HIPAA Privacy Regulations: Access to Protected Health Information - § 164.524(a)
As Contained in the HHS HIPAA Privacy Rules
HHS Guidance: Individual's Right to Access Health Information
NOTE: Effective October 6, 2014, the CLIA exception in subsection (a) has been removed. The commentary and discussion on this change is available in the February 6, 2014 Federal Register.
HHS Regulations
(a) Standard: Access to protected health information—(1) Right of access. Except as otherwise provided in paragraph (a)(2) or (a)(3) of this section, an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for:
(i) Psychotherapy notes; and
(ii) Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
(2) Unreviewable grounds for denial. A covered entity may deny an individual access without providing the individual an opportunity for review, in the following circumstances.
(i) The protected health information is excepted from the right of access by paragraph (a)(1) of this section.
(ii) A covered entity that is a correctional institution or a covered health care provider acting under the direction of the correctional institution may deny, in whole or in part, an inmate's request to obtain a copy of protected health information, if obtaining such copy would jeopardize the health, safety, security, custody, or rehabilitation of the individual or of other inmates, or the safety of any officer, employee, or other person at the correctional institution or responsible for the transporting of the inmate.
(iii) An individual's access to protected health information created or obtained by a covered health care provider in the course of research that includes treatment may be temporarily suspended for as long as the research is in progress, provided that the individual has agreed to the denial of access when consenting to participate in the research that includes treatment, and the covered health care provider has informed the individual that the right of access will be reinstated upon completion of the research.
(iv) An individual's access to protected health information that is contained in records that are subject to the Privacy Act, 5 U.S.C. 552a, may be denied, if the denial of access under the Privacy Act would meet the requirements of that law.
(v) An individual's access may be denied if the protected health information was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information.
(3) Reviewable grounds for denial. A covered entity may deny an individual access, provided that the individual is given a right to have such denials reviewed, as required by paragraph (a)(4) of this section, in the following circumstances:
(i) A licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person;
(ii) The protected health information makes reference to another person (unless such other person is a health care provider) and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to such other person; or
(iii) The request for access is made by the individual's personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person.
(4) Review of a denial of access. If access is denied on a ground permitted under paragraph (a)(3) of this section, the individual has the right to have the denial reviewed by a licensed health care professional who is designated by the covered entity to act as a reviewing official and who did not participate in the original decision to deny. The covered entity must provide or deny access in accordance with the determination of the reviewing official under paragraph (d)(4) of this section.
HHS Description: Access to Protected Health Information
In the NPRM, we proposed to establish a right for individuals to access (i.e., inspect and obtain a copy of) protected health information about them maintained by a covered provider or health plan, or its business partners, in a designated record set.
As in the proposed rule, in the final rule we provide that individuals have a right of access to protected health information that is maintained in a designated record set. This right applies to health plans, covered health care providers, and health care clearinghouses that create or receive protected health information other than as a business associate of another covered entity (see § 164.500(b)). In the final rule, however, we modify the definition of designated record set. For a discussion of the significant changes made to the definition of designated record set, see § 164.501 and the corresponding preamble.
Under the revised definition, individuals have a right of access to any protected health information that is used, in whole or in part, to make decisions about individuals. This information includes, for example, information used to make health care decisions or information used to determine whether an insurance claim will be paid. Covered entities often incorporate the same protected health information into a variety of different data systems, not all of which will be utilized to make decisions about individuals. For example, information systems that are used for quality control or peer review analyses may not be used to make decisions about individuals. In that case, the information systems would not fall within the definition of designated record set. We do not require entities to grant an individual access to protected health information maintained in these types of information systems.
Duration of the Right of Access
As in the proposed rule, covered entities must provide access to individuals for as long as the protected health information is maintained in a designated record set.
Exceptions to the Right of Access
In the NPRM, we proposed to establish a right for individuals to access any protected health information maintained in a designated record set. Though we proposed to permit covered entities to deny access in certain situations relating to the particular individual requesting access, we did not specifically exclude any protected health information from the right of access.
In the final rule, we specify three types of information to which individuals do not have a right of access, even if the information is maintained in a designated record set. They are psychotherapy notes, information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding, and certain protected health information maintained by a covered entity that is subject to or exempted from the Clinical Laboratory Improvements Amendments of 1988 (CLIA). Covered entities may, but are not required to, provide access to this information.
First, unlike the proposed rule, we specify that individuals do not have a right of access to psychotherapy notes.
Second, individuals do not have a right of access to information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. In the NPRM, we would have permitted covered entities to deny a request for access to protected health information compiled in reasonable anticipation of, or for use in, a legal proceeding. We change the language in the final rule to clarify that a legal proceeding includes civil, criminal, and administrative actions and proceedings. In the final rule, we clarify that an individual does not have a right to this information by including it in the list of exceptions rather than stating that a covered entity may deny access to this information. Under this exception, the covered entity may deny access to any information that relates specifically to legal preparations but may not deny access to the individual’s underlying health information. We do not intend to require covered entities to provide access to documents protected by attorney work-product privilege nor do we intend to alter rules of discovery.
Third, unlike the proposed rule, individuals do not have a right of access to protected health information held by clinical laboratories if CLIA prohibits such access. CLIA states that clinical laboratories may provide clinical laboratory test records and reports only to “authorized persons,” as defined primarily by state law. The individual who is the subject of the information is not always included in this set of authorized persons. When an individual is not an authorized person, this restriction effectively prohibits the clinical laboratory from providing an individual access to this information. We do not intend to preempt CLIA and, therefore, do not require covered clinical laboratories to provide an individual access to this information if CLIA prohibits them from doing so. We note, however, that individuals have the right of access to this information if it is maintained by a covered health care provider, clearinghouse, or health plan that is not subject to CLIA.
Finally, unlike the proposed rule, individuals do not have access to protected health information held by certain research laboratories that are exempt from the CLIA regulations. The CLIA regulations specifically exempt the components or functions of “research laboratories that test human specimens but do not report patient specific results for the diagnosis, prevention or treatment of any disease or impairment of, or the assessment of the health of individual patients.” 42 CFR 493.3(a)(2). If subject to the access requirements, these laboratories, or the applicable components of them, would be forced to comply with the CLIA regulations once they provided an individual with the access under this privacy rule. Therefore, to alleviate this additional regulatory burden, we have exempted these laboratories, or the relevant components of them, from the access requirements of this regulation.
Grounds for Denial of Access
In the NPRM we proposed to permit covered health care providers and health plans to deny an individual access to inspect and copy protected health information about them for five reasons: 1) a licensed health care professional determined the inspection and copying was reasonably likely to endanger the life or physical safety of the individual or another person; 2) the information was about another person (other than a health care provider) and a licensed health care professional determined the inspection and copying was reasonably likely to cause substantial harm to that other person; 3) the information was obtained under a promise of confidentiality from someone other than a health care provider and the inspection and copying was likely to reveal the source of the information; 4) the information was obtained by a covered provider in the course of a clinical trial, the individual agreed to the denial of access in consenting to participate in the trial, and the trial was in progress; and 5) the information was compiled in reasonable anticipation of, or for use in, a legal proceeding. In the NPRM, covered entities would not have been permitted to use these grounds to deny individuals access to protected health information that was also subject to the Privacy Act.
In the final rule, we retain all of these grounds for denial, with some modifications. One of the proposed grounds for denial (regarding legal proceedings) is retained as an exception to the right of access. (See discussion above.) We also include additional grounds for denial and create a right for individuals to request review of certain denials.
There are five types of denials covered entities may make without providing the individual with a right to have the denial reviewed.
First, a covered entity may deny an individual access to any information that is excepted from the right of access under § 164.524(a)(1). (See discussion above.)
Second, we add a new provision that permits a covered entity that is a correctional institution or covered health care provider acting under the direction of a correctional institution to deny an inmate’s request to obtain a copy of protected health information if obtaining a copy would jeopardize the health, safety, security, custody, or rehabilitation of the individual or other inmates or the safety of any officer, employee or other person at the correctional institution or responsible for the transporting of the inmate. This ground for denial is restricted to an inmate’s request to obtain a copy of protected health information. If an inmate requests inspection of protected health information, the request must be granted unless one of the other grounds for denial applies. The purpose for this exception, and the reason that the exception is limited to denying an inmate a copy and not to denying a right to inspect, is to give correctional institutions the ability to maintain order in these facilities and among inmates without denying an inmate the right to review his or her protected health information.
Third, as in the proposed rule, a covered entity may deny an individual access to protected health information obtained by a covered provider in the course of research that includes treatment of the research participants, while such research is in progress. For this exception to apply, the individual must have agreed to the denial of access in conjunction with the individual’s consent to participate in the research and the covered provider must have informed the individual that the right of access will be reinstated upon completion of the research. If either of these conditions is not met, the individual has the right to inspect and copy the information (subject to the other exceptions we provide here). In all cases, the individual has the right to inspect and copy the information after the research is complete.
As with all the grounds for denial, covered entities are not required to deny access under the research exception. We expect all researchers to maintain a high level of ethical consideration for the welfare of research participants and provide access in appropriate circumstances. For example, if a participant has a severe adverse reaction, disclosure of information during the course of the research may be necessary to give the participant adequate information for proper treatment decisions.
Fourth, we clarify the ability of a covered entity to deny individuals access to protected health information that is also subject to the Privacy Act. In the final rule, we specify that a covered entity may deny an individual access to protected health information that is contained in records that are subject to the Privacy Act if such denial is permitted under the Privacy Act. This ground for denial exists in addition to the other grounds for denial available under this rule. If an individual requests access to protected health information that is also subject to the Privacy Act, a covered entity may deny access to that information for any of the reasons permitted under the Privacy Act and for any of the reasons permitted under this rule.
Fifth, as in the proposed rule, a covered entity may deny an individual access to protected health information if the covered entity obtained the requested information from someone other than a health care provider under a promise of confidentiality and such access would be reasonably likely to reveal the source of the information. This provision is intended to preserve a covered entity’s ability to maintain an implicit or explicit promise of confidentiality. A covered entity may not, however, deny access to protected health information when the information has been obtained from a health care provider. An individual is entitled to have access to all information about him or her generated by the health care system (apart from the other exceptions we provide here). Confidentiality promises to health care providers should not interfere with that access.
As in the proposed rule, a covered entity may deny access to protected health information under certain circumstances in which the access may harm the individual or others. In the final rule, we specify that a covered entity may only deny access for these reasons if the covered entity provides the individual with a right to have the denial reviewed. (See below for a discussion of the right to review.)
There are three types of denials for which covered entities must provide the individual with a right to review. A denial under these provisions requires a determination by a licensed health care professional (such as a physician, physician’s assistant, or nurse) based on an assessment of the particular circumstances and current professional medical standards of harm. Therefore, when the request is made to a health plan or clearinghouse, the covered entity will need to consult with a licensed health care professional before denying access under this provision.
First, as in the proposed rule, covered entities may deny individuals access to protected health information about them if a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person. The most commonly cited example is when an individual exhibits suicidal or homicidal tendencies. If a licensed health care professional determines that an individual exhibits such tendencies and that permitting inspection or copying of some of the individual’s protected health information is reasonably likely to result in the individual committing suicide, murder, or other physical violence, then the health care professional may deny the individual access to that information. Under this reason for denial, covered entities may not deny access on the basis of the sensitivity of the health information or the potential for causing emotional or psychological harm.
Second, as in the proposed rule, covered entities may deny an individual access to protected health information if the information requested makes reference to someone other than the individual (and other than a health care provider) and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause serious harm to that other person. On some occasions when health information about one person is relevant to the care of another, a physician may incorporate it into the latter's record, such as information from group therapy sessions and information about illnesses with a genetic component. This provision permits a covered entity to withhold information in such cases if the release of such information is reasonably likely to cause substantial physical, emotional, or psychological harm.
Third, we add a new provision regarding denial of access requested by personal representatives. Under § 164.502(g), a person that is a personal representative of an individual may exercise the rights of the individual, including the right to inspect and copy protected health information about the individual that is relevant to such person’s representation. The provision permits covered entities to refuse to treat a personal representative as the individual, generally, if the covered entity has a reasonable belief that the individual has been or will be subjected to domestic violence, abuse or neglect by the personal representative, or that treating the personal representative as the individual may endanger the individual and, in its professional judgment, the covered entity decides that it is not in the best interest of the individual to treat such person as the personal representative.
In addition to that provision, we add a new provision at § 164.524(a)(3)(iii) to clarify that a covered entity may deny a request to inspect or copy protected health information if the information is requested by a personal representative of the individual and a licensed health care professional has determined that, in the exercise of professional judgment, such access is reasonably likely to cause substantial harm to the individual who is the subject of the information or to another person. The health care professional need not have a reasonable belief that the personal representative has abused or neglected the individual, and the harm that is likely to result need not be limited to the individual who is the subject of the requested protected health information. Therefore, a covered entity can recognize a person as a personal representative but deny such person access to protected health information as a personal representative.
We do not intend these provisions to create a legal duty for the covered entity to review all of the relevant protected health information before releasing it. Rather, we are preserving the flexibility and judgment of covered entities to deny access under appropriate circumstances. Denials are not mandatory; covered entities may always elect to provide requested health information to the individual. For each request by an individual, the covered entity may provide all of the information requested or evaluate the requested information, consider the circumstances surrounding the individual’s request, and make a determination as to whether that request should be granted or denied, in whole or in part, in accordance with one of the reasons for denial under this rule. We intend to create narrow exceptions to the right of access and we expect covered entities to employ these exceptions rarely, if at all. Covered entities may only deny access for the reasons specifically provided in the rule.
Review of a Denial of Access
In the NPRM, we proposed to require covered entities, when denying an individual’s request for access, to inform the individual of how to make a complaint to the covered entity and the Secretary.
We retain in the final rule the proposed approach (see below). In addition, if the covered entity denies the request on the basis of one of the reviewable grounds for denial described above, the individual has the right to have the denial reviewed by a licensed health care professional who is designated by the covered entity to act as a reviewing official and who did not participate in the original decision to deny access. The covered entity must provide access in accordance with the reviewing official’s determination. (See below for further description of the covered entity’s requirements under § 164.524(d)(4) if the individual requests a review of denial of access.)
HHS Response to Comments Received: Access to Protected Health Information
Comment: Some commenters recommended that there be no access to disease registries.
Response: Most entities that maintain disease registries are not covered entities under this regulation; examples of such non-covered entities are public health agencies and pharmaceutical companies. If, however, a disease registry is maintained by a covered entity and is used to make decisions about individuals, this rule requires the covered entity to provide access to information about a requesting individual unless one of the rule’s conditions for denial of access is met. We found no persuasive reasons why disease registries should be given special treatment compared with other information that may be used to make decisions about an individual.
Comment: Some commenters stated that covered entities should be held accountable for access to information held by business partners so that individuals would not have the burden of tracking down their protected health information from a business partner. Many commenters, including insurers and academic medical centers, recommended that, to reduce burden and duplication, only the provider who created the protected health information should be required to provide individuals access to the information. Commenters also asked that other entities, including business associates, the Medicare program, and pharmacy benefit managers, not be required to provide access, in part because they do not know what information the covered entity already has and they may not have all the information requested. A few commenters also argued that billing companies should not have to provide access because they have a fiduciary responsibility to their physician clients to maintain the confidentiality of records.
Response: A general principle in responding to all of these points is that a covered entity is required to provide access to protected health information in accordance with the rule regardless of whether the covered entity created such information or not. Thus, we agree with the first point: in order to meet its requirements for providing access, a covered entity must not only provide access to such protected health information it holds, but must also provide access to such information in a designated record set of its business associate, pursuant to its business associate contract, unless the information is the same as information maintained directly by the covered entity. We require this because an individual may not be aware of business associate relationships. Requiring an individual to track down protected health information held by a business associate would significantly limit access. In addition, we do not permit a covered entity to limit its duty to provide access by giving protected health information to a business associate.
We disagree with the second point: if the individual directs an access request to a covered entity that has the protected health information requested, the covered entity must provide access (unless it may deny access in accordance with this rule). In order to assure that an individual can exercise his or her access rights, we do not require the individual to make a separate request to each originating provider. The originating provider may no longer be in business or may no longer have the information, or the non-originating provider may have the information in a modified or enhanced form.
We disagree with the third point: other entities must provide access only if they are covered entities or business associates of covered entities, and they must provide access only to protected health information that they maintain (or that their business associates maintain). It would not be efficient to require a covered entity to compare another entity’s information with that of the entity to which the request was addressed. (See the discussion regarding covered entities for information about whether a pharmacy benefit manager is a covered entity.)
We disagree with the fourth point: a billing company will be required by its business associate contract only to provide the requested protected health information to its physician client. This action will not violate any fiduciary responsibility. The physician client would in turn be required by the rule to provide access to the individual.
Comment: Some commenters asked for clarification that the clearinghouse function of turning non-standardized data into standardized data does not create non-duplicative data and that “duplicate” does not mean “identical.” A few commenters suggested that duplicated information in a covered entity’s designated record set be supplied only once per request.
Response: We consider as duplicative information the same information in different formats, media, or presentations, or which have been standardized. Business associates who have materially altered protected health information are obligated to provide individuals access to it. Summary information and reports, including those of lab results, are not the same as the underlying information on which the summaries or reports were based. A clean document is not a duplicate of the same document with notations. If the same information is kept in more than one location, the covered entity has to produce the information only once per request for access.
Comment: A few commenters suggested requiring covered entities to disclose to third parties without exception at the requests of individuals. It was argued that this would facilitate disability determinations when third parties need information to evaluate individuals’ entitlement to benefits. Commenters argued that since covered entities may deny access to individuals under certain circumstances, individuals must have another method of providing third parties with their protected health information.
Response: We allow covered entities to forward protected health information about an individual to a third party, pursuant to the individual’s authorization under § 164.508. We do not require covered entities to disclose information pursuant to such authorizations because the focus of the rule is privacy of protected health information. Requiring disclosures in all circumstances would be counter to this goal. In addition, a requirement of disclosing protected health information to a third party is not a necessary substitute for the right of access to individuals, because we allow denial of access to individuals under rare circumstances. However, if the third party is a personal representative of the individual in accordance with § 164.502(g) and there is no concern regarding abuse or harm to the individual or another person, we require the covered entity to provide access to that third party on the individual’s behalf, subject to specific limitations. We note that a personal representative may obtain access on the individual’s behalf in some cases where a covered entity may deny access to the individual. For example, an inmate may be denied a copy of protected health information, but a personal representative may be able to obtain a copy on the individual’s behalf. See § 164.502(g) and the corresponding preamble discussion regarding the ability of a personal representative to act on an individual’s behalf.
Comment: The majority of commenters supported granting individuals the right to access protected health information for as long as the covered entity maintains the protected health information; commenters argued that to do otherwise would interfere with existing record retention laws. Some commenters advocated for limiting the right to information that is less than one or two years old. A few commenters explained that frequent changes in technology make it more difficult to access stored data. The commenters noted that the information obtained prior to the effective date of the rule should not be required to be accessible.
Response: We agree with the majority of commenters and retain the proposal to require covered entities to provide access for as long as the entity maintains the protected health information. We do not agree that information created prior to the effective date of the rule should not be accessible. The reasons for granting individuals access to information about them do not vary with the date the information was created.
Comment: A few commenters argued that there should be no grounds for denying access, stating that individuals should always have the right to inspect and copy their protected health information.
Response: While we agree that in the vast majority of instances individuals should have access to information about them, we cannot agree that a blanket rule would be appropriate. For example, where a professional familiar with the particular circumstances believes that providing such access is likely to endanger a person’s life or physical safety, or where granting such access would violate the privacy of other individuals, the benefits of allowing access may not outweigh the harm. Similarly, we allow denial of access where disclosure would reveal the source of confidential information because we do not want to interfere with a covered entity’s ability to maintain implicit or explicit promises of confidence.
We create narrow exceptions to the rule of open access, and we expect covered entities to employ these exceptions rarely, if at all. Moreover, we require covered entities to provide access to any protected health information requested after excluding only the information that is subject to a denial. The categories of permissible denials are not mandatory, but are a means of preserving the flexibility and judgment of covered entities under appropriate circumstances.
Comment: Many commenters supported our proposal to allow covered entities to deny an individual access to protected health information if a professional determines either that such access is likely to endanger the life or physical safety of a person or, if the information is about another person, access is reasonably likely to cause substantial harm to such person.
Some commenters requested that the rule also permit covered entities to deny a request if access might be reasonably likely to cause psychological or mental harm, or emotional distress. Other commenters, however, were particularly concerned about access to mental health information, stating that the lack of access creates resentment and distrust in patients.
Response: We disagree with the comments suggesting that we expand the grounds for denial of access to an individual to include a likelihood of psychological or mental harm of the individual. We did not find persuasive evidence that this is a problem sufficient to outweigh the reasons for providing open access. We do allow a denial for access based on a likelihood of substantial psychological or mental harm, but only if the protected health information includes information about another person and the harm may be inflicted on such other person or if the person requesting the access is a personal representative of the individual and the harm may be inflicted on the individual or another person.
We generally agree with the commenters’ concerns that denying access specifically to mental health records could create distrust. To balance this concern with other commenters’ concerns about the potential for psychological harm, however, we exclude psychotherapy notes from the right of access. This is the only distinction we make between mental health information and other types of protected health information in the access provisions of this rule. Unlike other types of protected health information, these notes are not widely disseminated through the health care system. We believe that the individual’s privacy interests in having access to these notes, therefore, are outweighed by the potential harm caused by such access. We encourage covered entities that maintain psychotherapy notes, however, to provide individuals access to these notes when they believe it is appropriate to do so.
Comment: Some commenters believed that there is a potential for abuse of the provision allowing denial of access because of likely harm to self. They questioned whether there is any experience from the Privacy Act of 1974 to suggest that patients who requested and received their records have ever endangered themselves as a result.
Response: We are unaware of such problems from access to records that have been provided under the Privacy Act but, since these are private matters, such problems might not come to our attention. We believe it is more prudent to preserve the flexibility and judgment of health care professionals familiar with the individuals and facts surrounding a request for records than to impose the blanket rule suggested by these commenters.
Comment: Commenters asserted that the NPRM did not adequately protect vulnerable individuals who depend on others to exercise their rights under the rule. They requested that the rule permit a covered entity to deny access when the information is requested by someone other than the subject of the information and, in the opinion of a licensed health care professional, access to the information could harm the individual or another person.
Response: We agree with the commenters that such protection is warranted and add a provision in § 164.524(a)(3), which permits a covered health care provider to deny access if a personal representative of the individual is making the request for access and a licensed health care professional has determined, in the exercise of professional judgment, that providing access to such personal representative could result in substantial harm to the individual or another person. Access can be denied even if the potential harm may be inflicted by someone other than the personal representative.
This provision is designed to strike a balance between the competing interests of ensuring access to protected health information and protecting the individual or others from harm. The “substantial harm” standard will ensure that a covered entity cannot deny access in cases where the harm is de minimis.
The amount of discretion that a covered entity has to deny access to a personal representative is generally greater than the amount of discretion that a covered entity has to deny access to an individual. Under the final rule, a covered entity may deny access to an individual if a licensed health care professional determines that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person. In this case, concerns about psychological or emotional harm would not be sufficient to justify denial of access. We establish a relatively high threshold because we want to assure that individuals have broad access to health information about them, and due to the potential harm that comes from denial of access, we believe denials should be permitted only in limited circumstances.
The final rule grants covered entities greater discretion to deny access to a personal representative than to an individual in order to provide protection to those vulnerable people who depend on others to exercise their rights under the rule and who may be subjected to abuse or neglect. This provision applies to personal representatives of minors as well as other individuals. The same standard for denial of access on the basis of potential harm that applies to personal representatives also applies when an individual is seeking access to his or her protected health information, and the information makes reference to another person. Under these circumstances, a covered entity may deny a request for access if such access is reasonably likely to cause substantial harm to such other person. The standard for this provision and for the provision regarding access by personal representatives is the same because both circumstances involve one person obtaining information about another person, and in both cases the covered entity is balancing the right of access of one person against the right of a second person not to be harmed by the disclosure.
Under any of these grounds for denial of access to protected health information, the covered entity is not required to deny access to a personal representative under these circumstances, but has the discretion to do so.
In addition to denial of access rights, we also address the concerns raised by abusive or potentially abusive situations in the section regarding personal representatives by giving covered entities discretion to not recognize a person as a personal representative of an individual if the covered entity has a reasonable belief that the individual has been subjected to domestic violence, abuse, or neglect by or would be in danger from a person seeking to act as the personal representative. (See § 164.502(g).)
Comment: A number of commenters were concerned that this provision would lead to liability for covered entities if the release of information results in harm to individuals. Commenters requested a “good faith” standard in this provision to relieve covered entities of liability if individuals suffer harm as a result of seeing their protected health information or if the information is found to be erroneous. A few commenters suggested requiring providers (when applicable) to include with any disclosure to a third party a statement that, in the provider’s opinion, the information should not be disclosed to the patient.
Response: We do not intend to create a new duty to withhold information nor to affect other laws on this issue. Some state laws include policies similar to this rule, and we are not aware of liability arising as a result.
Comment: Some commenters suggested that both the individual’s health care professional and a second professional in the relevant field of medicine should review each request. Many commenters suggested that individuals have a right to have an independent review of any denial of access, e.g., review by a health care professional of the individual’s choice.
Response: We agree with the commenters who suggest that denial on grounds of harm to self or others should be determined by a health professional, and retain this requirement in the final rule. We disagree, however, that all denials should be reviewed by a professional of the individual’s choice. We are concerned that the burden such a requirement would place on covered entities would be significantly greater than any benefits to the individual. We believe that any health professional, not just one of the individual’s choice, will exercise appropriate professional judgment. To address some of these concerns, however, we add a provision for the review of denials requiring the exercise of professional judgment. If a covered entity denies access based on harm to self or others, the individual has the right to have the denial reviewed by another health care professional who did not participate in the original decision to deny access.
Comment: A few commenters objected to the proposal to allow covered entities to deny a request for access to health information if the information was obtained from a confidential source that may be revealed upon the individual’s access. They argued that this could be subject to abuse and the information could be inherently less reliable, making the patient’s access to it even more important.
Response: While we acknowledge that information provided by confidential sources could be inaccurate, we are concerned that allowing unfettered access to such information could undermine the trust between a health care provider and patients other than the individual. We retain the proposed policy because we do not want to interfere with a covered entity’s ability to obtain important information that can assist in the provision of health care or to maintain implicit or explicit promises of confidence, which may be necessary to obtain such information. We believe the concerns raised about abuse are mitigated by the fact that the provision does not apply to promises of confidentiality made to a health care provider. We note that a covered entity may provide access to such information.
Comment: Some commenters were concerned that the NPRM did not allow access to information unrelated to treatment, and thus did not permit access to research information.
Response: In the final rule, we eliminate the proposed special provision for “research information unrelated to treatment.” The only restriction on access to research information in this rule applies where the individual agrees in advance to denial of access when consenting to participate in research that includes treatment. In this circumstance, the individual's right of access to protected health information created in the course of the research may be suspended for as long as the research is in progress, but access rights resume after such time. In other instances, we make no distinction between research information and other information in the access provisions in this rule.
Comment: A few commenters supported the proposed provision temporarily denying access to information obtained during a clinical trial if participants agreed to the denial of access when consenting to participate in the trial. Some commenters believed there should be no access to any research information. Other commenters believed denial should occur only if the trial would be compromised. Several recommended conditioning the provision. Some recommended that access expires upon completion of the trial unless there is a health risk. A few commenters suggested that access should be allowed only if it is included in the informed consent and that the informed consent should note that some information may not be released to the individual, particularly research information that has not yet been validated. Other commenters believed that there should be access if the research is not subject to IRB or privacy board review or if the information can be disclosed to third parties.
Response: We agree with the commenters that support temporary denial of access to information from research that includes treatment if the subject has agreed in advance, and with those who suggested that the denial of access expire upon completion of the research, and retain these provisions in the final rule. We disagree with the commenters who advocate for further denial of this information. These comments did not explain why an individual’s interest in access to health information used to make decisions about them is less compelling with respect to research information. Under this rule, all protected health information for research is subject either to privacy board or IRB review unless a specific authorization to use protected health information for research is obtained from the individual. Thus, this is not a criterion we can use to determine access rights.
Comment: A few commenters believed that it would be “extremely disruptive of and dangerous” to patients to have access to records regarding their current care and that state law provides sufficient protection of patients’ rights in this regard.
Response: We do not agree. Information about current care has immediate and direct impact on individuals. Where a health care professional familiar with the circumstances believes that it is reasonably likely that access to records would endanger the life or physical safety of the individual or another person, the regulation allows the professional to withhold access.
Comment: Several commenters requested clarification that a patient not be denied access to protected health information because of failure to pay a bill. A few commenters requested clarification that entities may not deny requests simply because producing the information would be too burdensome.
Response: We agree with these comments, and confirm that neither failure to pay a bill nor burden is a lawful reason to deny access under this rule. Covered entities may deny access only for the reasons provided in the rule.
Comment: Some commenters requested that the final rule not include detailed procedural requirements about how to respond to requests for access. Others made specific recommendations on the procedures for providing access, including requiring written requests, requiring specific requests instead of blanket requests, and limiting the frequency of requests. Commenters generally argued against requiring covered entities to acknowledge requests, except under certain circumstances, because of the potential burden on entities.
Response: We intend to provide sufficient procedural guidelines to ensure that individuals have access to their protected health information, while maintaining the flexibility for covered entities to implement policies and procedures that are appropriate to their needs and capabilities. We believe that a limit on the frequency of requests individuals may make would arbitrarily infringe on the individual’s right of access and have, therefore, not included such a limitation. To limit covered entities’ burden, we do not require covered entities to acknowledge receipt of the individuals’ requests, other than to notify the individual once a decision on the request has been made. We also permit a covered entity to require an individual to make a request for access in writing and to discuss a request with an individual to clarify which information the individual is actually requesting. If individuals agree, covered entities may provide access to a subset of information rather than all protected health information in a designated record set. We believe these changes provide covered entities with greater flexibility without compromising individuals’ access rights.
Comment: Commenters offered varying suggestions for required response time, ranging from 48 hours because of the convenience of electronic records to 60 days because of the potential burden. Others argued against a finite time period, suggesting the response time be based on mutual convenience of covered entities and individuals, reasonableness, and exigencies. Commenters also varied on suggested extension periods, from one 30-day extension to three 30-day extensions to one 90-day extension, with special provisions for off-site records.
Response: We are imposing a time limit because individuals are entitled to know when to expect a response. Timely access to protected health information is important because such information may be necessary for the individual to obtain additional health care services, insurance coverage, or disability benefits, and the covered entity may be the only source for such information. To provide additional flexibility, we eliminate the requirement that access be provided as soon as possible and we lengthen the deadline for access to off-site records. For on-site records, covered entities must act on a request within 30 days of receipt of the request. For off-site records, entities must complete action within 60 days. We also permit covered entities to extend the deadline by up to 30 days if they are unable to complete action on the request within the standard deadline. These time limits are intended to be an outside deadline rather than an expectation. We expect covered entities to be attentive to the circumstances surrounding each request and respond in an appropriate time frame.
Comment: A few commenters suggested that, upon individuals’ requests, covered entities should be required to provide protected health information in a format that would be understandable to a patient, including explanations of codes or abbreviations. The commenters suggested that covered entities be permitted to provide summaries of pertinent information instead of full copies of records; for example, a summary may be more helpful for the patient’s purpose than a series of indecipherable billing codes.
Response: We agree with these commenters’ point that some health information is difficult to interpret. We clarify, therefore, that the covered entity may provide summary information in lieu of the underlying records. A summary may only be provided if the covered entity and the individual agree, in advance, to the summary and to any fees imposed by the covered entity for providing such summary. We similarly permit a covered entity to provide an explanation of the information. If the covered entity charges a fee for providing an explanation, it must obtain the individual’s agreement to the fee in advance.
Comment: Though there were recommendations that fees be limited to the costs of copying, the majority of commenters on this topic requested that covered entities be able to charge a reasonable, cost-based fee. Commenters suggested that calculation of access costs involve factors such as labor costs for verification of requests, labor and software costs for logging of requests, labor costs for retrieval, labor costs for copying, expense costs for copying, capital cost for copying, expense costs for mailing, postal costs for mailing, billing and bad-debt expenses, and labor costs for refiling. Several commenters recommended specific fee structures.
Response: We agree that covered entities should be able to recoup their reasonable costs for copying of protected health information, and include such provision in the regulation. We are not specifying a set fee because copying costs could vary significantly depending on the size of the covered entity and the form of such copy (e.g., paper, electronic, film). Rather, covered entities are permitted to charge a reasonable, cost-based fee for copying (including the costs of supplies and labor), postage, and summary or explanation (if requested and agreed to by the individual) of information supplied. The rule limits the types of costs that may be imposed for providing access to protected health information, but does not preempt applicable state laws regarding specific allowable fees for such costs. The inclusion of a copying fee is not intended to impede the ability of individuals to copy their records.
Comment: Many commenters stated that if a covered entity denies a request for access because the entity does not hold the protected health information requested, the covered entity should provide, if known, the name and address of the entity that holds the information. Some of these commenters additionally noted that the Uniform Insurance Information and Patient Protection Act, adopted by 16 states, already imposes this notification requirement on insurance entities. Some commenters also suggested requiring providers who leave practice or move offices to inform individuals of that fact and of how to obtain their records.
Response: We agree that, when covered entities deny requests for access because they do not hold the protected health information requested, they should inform individuals of the holder of the information, if known; we include this provision in the final rule. We do not require health care providers to notify all patients when they move or leave practice, because the volume of such notifications would be unduly burdensome.