OCR Guidance: General Right

What personal health information do individuals have a right under HIPAA to access from their health care providers and health plans? 

With limited exceptions, the HIPAA Privacy Rule gives individuals the right to access, upon request, the medical and health information (protected health information or PHI) about them in one or more designated record sets maintained by or for the individuals’ health care providers and health plans (HIPAA covered entities).  See 45 CFR 164.524.

Does an individual’s right under HIPAA to access their health information apply only to the information a health care provider maintains about the individual in an Electronic Health Record (EHR), or paper medical record?

No.  An individual has a broad right under the HIPAA Privacy Rule to access the PHI about the individual in all designated record sets maintained by or for a covered entity, whether in electronic or paper form, not just the designated record set that comprises the “medical record.”  See 45 CFR 164.524(a).  (However, if the same PHI is maintained in more than one designated record set, a covered entity need only produce the information once in response to a request for access.)  A designated record set also includes billing and payment records, claims and insurance information, as well as other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals.  See the definition of “designated record set” at 45 CFR 164.501.

Does the individual have a right to access PHI about themselves maintained by a covered entity that is very old or is archived?

Yes. An individual has a right to access PHI about themselves in a medical record or other designated record set maintained by a covered entity, regardless of the date the information was created or whether the information is maintained onsite, remotely, or is archived. There are only very limited grounds under which a covered entity may deny an individual access to PHI about herself in a designated record set, which do not include the age or location of the information. See 45 CFR 164.524(a)(2) – (a)(3).

Does an individual have a right to access all of the information a covered entity maintains in the individual’s medical record?

Yes. Except in very limited circumstances, an individual has a right to access all PHI about the individual that a covered entity (or its business associate) maintains in one or more designated record sets.  A designated record set is defined to include the medical record about the individual.  Thus, an individual generally has a right to access all of the information about the individual that a covered entity maintains in the individual’s medical record, including information the individual provided to the covered entity herself, as well as PHI about the individual contributed to the record by other health care providers or covered entities.  See 45 CFR 164.524(a)(2) – (a)(3) for the limited grounds upon which a covered entity may deny an individual access to PHI in a designated record set.

Does an individual have a right under HIPAA to access PHI about the individual maintained by a business associate of a covered entity?

Yes.  An individual’s right under the HIPAA Privacy Rule to access PHI about themselves extends to PHI in a designated record set maintained by a business associate on behalf of a covered entity.  Thus, if an individual submits a request for access to PHI, the covered entity is responsible for providing the individual with access not only to the PHI it holds but also to the PHI held by one or more of its business associates.  However, if the same PHI that is the subject of an access request is maintained in both the designated record set of the covered entity and the designated record set of the business associate, the PHI need only be produced once in response to the request for access.  See 45 CFR 164.524(c)(1).

With respect to PHI in a designated record set maintained by a business associate, the business associate agreement between the covered entity and the business associate will govern whether the business associate will provide access directly to the individual or will provide the PHI that is the subject of the individual’s access request to the covered entity for the covered entity to then provide access to the individual.  However, regardless of how and to what extent a business associate supports or fulfills a covered entity’s obligation to provide access to an individual, a request for access still must be acted upon within 30 calendar days (or 60 calendar days if an extension is applicable) of receipt of the request by either the covered entity, or by a business associate if the request was made directly to the business associate because the covered entity instructed individuals through its notice of privacy practices (or otherwise) to submit access requests directly to the business associate.  Further, all of the access requirements that apply with respect to PHI held by the covered entity (e.g., limitations on fees that may be charged) apply with respect to PHI held by the business associate.

Does an individual have a right under HIPAA to access from a clinical laboratory the genomic information the laboratory has generated about the individual?

Yes.  An individual has a right under the HIPAA Privacy Rule to access, upon request, PHI about the individual in a designated record set maintained by or for a clinical laboratory that is a covered entity.  The designated record set includes not only the laboratory test reports but also the underlying information generated as part of the test, as well as other information concerning tests a laboratory runs on an individual.  For example, a clinical laboratory that is a HIPAA covered entity and that conducts next generation sequencing (NGS) of DNA on an individual must provide the individual, upon the individual’s request for PHI concerning the NGS, with a copy of the completed test report, the full gene variant information generated by the test, as well as any other information in the designated record set concerning the test.

Does an individual have a right under HIPAA to access more than just test results from a clinical laboratory? 

Yes. Under the HIPAA Privacy Rule, an individual has a general right to access, upon request, PHI about the individual in a designated record set maintained by or for a clinical laboratory that is a covered entity.  A test result or test report is only part of the designated record set a clinical laboratory may hold.  To the extent an individual requests access to all of her information held by the laboratory, the laboratory is required to provide access to all of the PHI about the individual in its designated record set.  This could include, for example, completed test reports and the underlying data used to generate the reports, test orders, ordering provider information, billing information, and insurance information.

Is a health care provider permitted to deny an individual’s request for access because the individual has not paid for health care services provided to the individual?

No.  A covered entity may charge an individual that has requested a copy of her PHI a reasonable, cost-based fee for the copy.  See 45 CFR 164.524(c)(4).  However, a covered entity may not withhold or deny an individual access to her PHI on the grounds that the individual has not paid the bill for health care services the covered entity provided to the individual.

If an individual’s physician orders a test from a clinical laboratory that may take multiple steps or a series of tests to complete, at what point does the test report become part of the laboratory’s designated record set to which an individual has a right of access?

For purposes of the HIPAA Privacy Rule, clinical laboratory test reports become part of the laboratory’s designated record set when they are “complete,” which means that all results associated with an ordered test are finalized and ready for release.

Is a clinical laboratory required to provide an individual with access to a test report that is not yet complete?

No.  For purposes of the HIPAA Privacy Rule, clinical laboratory test reports become part of the laboratory’s designated record set when they are “complete,” which means that all results associated with an ordered test are finalized and ready for release.  However, other information concerning the test may be part of the designated record set and thus, accessible to the individual, even if the test report has not yet been completed, such as test orders, ordering provider information, billing information, and insurance information.

If an individual requests access from a clinical laboratory to a test report on the individual, is the laboratory required to interpret the test results for the individual?

No.  There is no requirement in the HIPAA Privacy Rule that clinical laboratories interpret test results for patients.  An individual has a right under the HIPAA Privacy Rule merely to inspect or receive a copy (or direct the copy to a designated third party), upon request, of the completed test reports (as well as other information in the designated record set) maintained by a laboratory that is a covered entity.  Laboratories may continue to refer patients with questions about the test results back to their ordering or treating providers.  However, while not required, a laboratory providing a test report to an individual that has requested access to the report may also provide educational or explanatory materials regarding the test results to individuals if it chooses to do so.  Similarly, a laboratory that wishes to include a disclaimer, caveat, or other statement explaining the limitations of the laboratory data for diagnosis or treatment or other purposes may do so.