The HIPAA Privacy Rule generally provides individuals with a right, upon request, to see and receive copies of the information in their medical and other health records that is maintained by covered entities (i.e., their health care providers and health plans). This right is known as the HIPAA right of access. The HIPAA right of access rules specify how long a covered entity has to reply to an individual seeking the information.
The Privacy Rule right of access generally requires covered entities to provide individuals, upon request, with access to the protected health information (PHI) about them. The PHI is contained in one or more “designated record sets” maintained by or for the covered entity.
A “designated record set,” under the HIPAA right of access rule, is defined as a group of records maintained by or for a covered entity that comprises:
The definition of the word “record” in “designated record set” is fairly broad. A “record” includes any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity. Records include (but are not limited to):
Under the HIPAA right of access rules, covered entities must respond to requests for access in a timely manner. Generally, covered entities must notify individuals of the covered entity’s decision on access within 30 days of the covered entity’s receipt of the request.
While the HIPAA right of access rule establishes 30 days as an outside limit, it does not preclude covered entities from responding sooner.
For example, a covered entity may have the capacity, through the use of electronic systems, to provide automated access to an individual’s PHI or respond to requests with immediate access, 24 hours a day. Not all electronic systems, however, allow for the provision of immediate access. A covered entity’s time frame normally depends, at least in part, on its system capacity.
As a practical matter, individuals might expect, when making a request of a technologically sophisticated covered entity, that their requests could be responded to instantaneously or well before the current required time frame. This might be the case, for example, when access is provided through a direct view or portal into a health care provider’s EHR.