HIPAA’s right of access allows individuals to take control of their health data even when it comes to research data. If their data is part of a designated record set, participants have the right to view and obtain it, though there are exceptions, such as during ongoing trials where access may be temporarily restricted.
The impact of HIPAA’s right of access on research data
HIPAA allows patients to inspect and obtain copies of the protected health information (PHI) held by covered entities or their business associates. The data accessible to patients includes information forming part of something called a designated record set. This designated record set includes any group of records used to make decisions about individuals like medical or billing records.
HHS guidance provides, “...it may be unlikely that a researcher would be maintaining a designated record set, any research records or results that are maintained by the covered entity as part of a designated record set would be accessible to research participants unless one of the Privacy Rule’s permitted exceptions applies.” When it comes to research data, the right of access only applies if the record data falls under this record set.
One of these permitted exceptions exists in cases like clinical trials, if a participant agrees, their right of access can be suspended while the trial is ongoing. Once the trials end, the right of access can be restored and participants once more can access their health information.
Who can access research data?
Research data can be accessed by the following individuals:
- Research participants can access their data if it’s part of a designated record set.
- Covered entities may access and maintain research data.
- Business associates of covered entities can access research data for administrative purposes.
- Researchers may access data if they are involved in the study and it is part of the designated record set.
- Health plan administrators can access research data when it’s relevant to claims or medical management.
- Legal representatives of research participants may access their data under HIPAA rules.
The criteria for patients to access their research data
- The research data is part of a designated record set.
- The patient must request access to the data.
- The data must be maintained by a covered entity or business associate.
- The data should be used to make decisions about the patient’s health or care.
- No ongoing clinical trial restrictions should apply (if access was temporarily suspended, it must be reinstated after the trial).
- The patient’s identity must be verified to ensure the request is legitimate.
- The patient may need to consent to secure communication methods like email.
How to securely share research data
Verify the patient's identity
- Make sure that the request is coming from a patient or an authorized representative.
- This can be done by verifying identification through means like personal information only the patient would know or by requesting identification.
Confirm the data type
- Verify the research data requested falls under the designated record set.
- If it includes medical or billing information held by a covered entity it can be shared with the patients but information subject to exceptions cannot.
Use secure communication channels
- Email is a convenient method, but it must be secured to safeguard PHI.
- Use a HIPAA compliant email service like Paubox’s Email Suite that offers a secure and convenient solution to compliance.
FAQs
What are patient's rights under HIPAA?
Patients can also request corrections and control how their information is shared.
What is an IRB?
An institutional review board is a committee that reviews and approves research involving human subjects.
When can a healthcare organization reject a patient's request for access to their health records?
A healthcare organization can reject a request if the information is part of an ongoing clinical trial, poses a risk to the individuals or others, or falls under specific exceptions like psychotherapy notes.
Kirsten Peremore
