“While the Privacy Rule allows covered entities to require that individuals request access in writing and requires verification of the identity of the person requesting access, a covered entity may not impose unreasonable measures on an individual requesting access that serve as barriers to or unreasonably delay the individual from obtaining access.”
“For example, a doctor may not require an individual:
- Who wants a copy of her medical record mailed to her home address to physically come to the doctor’s office to request access and provide proof of identity in person.
- To use a web portal for requesting access, as not all individuals will have ready access to the portal.
- To mail an access request, as this would unreasonably delay the covered entity’s receipt of the request and thus, the individual’s access.
While a covered entity may not require individuals to request access in these manners, a covered entity may permit an individual to do so, and covered entities are encouraged to offer individuals multiple options for requesting access.”
May a covered entity accept standing requests from individuals to access their PHI or to have their PHI sent to a third party of their choice?
Yes, and covered entities should have processes in place that enable individuals to receive access to their PHI, including to direct a copy of their PHI to a third party of their choice, on a standing, regular basis, without requiring individuals to repeat their requests for access every time a copy of their PHI is to be sent or otherwise made accessible. Further, covered entities should take advantage of technology and tools that automate such regular access.