Providing Access

When it comes time to provide patients or caregivers with access to their health information, you’ll need to negotiate how that happens, including the form and format of the data. Read up on how best to navigate this process below, and make sure you don’t miss the quiz.

Ready to Test Your Knowledge? Take the Quiz!

Form and Format and Manner of Access

“The Privacy Rule requires a covered entity to provide the individual with access to the PHI in the form and format requested, if readily producible in that form and format, or if not, in a readable hard copy form or other form and format as agreed to by the covered entity and individual.  See 45 CFR 164.524(c)(2)(i). If the individual requests electronic access to PHI that the covered entity maintains electronically, the covered entity must provide the individual with access to the information in the requested electronic form and format, if it is readily producible in that form and format, or if not, in an agreed upon alternative, readable electronic format. See 45 CFR 164.524(c)(2)(ii). The terms “form and format” refer to how the PHI is conveyed to the individual (e.g., on paper or electronically, type of file, etc.)”¹

¹ HHS, Health Information Privacy Division (February 2016).

Three Common Scenarios

How to fulfill requests in three situations that come up often:

Request for Paper Copies

“Where an individual requests a paper copy of PHI maintained by the covered entity either electronically or on paper, it is expected that the covered entity will be able to provide the individual with the paper copy requested.”

Request for Electronic Copies of PHI Maintained on Paper

“Where an individual requests an electronic copy of PHI that a covered entity maintains only on paper, the covered entity is required to provide the individual with an electronic copy if it is readily producible electronically (e.g., the covered entity can readily scan the paper record into an electronic format) and in the electronic format requested if readily producible in that format, or if not, in a readable alternative electronic format or hard copy format as agreed to by the covered entity and the individual.”

Request for Electronic Copies of PHI Maintained Electronically

“Where an individual requests an electronic copy of PHI that a covered entity maintains electronically, the covered entity must provide the individual with access to the information in the requested electronic form and format, if it is readily producible in that form and format. When the PHI is not readily producible in the electronic form and format requested, then the covered entity must provide access to an agreed upon alternative readable electronic format. See 45 CFR 164.524(c)(2)(ii). This means that, while a covered entity is not required to purchase new software or equipment in order to accommodate every possible individual request, the covered entity must have the capability to provide some form of electronic copy of PHI maintained electronically. It is only if the individual declines to accept any of the electronic formats readily producible by the covered entity that the covered entity may satisfy the request for access by providing the individual with a readable hard copy of the PHI.”

Summary or Explanation

“The covered entity also may provide the individual with a summary of the PHI requested, in lieu of providing access to the PHI, or may provide an explanation of the PHI to which access has been provided in addition to that PHI, so long as the individual in advance: (1) chooses to receive the summary or explanation (including in the electronic or paper form being offered by the covered entity); and (2) agrees to any fees (as explained below in the Section describing permissible Fees for Copies) that may be charged by the covered entity for the summary or explanation. See 45 CFR 164.524(c)(2)(iii).”

Mode of Transmission

“A covered entity also must provide access in the manner requested by the individual, which includes arranging with the individual for a convenient time and place to pick up a copy of the PHI or to inspect the PHI (if that is the manner of access requested by the individual), or to have a copy of the PHI mailed or e-mailed, or otherwise transferred or transmitted to the individual to the extent the copy would be readily producible in such a manner.”

Security Risk

Security Rule Risk Analysis

“Whether a particular mode of transmission or transfer is readily producible will be based on the capabilities of the covered entity and the level of security risk that the mode of transmission or transfer may introduce to the PHI on the covered entity’s systems (as opposed to security risks to the PHI once it has left the systems). A covered entity is not expected to tolerate unacceptable levels of risk to the security of the PHI on its systems in responding to requests for access; whether the individual’s requested mode of transfer or transmission presents such an unacceptable level of risk will depend on the covered entity’s Security Rule risk analysis. See 45 CFR 164.524(c)(2) and (3) and 164.308(a)(1).”

Email and Mail

“However, mail and e-mail are generally considered readily producible by all covered entities. It is expected that all covered entities have the capability to transmit PHI by mail or e-mail (except in the limited case where e-mail cannot accommodate the file size of requested images), and transmitting PHI in such a manner does not present unacceptable security risks to the systems of covered entities, even though there may be security risks to the PHI while in transit (such as where an individual has requested to receive her PHI by, and accepted the risks associated with, unencrypted e-mail). Thus, a covered entity may not require that an individual travel to the covered entity’s physical location to pick up a copy of her PHI if the individual requests that the copy be mailed or e-mailed.”

Want More Details?

OCR answers some frequently asked questions:

  • Right to Electronic Copies

    Under the HIPAA Privacy Rule, do individuals have the right to an electronic copy of their PHI?

    Yes, in most cases. If the PHI is maintained by a covered entity electronically, an individual has a right to receive an electronic copy of the information upon request (assuming the covered entity does not have a ground for denial under 45 CFR 164.524(a)(2) or (a)(3)).  The covered entity must provide the individual with access to the PHI in the electronic form and format requested by the individual, if it is readily producible in that form and format, or if not, in a readable alternative electronic format as agreed to by the individual and covered entity. See 45 CFR 164.524(c)(2)(ii). Where an individual requests access to PHI that is maintained electronically by a covered entity, the covered entity may provide the individual with a paper copy of the PHI to satisfy the request only in cases where the individual declines to accept any of the electronic formats readily producible by the covered entity.

    If the individual requests an electronic copy of PHI that the covered entity maintains only on paper, the covered entity must provide the individual with the electronic copy if the copy is readily producible electronically (e.g., the covered entity can readily scan the paper record into an electronic format) and in the electronic format requested if readily producible in that format, or if not, in a readable alternative electronic format as agreed to by the covered entity and individual. If the copy is not readily producible in electronic form, or the individual declines to accept the electronic format(s) readily producible by the covered entity, then a readable hard copy of the PHI may be provided to satisfy the access request. See 45 CFR 164.524(c)(2)(i).

  • Scanning Paper Records

    If an individual requests an electronic copy of the individual’s PHI that the covered entity maintains only on paper, is the covered entity required to scan the paper records to create an electronic copy of the PHI for the individual?

    While a covered entity is not required to purchase a scanner to create electronic copies, if a covered entity can readily produce an electronic copy of the PHI for the individual by scanning the records, it must do so. In particular, if an individual requests an electronic copy of PHI in a specific format, and a covered entity maintains that PHI only on paper, the covered entity must provide the individual with the electronic copy, in the format requested, if the copy is readily producible electronically and readily producible in the electronic format requested.  If the copy is readily producible electronically but not in the specific format requested, the covered entity may offer the individual the copy in an alternative readable electronic format.  If the copy is not readily producible in electronic form, or the individual declines to accept the electronic format(s) that are readily producible by the covered entity, then the covered entity may provide the individual with a readable hard copy of the PHI to satisfy the access request. See § 164.524(c)(2)(i). For example, a covered entity that maintains the requested PHI only on paper may be able to readily produce a scanned PDF version of the PHI but not the requested Word version. In this case, the covered entity may provide the individual with the PDF version if the individual agrees to accept the PDF version.  If the individual declines to accept the PDF version, or if the covered entity is not able to readily produce a PDF or other electronic version of the PHI, the covered entity may provide the individual with a hard copy, such as a photocopy, of the PHI.

  • Electronic Formats

    When an individual exercises her HIPAA right to get an electronic copy of her PHI, can the individual choose the electronic format of the copy?

    While individuals do not have an unlimited choice in the form of electronic copy requested, and covered entities are not required to purchase new software or other equipment in order to accommodate every possible individual request, the individual does have a right to receive the copy in the form and format requested by the individual if the copy is readily producible in that form and format. For example, an individual may request that an electronic copy of her PHI be provided to her in Microsoft (MS) Word; MS Excel; Portable Document Format (PDF); or as structured, machine readable data (e.g., a document following the Consolidated Clinical Document Architecture (CCDA) standard using LOINC (to represent lab tests) and RxNorm (to represent medications)); or other electronic format; and the covered entity must provide the copy in the requested format if readily producible in that format. Further, if the PHI that is the subject of the request is maintained electronically by a covered entity, the entity is required to have the capability to provide some form of electronic copy (see 78 FR 5633), and this means that some covered entities may need to make some investments (which cannot be charged to individuals) in order to meet this baseline requirement. If an individual requests a form of electronic copy that the covered entity is unable to produce, the covered entity must offer other electronic formats that are available on its systems. If the individual declines to accept any of the electronic formats that are readily producible by the covered entity, only then may the covered entity provide a hard copy to fulfill the access request.

    Thus, individuals who request electronic access to PHI maintained electronically can be diverted to receiving a paper copy only in circumstances where all of the covered entity’s existing capabilities for readily producing electronic copies have been presented to the individual but the individual has determined that those formats are not acceptable to her.

    When an individual requests access to PHI in a particular form or format, the question for the covered entity is whether or not the entity is able to readily produce the copy in that format – which is a matter of capability, not “willingness.” Thus, if a covered entity has the capability to readily produce the requested format, it is not permissible for the covered entity to deny the individual access to that format because the entity would prefer that the individual receive a different format, or utilize other customary record access processes of the entity.

  • HIPAA Right of Access vs. View, Download, and Transmit Functionality

    What is the intersection of the HIPAA right of access and the HITECH Act’s Medicare and Medicaid Electronic Health Record Incentive Program’s “View, Download, and Transmit” provisions?

    Under the HIPAA Privacy Rule, an individual has the right to access PHI maintained about the individual by a covered entity in a designated record set. This may contain electronic or non-electronic PHI. See 45 CFR 164.524(a)(1).  Under the HITECH Act’s Electronic Health Record (EHR) Incentive Program, eligible professionals, eligible hospitals, and critical access hospitals (CAHs) may receive incentive payments under Medicare and Medicaid and avoid payment reductions under Medicare for successfully demonstrating meaningful use of Certified EHR Technology, which includes providing patients the ability to view online, download, and transmit their health information.  It is important to note that in some respects the EHR Incentive Program contains more exacting standards than the baseline requirements of the HIPAA Privacy Rule, while the HIPAA Privacy Rule contains more comprehensive requirements than the EHR Incentive Program (e.g., the HIPAA Privacy Rule access right applies to electronic and paper records, while the EHR Incentive Program applies to certain electronic records).

    Below are some key distinctions between the HIPAA right of access and the individual access opportunities that may be offered through the EHR Incentive Program:

    * See the EHR Incentive Program Final Rule at 80 FR 62812
    ** See 80 FR 62602

    Although the EHR Incentive Program and the HIPAA Privacy Rule are distinct, it is possible for a provider or hospital to leverage its Certified EHR Technology to fulfill its HIPAA Privacy Rule obligations with respect to individual access in circumstances where the individual either: (1) requests access to PHI that is held in the Certified EHR Technology; or (2) requests access to his PHI, the covered entity professional or hospital informs the individual that the PHI requested is available through the Certified EHR Technology, and the individual agrees to access the requested PHI through the Certified EHR Technology.

    In scenario 1, the individual is aware of the EHR Incentive Program and specifically requests access to her PHI via the functionality of the Certified EHR Technology.  For example, in exercising her right of access under the HIPAA Privacy Rule, an individual could request a copy of her information that constitutes the CCDS through the provider’s Certified EHR Technology portal or that it be sent from the Certified EHR Technology to the individual’s Direct address (an electronic address for securely exchanging health information using the Direct technical standard).  If the provider is using Certified EHR Technology, the HIPAA Privacy Rule requires the provider to grant this request from the individual because the form and format requested is “readily producible” using the provider’s Certified EHR Technology.  At the same time, the provider should be able to count this access by the individual for purposes of meeting its EHR Incentive Program objectives, as long as the access was provided within the timeframes required by the EHR Incentive Program.  Because the Privacy Rule provides up to 30 days to act on an access request, meeting the more prompt deadlines of the EHR Incentive Program clearly complies with the Privacy Rule’s deadlines.

    In scenario 2, the individual has requested a copy of certain of his PHI, and the provider recognizes that the PHI requested by the individual would be easily available through the Certified EHR Technology.  The individual asks for the information in PDF format; the provider instead offers to set up an account for the individual so that the individual can access this information directly through the portal in the Certified EHR Technology.  If the individual agrees to the portal access, the provider will be able to satisfy the individual’s HIPAA access request using the Certified EHR Technology portal, while at the same time being able to count the access for purposes of meeting EHR Incentive Program objectives (as long as the access was provided within the timeframes required by the EHR Incentive Program).  If the individual declines the offer and instead maintains his request to receive a copy of his PHI in PDF format, the HIPAA Privacy Rule requires the provider to provide the individual with a copy in PDF format, if the PHI is readily producible in that format or, if not, in an alternative electronic format that is agreeable to the patient.  Further, the individual at all times retains the right to access his PHI in a designated record set that is not part of or available through the Certified EHR Technology.

  • Technical Standards of PHI

    Does an individual have a right under HIPAA to access his PHI in a particular technical standard?

    In some circumstances, an individual may request access to an electronic copy of his PHI in a particular technical standard, for example, a copy of the individual’s medication data represented in RxNorm or a lab test represented in LOINC. An individual may request PHI in a particular standard in order to use that information in other software the individual is using. If the covered entity is able to readily produce the PHI in the requested standard format, the covered entity must do so (unless the entity has a ground for denial as specified in the Privacy Rule at 45 CFR 164.524(a)). (We note that individuals, in exercising their rights of access under the Privacy Rule, are not required to state their purpose for requesting access, regardless of whether or not a particular form or format for the request is specified, and an individual’s rationale for requesting access is not a reason to deny access.)

  • X-rays and Diagnostic Images

    Do individuals have a right under HIPAA to get copies of their x-rays or other diagnostic images, and if so, in what format?

    Yes. An individual has a right to receive PHI about the individual maintained by a covered entity in a designated record set, such as a medical record. See 45 CFR 164.524(a)(1). This includes x-rays or other images in the record. As with other PHI in a designated record set, the individual has a right to access the information in the form and format she requests, as long as the covered entity can readily produce it in that form and format. See 45 CFR 164.524(c). The large file size of some x-rays or other images may impact the mechanism for access (e.g., the format agreed upon by the individual and the covered entity must accommodate the file size).

  • Unsecure Modes of Transmission

    Do individuals have the right under HIPAA to have copies of their PHI transferred or transmitted to them in the manner they request, even if the requested mode of transfer or transmission is unsecure?

    Yes, as long as the PHI is “readily producible” in the manner requested, based on the capabilities of the covered entity and transmission or transfer in such a manner would not present an unacceptable level of security risk to the PHI on the covered entity’s systems, such as risks that may be presented by connecting an outside system, application, or device directly to a covered entity’s systems (as opposed to security risks to PHI once it has left the systems).

  • Responsibility During Unsecure Transmission

    Is a covered entity responsible if it complies with an individual’s access request to receive PHI in an unsecure manner (e.g., unencrypted e-mail) and the information is intercepted while in transit?

    No. While covered entities are responsible for adopting reasonable safeguards in implementing the individual’s request (e.g., correctly entering the e-mail address), covered entities are not responsible for a disclosure of PHI while in transmission to the individual based on the individual’s access request to receive the PHI in an unsecure manner (assuming the individual was warned of and accepted the risks associated with the unsecure transmission). This includes breach notification obligations and liability for disclosures that occur in transit. Further, covered entities are not responsible for safeguarding the information once delivered to the individual. Covered entities are responsible for breach notification for unsecured transmissions and may be liable for impermissible disclosures of PHI that occur in all contexts except when fulfilling an individual’s right of access under 45 CFR 164.524 to receive his or her PHI or direct the PHI to a third party in an unsecure manner.

  • Downloading on Portable Media

    Do individuals have a right under HIPAA to have their PHI downloaded on portable media that they provide?

    Whether PHI is “readily producible” for purposes of providing access will depend on the extent to which the requested method of copying, transfer, or transmission is within the capabilities of the covered entity and would not present an unacceptable level of risk to the security of the PHI on the covered entity’s systems, based on the covered entity’s Security Rule risk analysis.

    With respect to portable media supplied by an individual, covered entities are required by the Security Rule to perform a risk analysis related to the potential use of external portable media and are not required to accept the external media if they determine there is an unacceptable level of risk to the PHI on their systems. However, covered entities are not then permitted to require individuals to purchase a portable media device from the covered entity if the individual does not wish to do so.  The individual may in such cases opt to receive an alternative form of the electronic copy of the PHI, such as through email.

  • Direct Connections with Apps

    Do individuals have a right under HIPAA to have a covered entity establish a direct connection between the covered entity’s system and the individual’s app or device in order to provide the individuals with access to their PHI?

    Whether PHI is “readily producible” for purposes of providing access will depend on the extent to which establishing the connection is within the capabilities of the covered entity and would not present an unacceptable level of risk to the security of the PHI on a covered entity’s systems, based on the covered entity’s Security Rule risk analysis.

    A covered entity may determine that it has the capability to establish the type of connection requested in a manner consistent with the applicable security measures implemented in accordance with its security management process.  In that case, the covered entity must provide access in the manner requested by the individual.  Further, we note that starting in 2018, under Stage 3 of the EHR Incentive Program, eligible professionals, eligible hospitals, and critical access hospitals (CAHs) using Certified EHR Technology must enable application programming interface (API) functionality that would allow patients to use the application of their choice to access their data. In addition, we note that many provider systems are already using API functionality to provide patients with access to their data today in a secure manner.  We expect that covered entities will assess and address any security considerations associated with connecting their systems with individual applications or devices, including through Certified EHR Technology (where applicable), as part of their HIPAA security management process.

  • PHI in Human Readable Form

    Does an individual have a right under HIPAA to access their health information in human readable form?

    Yes. In general, a covered entity must provide an individual with access to PHI about the individual in a designated record set in the form and format requested by the individual, if it is readily producible in such form and format. In cases where the PHI is not readily producible in the requested form and format, the covered entity must provide the PHI in a readable alternative form and format as agreed to by the covered entity and the individual.  See 45 CFR 164.524(c)(2).  Thus, individuals have a right under HIPAA to access PHI about themselves in human readable form.  In cases where a covered entity is providing an individual with an electronic copy of PHI, we also expect the covered entity to provide the copy in machine readable form (i.e., in a form able to be processed by a computer), to the extent possible and where consistent with the individual’s request.
