door Forum: The Changing Face of Addiction: Coding, Compliance & Care

Open Door Forum: The Changing Face of Addiction: Coding, Compliance & Care

Substance abuse is everywhere. It’s a complicated diagnosis with wide-ranging implications well beyond acute care. The face of addiction continues to change so it’s important to remember not just the addict but the spectrum of extended victims and the other social determinants and legal ramifications. Join John K. Hall, MD, JD, MBA, FCLM, FRCPC, for a critical Q&A on navigating substance abuse in 2025.  Register today and be a part of the conversation!

July 16, 2025

Trending News

Happy National Doctor’s Day! Learn how to get a complimentary webcast on ‘Decoding Social Admissions’ as a token of our heartfelt appreciation! Click here to learn more →

CYBER WEEK IS HERE! Don’t miss your chance to get 20% off now until Dec. 2 with code CYBER24