HIPAA: Patient Rights and Access to PHI

Section 1. Patient's Right to Access PHI

Under the privacy rule, the patient has the right to freely access their protected health information that is held in the entity's designated record set. The "designated record set" consists of the records maintained by the covered entity for decision-making, diagnosis, treatment, or billing purposes. For a health plan, this would include enrollment information, claim payment data, and case management information.

A patient may at any time request and review the information a covered entity holds on file, whether to verify its accuracy or to update their own records. Patients should not be restricted from requesting or obtaining their health records, and the patient should be given a clear process and instructions on how to do so.

There are a few cases in which the release of PHI to the patient is restricted, as detailed below:

  • Psychotherapy notes
  • Health information compiled for use in court
  • Laboratory results whose release is prohibited under the Clinical Laboratory Improvement Act (CLIA)
  • Data compiled by some research studies
  • Situations in which the health care provider believes the patient may use the data to harm themselves or another person. In this case, the patient may have the decision reviewed by another licensed medical professional for a second opinion.

Patients should make requests for access to PHI in writing, or complete a form provided by the facility. The facility may charge a reasonable fee to cover the administrative costs of providing the records, such as copying and postage.

Section 2. Amendments to PHI

There are instances where a patient's medical record may be incomplete or contain incorrect information. If the patient wants to dispute information in their record, or petition to have information added, the privacy rule gives them the right to do so.

The covered entity must define a process by which the patient can request an amendment to their personal health information. This may include making the request in writing, filling out a specific form, etc. It is also customary to ask for documentation supporting the requested amendment.

Timely Notification

The covered entity must review the amendment request and its supporting documentation in a timely manner and notify the patient of the determination. Notice of the outcome must be sent to the patient within 60 days, and the outcome will usually be one of the following:

  • Approval of the amendment request, in which case the covered entity is required to update the record. The covered entity should also send the updated information to any health care providers or other individuals involved in the care or oversight of the patient whose care may be affected by the change. The patient should supply the contact information for any such persons.

The covered entity should also identify any business associates to which it has supplied the data that is now being amended and have their records updated, especially if they rely on this information to perform their job functions.

  • Denial of the amendment request must be delivered to the patient in writing, stating the reasons for the denial. The patient must also be informed that they may submit a written statement disagreeing with the denial and giving their reasons.

If the request is denied, the patient may ask that the covered entity include a copy of the amendment request and the subsequent denial with any future disclosures, so that any new health care professional knows the patient disagrees with the contents of the record. The patient may also submit a letter of disagreement with the determination, which becomes part of their patient record. The covered entity may or may not draft a rebuttal to the letter of disagreement.

  • Delay of the determination due to internal processes, requests for additional information, etc. If the determination will extend past the 60-day time frame, the covered entity is allowed a one-time 30-day extension. However, the patient must be notified of this in writing within the original 60-day time frame, and the covered entity must state the reasons for the delay and the time frame in which a determination is expected.

A covered entity is within its rights to deny an amendment request in the following circumstances:

  • The medical record was not created by the covered entity. However, if the patient can show that the originator of the record is unavailable or unable to amend it, the petitioned covered entity may elect to amend the record.
  • The information the amendment refers to does not exist in the patient's file.
  • The information is not open to inspection under the access provisions of the privacy rule.
  • The record in question is accurate and complete as it stands.

In the case of a denial, the covered entity must still include in the patient record the original amendment request, its denial, and the statement of disagreement, if the patient submits one.

Right to Request an Accounting of Disclosures

A great deal of personal information is held by various entities, such as health care providers, employers, and government agencies. A conscientious consumer or patient will want to periodically check their personal records to find out to whom they have been disclosed and for what reason.

The privacy rule allows patients to request an accounting of the parties to whom a covered entity has disclosed their personal health information. Patients were able to request records covering up to six years, but the law has changed to require that only three years of data be provided. The covered entity may also limit the accounting to disclosures made on or after the date the privacy rule was implemented. A covered entity is not required to include disclosures associated with treatment, payment, and health care operations. Most other disclosures must be accounted for, with the exception of:

  • Disclosures to the individual, of his or her own protected health information
  • Disclosures made based on an authorization signed by the patient
  • Disclosures for the facility's internal directory, or other notification purposes
  • Disclosures made for the creation of a limited data set
  • Disclosures that are incidental to one for which there is an authorization on file
  • Disclosures made for the purposes of law enforcement, national security, and health oversight, which may be temporarily exempted from accounting. The applicable agency must furnish the covered entity with a date range for the exemption.
  • Disclosures that were made prior to the HIPAA compliance date (14 April 2003 for large entities, one year later for small ones).

Proposed updates to the privacy rule will also allow the patient to receive an accounting of access to their PHI. This means that each instance of access to the patient record by the covered entity, its business associates, or other parties must be logged and can be requested by the patient. If implemented, this update will be rolled out in 2013.

Requests to Restrict Disclosures

A patient may elect to restrict disclosures of their personal health information to the bare minimum required to diagnose, treat, and receive payment. A patient may petition a covered entity to restrict use and disclosure of PHI to TPO (treatment, payment, and health care operations) situations, or to notifying immediate family in the case of changes in treatment, major illness, or death. The covered entity is not obligated to agree to the restrictions, but if it does, it is required to uphold them, with the exception of required emergency treatment.

Food for Thought

Have you ever needed to access your patient records?
Did you find the process seamless or cumbersome?

Do you think that the accounting of disclosures rule will limit the amount of information a covered entity shares with others?

The privacy rule was drafted with the understanding that patients have a right to access their own health information and should be able to do so freely. Because patient records may not be completely accurate, the rule also allows patients to amend records they find to be in error. This empowers the patient and builds confidence in the accuracy and validity of their health data.