HIPAA and Patients’ Right to Access Information

Q. What personal health information do individuals have a right under HIPAA to access from their physicians, health care providers, and health plans? 

A. With limited exceptions, the HIPAA Privacy Rule gives individuals the right to access, upon request, a broad array of protected health information (PHI) about themselves from physicians and other covered entities, and from business associates who maintain records on the covered entity’s behalf. According to new guidance that the U.S. Department of Health and Human Services Office for Civil Rights (OCR) has released regarding individuals’ right to access their health information under HIPAA, this includes:

  • Medical records,
  • Billing and payment records, 
  • Claims and insurance information, 
  • Health plan enrollment records, 
  • Clinical laboratory test reports, 
  • X-rays, 
  • Wellness and disease management program information, 
  • Notes (such as clinical case notes or SOAP notes), and 
  • Other information generated from treating the individual or paying for his or her care, or otherwise used to make decisions about the individual.  

Individuals have a right to this information even if it is archived or stored off site or remotely.

Note that as a physician responding to a patient’s request for access to PHI, you are not required to create new information, such as explanatory materials or analyses, that does not already exist in the records requested. Further, you have to provide access only to the PHI the patient requested.

In addition, patients do not have a right to access (although you may choose to share this information with them) the following:

  • The psychotherapy notes that a mental health professional maintains separately from the patient’s medical record and that document or analyze the contents of a counseling session with the patient, and
  • Information about the patient compiled in anticipation of, or for use in, a legal proceeding (but the patient retains the right to access his or her underlying PHI used to generate the litigation information).  

Read the OCR guidance in full for clarification and FAQs about the HIPAA patient access rule. Also, see TMA’s HIPAA Resource Center for tools and information to help you comply with HIPAA Privacy and Security rules.

Published Jan. 27, 2016


Last Updated On November 08, 2016
