With more and more health information being stored and transmitted electronically, the demand for easier access to protected health information (PHI) has grown dramatically of late. At the same time, the need to protect that PHI from compromise and breach has also increased.
A recent MRO white paper explored the latest regulatory initiatives from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), including the HIPAA Audit Program and Guidance on Patient Access, and offered tips for healthcare organizations to stay compliant.
This article provides additional detail regarding the OCR’s Guidance on Patient Access, released in early 2016 to educate patients about their rights and to guide healthcare organizations on providing patients with timely access to PHI.
Here are seven things to remember about patient requests:
1) Patient requests do not need to contain all the core elements and required statements necessary for authorizations under HIPAA.
Covered entities (CEs) can require that patient requests be made in writing and that patients use their own supplied forms; however, under HIPAA and the OCR FAQs, all a patient needs to provide in their request for access is enough information to verify the patient’s identity, what PHI is being requested, and where that PHI should be sent. Additionally, patients do not need to provide a purpose for their request. While asking a patient for a reason is not prohibited, denying access based on their answer is.
Access policies cannot create barriers or unreasonably delay patients from accessing their PHI.
CEs cannot require patients or their personal representatives to come on-site to the facility to request access to PHI in person, nor can they require patients to submit their requests via a Web portal or through the mail.
2) Patients’ personal representatives have the same access rights as patients.
Patients’ personal representatives have all the same rights to accessing PHI as the patients themselves, provided that the personal representative can supply information regarding their authority to act on behalf of the patient. Examples of personal representatives include healthcare powers of attorney and the parents/guardians of minors. Healthcare providers should make sure policies do not hinder personal representative access.
3) Patients and their personal representatives may designate a third party to receive copies of PHI on their behalf.
If a patient or personal representative wishes to send copies of requested PHI to a third party, providers must oblige, granted the request is in writing, signed by the patient or personal representative, and clearly identifies the designated recipient and where to send the PHI.
4) Healthcare organizations need to provide access to designated record sets to patients who request access.
HIPAA entitles patients to access their “designated record sets,” which consist of a broad array of health information, including medical and billing records, insurance information, clinical laboratory test results, medical imaging, wellness and disease management program files, and clinical case notes.
5) Providers need to provide copies of PHI in patients’ preferred formats.
Patients are entitled to copies of their PHI in the form and format they request. However, providers are not required to purchase new software or equipment in order to accommodate every possible individual request; rather, healthcare providers must have the capability to distribute some form of electronic PHI (ePHI). Therefore, if the requested format is not feasible, PHI must be provided in a readable format agreed upon by both the provider and the patient.
Additionally, healthcare providers are not required to take on an unreasonable level of risk to accommodate patient requests for copies of PHI in unsecure formats. If a patient asks for copies of his or her PHI in a format that poses an unacceptable level of risk to the provider’s information technology infrastructure – such as uploading PHI to the patient’s personal USB thumb drive – the healthcare provider is not required to oblige. Instead, the provider must deliver the PHI in another readable electronic format that is agreeable to the patient. Only if the patient does not agree to accept copies of the PHI in the electronic format proposed by the healthcare provider can copies be provided on paper.
However, the OCR has stated that the transmission of PHI via unencrypted email does not pose an unacceptable risk. Thus, if a patient requests access to PHI via unencrypted email, healthcare providers must comply, granted that the provider has warned the patient of the risks associated with unsecure transmission and the patient has accepted those risks.
6) Access to PHI must be provided within 30 days or less.
Providers must grant patients and personal representative access to PHI without unreasonable delay, usually within 30 days of receipt of request. If a long turnaround is unavoidable, the provider must notify the patient of the delay, explain why the delay has occurred, and provide an expected date of arrival for the patient’s PHI.
7) Ensure that accounting of disclosure database is up to date for easy extraction of key data.
Part of the patient’s right of access under HIPAA is to obtain a copy of an accounting of disclosures (AOD) for their PHI. Therefore, healthcare providers should ensure that they maintain accurate AODs for all release of information (ROI) requests. AODs should include the name and address for the person or entity requesting the patient’s PHI, the date of request, what PHI was requested, what PHI was disclosed, and the date of disclosure. Additionally, it is recommended that facilities include information regarding turnaround times and delivery methods in their AODs.
Keeping these matters in mind will ensure that healthcare providers remain HIPAA-compliant, and in line with the OCR’s Guidance on Patient Access.
MRO White Paper
My Dear Esteemed Colleague… You and I are very much aware of the work being accomplished everyday by a team of dedicated healthcare professionals. We
Custodial or social hospitalizations have been a long-standing issue within acute care hospitals. These patients generally arrive to the Emergency Department (ED) with vague or
Please log in to your account to comment on this article.
Struggling with ICD-10-CM coding for diabetes and complications? This expert-led webcast clarifies complex combination codes, documentation gaps, and sequencing rules to reduce denials and ensure compliance. Dr. Angela Comfort will provide actionable strategies to accurately link diabetes to complications, improve provider documentation, and optimize reimbursement—helping coders, CDI specialists, and HIM leaders minimize audit risks and strengthen revenue integrity. Don’t miss this chance to master diabetes coding with real-world case studies, key takeaways, and live Q&A!
Uncover critical guidance. Kay Piper provides an interactive review on coding guidelines and more in the AHA’s fourth quarter 2025 ICD-10-CM/PCS Coding Clinic in an easy to access on-demand webcast.
Uncover critical guidance. Kay Piper provides an interactive review on coding guidelines and more in the AHA’s third quarter 2025 ICD-10-CM/PCS Coding Clinic in an easy to access on-demand webcast.
Uncover critical guidance. Kay Piper provides an interactive review on coding guidelines and more in the AHA’s second quarter 2025 ICD-10-CM/PCS Coding Clinic in an easy to access on-demand webcast.
Struggling with CMS’s 3-Day Payment Window? Join compliance expert Michael G. Calahan, PA, MBA, CCO, to master billing restrictions for pre-admission and inter-facility services. Learn how to avoid audit risks, optimize revenue cycle workflows, and ensure compliance across departments. Critical for C-suite leaders, providers, coders, revenue cycle teams, and compliance teams—this webcast delivers actionable strategies to protect reimbursements and meet federal regulations.
Providers face increasing Medicare audits when using skin substitute grafts, leaving many unprepared for claim denials and financial liabilities. Join veteran healthcare attorney Andrew B. Wachler, Esq., in this essential webcast and master the Medicare audit process, learn best practices for compliant billing and documentation, and mitigate fraud and abuse risks. With actionable insights and a live Q&A session, you’ll gain the tools to defend your practice and ensure compliance in this rapidly evolving landscape.
Dr. Ronald Hirsch dives into the basics of Medicare for clinicians to be successful as utilization review professionals. He’ll break down what Medicare does and doesn’t pay for, what services it provides and how hospitals get paid for providing those services – including both inpatient and outpatient. Learn how claims are prepared and how much patients must pay for their care. By attending our webcast, you will gain a new understanding of these issues and be better equipped to talk to patients, to their medical staff, and to their administrative team.
Hospitals face growing challenges in measuring observation metrics due to inconsistencies in classification, payer policies, and benchmarking practices. Join Tiffany Ferguson, LMSW, CMAC, ACM, and Anuja Mohla, DO, FACP, MBA, ACPA-C, CHCQM-PHYADV as they provide critical insights into refining observation metrics. This webcast will address key issues affecting observation data integrity and offer strategies for improving consistency in reporting. You will learn how to define meaningful metrics, clarify commonly misinterpreted terms, and apply best practices for benchmarking, and gain actionable strategies to enhance observation data reliability, mitigate financial risk, and drive better decision-making.
Copyright © 2025 ICD10monitor. Powered by MedLearn Media.
Happy National Doctor’s Day! Learn how to get a complimentary webcast on ‘Decoding Social Admissions’ as a token of our heartfelt appreciation! Click here to learn more →
CYBER WEEK IS HERE! Don’t miss your chance to get 20% off now until Dec. 2 with code CYBER24
