OCR Guidance: Denying Requests

Denying Requests

Under certain limited circumstances, providers may deny a request for health information. In this section, you’ll learn about those circumstances as well as how individuals can challenge a denial. Don’t forget to take the quiz when you’re done reading!

Ready to Test Your Knowledge? Take the Quiz!

Grounds for Denial

“Under certain limited circumstances, a covered entity may deny an individual’s request for access to all or a portion of the PHI requested. In some of these circumstances, an individual has a right to have the denial reviewed by a licensed health care professional designated by the covered entity who did not participate in the original decision to deny.”¹

1. HHS: Health Information Privacy Division. (2016, February). 
Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524.”

Unreviewable Grounds for Denial

45 CFR 164.524(a)(2).

“The request is for psychotherapy notes, or information compiled in reasonable anticipation of, or for use in, a legal proceeding.”

“An inmate requests a copy of her PHI held by a covered entity that is a correctional institution, or health care provider acting under the direction of the institution, and providing the copy would jeopardize the health, safety, security, custody, or rehabilitation of the inmate or other inmates, or the safety of correctional officers, employees, or other person at the institution or responsible for the transporting of the inmate.  However, in these cases, an inmate retains the right to inspect her PHI.”

“The requested PHI is in a designated record set that is part of a research study that includes treatment (e.g., clinical trial) and is still in progress, provided the individual agreed to the temporary suspension of access when consenting to participate in the research.  The individual’s right of access is reinstated upon completion of the research.”

“The requested PHI is in Privacy Act protected records (i.e., certain records under the control of a federal agency, which may be maintained by a federal agency or a contractor to a federal agency), if the denial of access is consistent with the requirements of the Act.”

“The requested PHI was obtained by someone other than a health care provider (e.g., a family member of the individual) under a promise of confidentiality, and providing access to the information would be reasonably likely to reveal the source of the information.”

Reviewable Grounds for Denial

45 CFR 164.524(a)(3). A licensed health care professional has determined in the exercise of professional judgment that:

“The access requested is reasonably likely to endanger the life or physical safety of the individual or another person. This ground for denial does not extend to concerns about psychological or emotional harm (e.g., concerns that the individual will not be able to understand the information or may be upset by it).”

“The access requested is reasonably likely to cause substantial harm to a person (other than a health care provider) referenced in the PHI.”

“The provision of access to a personal representative of the individual that requests such access is reasonably likely to cause substantial harm to the individual or another person.”

Reasons for Request

Reasons for Request

“Note that a covered entity may not require an individual to provide a reason for requesting access, and the individual’s rationale for requesting access, if voluntarily offered or known by the covered entity or business associate, is not a permitted reason to deny access. In addition, a covered entity may not deny access because a business associate of the covered entity, rather than the covered entity itself, maintains the PHI requested by the individual (e.g., the PHI is maintained by the covered entity’s electronic health record vendor or is maintained by a records storage company offsite).”

Carrying out the Denial

“If the covered entity denies access, in whole or in part, to PHI requested by the individual, the covered entity must provide a denial in writing to the individual no later than within 30 calendar days of the request (or no later than within 60 calendar days if the covered entity notified the individual of an extension). See 45 CFR 164.524(b)(2). The denial must be in plain language and describe the basis for denial; if applicable, the individual’s right to have the decision reviewed and how to request such a review; and how the individual may submit a complaint to the covered entity or the HHS Office for Civil Rights. See 45 CFR 164.524(d).

If the covered entity (or one of its business associates) does not maintain the PHI requested, but knows where the information is maintained, the covered entity must inform the individual where to direct the request for access. See 45 CFR 164.524(d)(3).

The covered entity must, to the extent possible and within the above timeframes, provide the individual with access to any other PHI requested, after excluding the PHI to which the entity has a ground to deny access. See 45 CFR 164.524(d)(1). Complexity in segregating the PHI does not excuse the obligation to provide access to the PHI to which the ground for denial does not apply.”

Review of Denial

“If the denial was based on a reviewable ground for denial and the individual requests review, the covered entity must promptly refer the request to the designated reviewing official. The reviewing official must determine, within a reasonable period of time, whether to reaffirm or reverse the denial.  The covered entity must then promptly provide written notice to the individual of the determination of the reviewing official, as well as take other action as necessary to carry out the determination. See 45 CFR 164.524(d)(4).”

Want More Details?

OCR answers a frequently asked question:

  • Circumstances for Denial

    Under what circumstances may a covered entity deny an individual’s request for access to the individual’s PHI?

    A covered entity may deny an individual access to all or a portion of the PHI requested in only very limited circumstances.  For example, a covered entity may deny an individual access if the information requested is not part of a designated record set maintained by the covered entity (or by a business associate for a covered entity), or the information is excepted from the right of access because it is psychotherapy notes or information compiled in reasonable anticipation of, or for use in, a legal proceeding (but the individual retains the right to access the underlying PHI from the designated record set(s) about the individual used to generate this information).

    Harm

    “Another limited ground for denial exists if a licensed health care professional determines in the exercise of professional judgment that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person.  For example, a covered entity may deny a suicidal patient access to information that a provider determines in his professional judgment is reasonably likely to lead the patient to take her own life. However, we stress that this ground is narrowly construed in order to protect individuals’ autonomy interests and their right under the Privacy Rule to obtain information about themselves, which is fundamental in facilitating individuals’ active participation in their own health care. General concerns about psychological or emotional harm are not sufficient to deny an individual access (e.g., concerns that the individual will not be able to understand the information or may be upset by it).  In addition, the requested access must be reasonably likely to cause harm or endanger physical life or safety. Thus, concerns based on the mere possibility of harm are not sufficient to deny access. As a result, we expect this ground for denial to apply in extremely rare circumstances.  Further, an individual who is denied access based on these grounds has a right to have the denial reviewed by a licensed health care professional designated by the covered entity as a reviewing official who did not participate in the original decision to deny access.”

    Reasons for Requests

    “For a complete list of the grounds and conditions for denial of access, see 45 CFR 164.524(a)(2)-(4).  Note that an individual may not be required to provide a reason for requesting access, and the individual’s rationale for requesting access, if voluntarily offered or known by the covered entity or business associate, is not a permitted reason to deny access.”

    Timeliness

    “If a covered entity denies access, in whole or in part, to PHI requested by the individual based on one or more permitted grounds, the covered entity must provide a denial in writing to the individual no later than 30 calendar days after the request (or no more than 60 calendar days if the covered entity notified the individual of an extension). See 45 CFR 164.524(b)(2).  The denial must be in plain language and describe the basis for denial; if applicable, the individual’s right to have the decision reviewed and how to request such a review; and how the individual may submit a complaint to the covered entity or the HHS Office for Civil Rights. See 45 CFR 164.524(d).

    Fulfilling the Rest of the Request

    “The covered entity must, to the extent possible, provide the individual with access to any other PHI requested, after excluding the PHI to which the entity has a ground to deny access. See 45 CFR 164.524(d)(1).

Ready to Test Your Knowledge? Take the Quiz!
Start Over: General Right

Patient Stories

Back To Top