45 CFR § 164.524 establishes regulations that give individuals the right to access, inspect, and obtain copies of their protected health information (PHI) held in designated record sets by covered entities.
Core obligations
Under the HIPAA Privacy Rule, covered entities must:
- Provide individuals access to their protected health information (PHI) in designated record sets
- Respond to requests within specified timeframes
- Supply records in the requested format when feasible
- Implement clear procedures for processing requests
- Train staff on proper handling of access requests
What must be provided?
According to 45 CFR § 164.524(a), covered entities must grant access to all records in the designated record set, including:
- Clinical records
- Billing records
- Insurance information
- Any other records used to make decisions about the patient
Processing timeframes and requirements
To maintain compliance with 45 CFR § 164.524(b)(2):
- Acknowledge and act on requests within 30 days
- If needed, take one 30-day extension with written notice
- For off-site records, respond within 60 days
- Document all requests and responses in your compliance records
Format and delivery considerations
Technical obligations under 45 CFR § 164.524(c)(2) state that covered entities must:
- Provide records in the patient's requested format if readily producible
- Offer an alternative format if the requested format isn't available
- Ensure secure transmission methods for electronic delivery
- Implement processes for direct transmission to third parties when authorized
Fee structure
When establishing a fee policy, consult 45 CFR § 164.524(c)(4), which states:
- Charge only reasonable, cost-based fees
- Include only costs for:
  - Labor for copying (paper or electronic)
  - Supplies for creating copies
  - Postage when applicable
  - Agreed-upon summary preparation
Do not charge for:
- Record search and retrieval
- Maintaining systems
- Data access infrastructure
- Verification procedures
Valid grounds for denial
A covered entity may deny access only under the specific circumstances outlined in 45 CFR § 164.524(a)(2)-(3), including:
- Psychotherapy notes
- Information compiled for legal proceedings
- Certain research participation records
- Records that could endanger life or safety
- References to other individuals
- Records from correctional institutions under specified conditions
Information blocking considerations
Under the 21st Century Cures Act:
- Avoid implementing barriers that prevent access to information
- Ensure EHR systems support necessary access to information
- Document any privacy/security-based restrictions
FAQs
What if a patient requests their records be sent to an app of their choosing?
Under HIPAA and information blocking rules, you must accommodate such requests if you have the technical capability to do so securely.
How should a request for access from minors be handled?
Follow state laws regarding minor consent and parental access.
Can patients be required to pick up records in person?
No. You must send records through mail or electronic means if requested.
How should multiple requests from the same patient be handled?
Each request must be processed independently, even when requests are frequent.