By Jonathan D. Karelitz and Craig B. Simonsen

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, contains extensive rules designed to limit access by non-health plan entities to certain individually identifiable health information (collectively referred to as the “Privacy Rule”).

The Privacy Rule contains a number of exceptions for when protected health information (PHI) may be accessed. One such exception is when an individual seeks to access his or her own PHI.

Recently the U.S. Department of Health & Human Services (HHS) has issued a fact sheet in the form of a topical Frequently Asked Questions (FAQs) to further clarify individuals’ rights to access and obtain a copy of their PHI.

According to Jocelyn Samuels, Director, Office for Civil Rights (OCR), recent studies and HHS enforcement data have shown that “far too often individuals face obstacles to accessing their health information, even from entities required to comply with the Privacy Rule.” As an “important step” so that individuals may more readily take advantage of their HIPAA right of access, the HHS released this fact sheet.

The FAQs address the scope of information covered by HIPAA’s access right, the limited exceptions to this right, the form and format in which information should be provided to individuals, the requirement to provide access to individuals in a timely manner, and the intersection of HIPAA’s right of access with the requirements for patient access under the Health Information Technology for Economic and Clinical Health (HITECH) Act’s Electronic Health Record Incentive Program.

As noted above, under the Privacy Rule, HIPAA covered entities (health plans and most health care providers) are required to provide individuals, upon request, with access to the PHI about them in one or more “designated record sets” maintained by or for the covered entity.  Individuals have the right to inspect or obtain a copy, or both, of PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice.

A covered entity may require individuals to request access in writing. Covered entities also may offer individuals the option of using electronic means to make requests for access. In addition, the Privacy Rule requires a covered entity to take “reasonable steps” to verify the identity of an individual making a request for access.

For employers that have health plan administration responsibilities, the take-away from this new fact sheet is clear: Be certain to have all of the appropriate policies and procedures in place to provide covered employees with access to their own PHI.