HHS Addresses HIPAA Individual Rights in FAQ Guidance | Practical Law

On its newly redesigned website, the Department of Health and Human Services (HHS) has issued FAQs addressing the individual right of access under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

HHS Addresses HIPAA Individual Rights in FAQ Guidance

Practical Law Legal Update w-001-1733 (Approx. 5 pages)

by Practical Law Employee Benefits & Executive Compensation
Law stated as of 11 Jan 2016 | USA (National/Federal)
On its newly redesigned website, HHS has issued FAQs addressing an individual's right of access under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In general, HIPAA requires covered entities (CEs), which include group health plans, to furnish an individual on request with access to the individual's protected health information (PHI) that is maintained by or for the CE (see Practice Note, HIPAA Privacy and Security: Individual Rights and HIPAA Privacy Rule).
The FAQs address various issues regarding HIPAA's right of access, including:
  • The scope of information covered by the access right.
  • Timelines for providing access.
  • Form and format issues regarding access rights, including technology-based standards for providing individuals access to their PHI electronically.

Scope of Information Covered by HIPAA's Access Right

Several of the FAQs address the scope of PHI that individuals have a right to access from group health plans and other CEs. This PHI generally includes information in designated record sets maintained by the plan or its business associate (BA) (see Standard Document, HIPAA Business Associate Agreement). Designated record set information includes:
  • Plan enrollment, claims, and payment records.
  • Wellness and disease management program information (see Practice Note, Wellness Programs).
  • Other information, in whole or in part, used by the CE to make decisions about individuals.
Psychotherapy notes are expressly excluded from the access right (see Practice Note, HIPAA Privacy Rule: Disclosures for Treatment, Payment, and Health Care Operations).
In responding to an individual's access request, a CE need not create new information (such as explanatory materials or analyses) that does not already exist in the designated record set. Also, the CE need not disclose information that falls outside the designated record set (for example, business planning information or quality assessment and improvement records), because this information is not used to make decisions about particular individuals.
According to HHS, the HIPAA access right extends to PHI maintained by a CE regardless of:
  • When the information was created (PHI that is very old is subject to the access right).
  • Whether the information is maintained onsite, remotely, or archived.
The FAQs also address the limited situations in which a CE may deny an individual's request for access to the individual's PHI, and the process for doing so (see Practice Note, HIPAA Privacy and Security: Individual Rights: Denying Access).
In an FAQ addressing the provision of PHI maintained by BAs, HHS indicates that a CE must, in response to an access request, provide an individual with access to both PHI held by the CE and PHI held by its BAs. According to HHS, the BA agreement will govern whether the BA must either provide:
  • Access to PHI directly to an individual.
  • The PHI to the CE, so that the CE can then furnish it to the individual.
Also, all access requirements applicable to PHI held by the CE (for example, limits on fees that may be charged) apply equally to PHI held by the BA (see Practice Note, HIPAA Privacy and Security: Individual Rights: Providing Access).

Timeframes for Providing Access

CEs generally must act on an individual's request for access no later than 30 days after receiving the request (see Practice Note, HIPAA Privacy and Security: Individual Rights: Providing Access). In HHS's view, this timeline is an outer limit, and in many cases CEs should be able to respond to individual requests for access well before the 30-day outer limit expires (particularly given the availability of modern digital technologies).
The 30-day deadline applies regardless of whether the requested PHI is maintained by the CE or by a BA on the CE's behalf. As a result, the fact that a BA possesses information needed to respond to an access request is not grounds for extending the 30-day response time. If a CE cannot provide all of the information until near the 30-day limit, it may provide the requested information piecemeal, as it becomes available.

Form, Format, and Manner of Access

The HIPAA privacy rules regarding form and format address how PHI is conveyed to an individual (for example, on paper or electronically), while the manner of access generally refers to the time and place of transfer, or the transfer method (for example, mail versus email). Several FAQs address how CEs must respond to an individual's request for an electronic version of PHI. In one FAQ, for example, HHS indicates that although a CE need not purchase a scanner to create electronic copies of PHI, if the CE can readily produce an electronic version of PHI by scanning its paper records then it must do so. A CE also may need to provide PHI in either:
  • The specific format requested by the individual (for example, Microsoft Word, Microsoft Excel, or as a PDF).
  • An alternative readable electronic format.
At a minimum, for requested PHI that is maintained electronically, the CE must provide the PHI in an electronic format. In HHS's view, a CE may need to invest in technology to meet this requirement, and the fees for this technology cannot be charged to individuals.
Also, an individual generally may request that copies of their PHI be transmitted by the method of their choosing, even if that method is insecure, provided the method does not present an unacceptable security risk to the PHI. This could include unencrypted email, in which case the CE must:
  • Provide a brief warning to the individual regarding the risk that the PHI could be read or otherwise accessed by a third party in transit.
  • Confirm that the individual still wants to receive the PHI by unencrypted email.
CEs that comply with an individual's request to receive PHI in an insecure manner, such as by unencrypted email, generally are not responsible for an interception of the PHI in transit, including for purposes of HIPAA's breach notification rules (see Practice Note, HIPAA Breach Notification Rules). However, CEs must use reasonable safeguards in carrying out the transmission (for example, correctly entering the individual's email address).
Also, if an individual has requested that PHI be emailed, a CE may not require the individual to travel to the CE's physical office to pick up the PHI.

Practical Impact

Though subregulatory, these FAQs offer HHS's updated views and interpretations regarding HIPAA's access right, including views updated to reflect the use of modern technologies. Some of the more interesting FAQs involve HHS's attempt to balance the access right against the security risks inherent in common methods of transmitting information today, such as email. For example, in acknowledging an individual's right to receive information at an unencrypted email account, HHS draws a line between the systems used by a CE to transmit PHI (which should not present "unacceptable security risks") and the systems used by an individual to receive the information (which might be less secure).
As an additional safeguard, CEs should note HHS's warning procedure for PHI sent by unencrypted email (that is, a brief warning of security risks and an individual's confirmed acknowledgement of those risks).