PHI Requests, Denials, and Appeals
Know HIPAA rights when patients request protected health information.
Earlier this year, the U.S. Department of Health & Human Services (HHS) clarified certain patient rights under HIPAA regarding access to protected health information (PHI) in its January 2016 release of Individuals’ Right under HIPAA to Access their Health Information, 45 CFR § 164.524. Generally, an individual (patient) has a right to access his or her own medical records under HIPAA; however, this right is not absolute. The new HHS guidance provides important distinctions regarding the timeliness of responses to requests for PHI, the narrow grounds for denying such requests, and various other aspects of HIPAA.
Rules and Timeliness for Requests
Although HIPAA does not require that a request for access to medical records be made in writing, HHS clarified that a covered entity (i.e., a health plan or provider) may require patients to submit a request in writing, as long as the patient has notice of this requirement. The covered entity must provide access to the requested PHI (unless access was denied) “no later than 30 calendar days from receiving the individual’s request,” according to 45 CFR § 164.524(b)(2) (2014); the 30-day period begins upon receipt of the request. HHS encourages a covered entity to respond as soon as possible, and stated that the 30-day window is simply an outer limit.
The timeline depends on the information being requested. If the PHI is readily used in the daily operations of the covered entity, the patient should expect this information quickly; if the PHI is older or stored off-site, it may take more time. The patient has a right to PHI regardless of how long ago the provider created it.
The covered entity has the right under HIPAA to extend this timeline by an additional 30 days, but only if the covered entity provides the patient, in writing, with the rationale behind the delay. HHS points out in the January guidance, however, that a covered entity “may not require an individual to provide a reason for requesting access, and the individual’s rationale for requesting access, if voluntarily offered or known by the covered entity, is not a permitted reason to deny access.”
What Medical Record Information Can Be Disclosed?
Now that the covered entity has received the request, the question becomes: “Should this information be disclosed to the patient?”
A patient has a right to access PHI in his or her medical record that is contained in a Designated Record Set (DRS). A DRS is a group of records maintained by or for a covered entity, comprising:
- Medical records and billing records about individuals maintained by or for a covered healthcare provider;
- Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
- Other records that are used, in whole or in part, by or for the covered entity to make decisions about patients.
Although a patient has a right under HIPAA to have the DRS disclosed to him or her, this does not mean all information kept by the covered entity must be disclosed.
Patients have a right to access a vast range of information, including: billing and payment records; insurance information; clinical laboratory test results; medical images (X-rays); wellness and disease management program files; and clinical case notes, among other information used to make decisions about them. The covered entity is not, however, required to create new information that does not already exist in the DRS.
Information excluded from the DRS is that which is not used by the covered entity to make decisions about the patient. For example, quality assessments and improvement records are generally used to make business decisions rather than patient decisions. Other information that is not disclosed to patients may include peer review data, physician performance calculations, and quality control records used to improve customer service.
When Can Medical Record Requests Be Denied?
Under HIPAA, there are situations in which a covered entity has the right to deny a patient access to PHI following a request for access. In all cases, the entity may deny access if the information is not kept in the DRS for that patient. One example of a special circumstance for denying PHI access is when the release of the information (as determined by a healthcare professional) could endanger the life or physical safety of the patient or another person.
Denied PHI Access that Can Be Reviewed or Appealed
There are narrow circumstances in which a covered entity may deny the request for access to a portion of a patient’s PHI. Among these circumstances, a patient has “a right to have the denial reviewed by a licensed healthcare professional designated by the covered entity who did not participate in the original decision to deny.” These special circumstances are defined under HIPAA as “reviewable” grounds for denial.
HHS clarified that general concerns about psychological or emotional harm (i.e., that the patient would be upset by the information) are “not sufficient to deny an individual access.” The mere possibility of harm is not sufficient; instead, the licensed professional needs to determine whether the harm is “reasonably likely.” HHS expects this ground for denial will be used in a very small number of cases.
According to 45 CFR § 164.524(a)(3), the other reviewable grounds occur when a licensed healthcare professional uses professional judgment to determine “access requested is reasonably likely to cause substantial harm to a person (other than a health care provider) referenced in the PHI; or the provision of access to a personal representative of the individual that requests such access is reasonably likely to cause substantial harm to the individual or another person.”
Example: If the entity believes the release of the information would lead a patient to commit suicide or harm another person, the entity has grounds to deny the request and the patient has the right to have this denial reviewed. HHS says this exception is “narrowly construed” to protect the patient’s independence and their right under HIPAA “to obtain information about themselves, which is fundamental in facilitating individuals’ active participation in their own health care.” The reviewable grounds contain a reasonableness standard, and the patient is allowed to appeal the denial in these special circumstances.
Denied PHI Access that Cannot Be Reviewed or Appealed
There also are circumstances in which the individual has no right to have the PHI access denial reviewed. The “unreviewable” grounds for denial under HIPAA include a request for “psychotherapy notes, or information compiled in reasonable anticipation of, or for use in, a legal proceeding,” according to 45 CFR § 164.524(a)(2) (2014). Another example of unreviewable grounds is when an inmate requests PHI kept by a covered entity that is a correctional institution (or a healthcare provider acting under the direction of the institution), and providing that information would “jeopardize the health, safety, security, custody, or rehabilitation of the inmate or other inmates, or the safety of correctional officers, employees, or other person at the institution or responsible for the transporting of the inmate.”
HIPAA also allows a covered entity to deny, without review, any request for PHI that:
- Is contained in a research study that includes treatment;
- Is PHI protected (i.e., under the control of a federal agency); or
- Is PHI under the control of someone other than the covered entity, and providing it is “reasonably likely to reveal the source of the information.”
In other words, a patient does not have the right to access psychotherapy notes of a provider that are kept separate from the patient’s medical and billing records. More specifically for psychotherapy notes, “individuals do not have a right to access the psychotherapy notes that a mental health professional maintains separately from the individual’s medical record and that document or analyze the contents of a session with the individual,” according to the January 2016 HHS guidance.
Denial Process Under Reviewable Grounds
If a denial occurs, it must be provided to the patient in writing. If the patient requests a review, the covered entity “must promptly refer the request to the [independent] designated reviewing official,” according to HHS’s January 2016 guidance. This “reviewing official” is allowed a reasonable period of time in which to either reaffirm or reverse the denial. From there, the covered entity must notify the individual of the decision.
Other HHS Guidance and Factors
The January 2016 guidance, Individuals’ Right under HIPAA to Access their Health Information, 45 CFR § 164.524, also addresses other factors affecting providers, healthcare entities, and payers who receive requests for patient PHI.
Business Associates: A patient has the right under HIPAA to access their own PHI, and the right extends to PHI held by a business associate of a covered entity. HHS also stressed the business associate agreement will govern the issue of how the information is disclosed and how quickly a response to a request is made, provided the agreement complies with HIPAA.
Payment for Healthcare Services: Although a covered entity or business associate may charge the individual a “reasonable, cost-based fee” for a copy of medical records, the provider may not withhold or deny a patient access to their PHI simply because the patient has not paid the bill for healthcare services provided to the patient.
Clinical Laboratory Tests: Under HIPAA, a clinical lab test report becomes part of the lab’s DRS for that patient. HHS explains that this only applies to “completed” clinical lab test reports; however, other test information may become part of the DRS, even though the report is not completed. Examples for this type of information are test orders, ordering provider information, billing information, and insurance information.
HHS made clear that the clinical lab is under no obligation to interpret any test result for a patient. The patient’s right under HIPAA is to “merely inspect or receive a copy of the completed test reports.” But a clinical lab may provide materials along with the requested PHI that helps to educate or explain the test results, as well as provide a disclaimer about the limitations of the laboratory data or diagnosis.
EHR Incentive Program Guidelines: There are situations where a covered entity has incentives to provide a patient with timely access to PHI. For example, there are requirements under the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs where a covered entity may receive incentive-based payments from Medicare or Medicaid for successfully demonstrating meaningful use of certified EHR technology, “which includes providing patients the ability to view online, download, and transmit their health information.” HHS notes that these requirements are more precise than the HIPAA requirements.
Be Cautious When Disclosing PHI to Patients
Covered entities and business associates should be cautious when complying with a request for medical records by a patient. First, the provider must determine what information needs to be included in the DRS. Second, the provider must determine if the information requested by the patient is contained within the DRS. If so, the provider should disclose this information to the patient or representative. If the information is not contained in the DRS, the provider can deny the request for PHI under HIPAA; and depending on the information requested, that denial may (or may not) be eligible for review.
Robert A. Pelaia, Esq., CPC, CPCO, is deputy general counsel at the University of South Florida in Tampa, Fla. He is certified as a Health Care Law Specialist by the Florida Bar Board of Legal Specialization and Education, serves on AAPC’s Legal Advisory Board, and was a 2011-2013 AAPC National Advisory Board member. Pelaia is a member of the Tampa, Fla., local chapter.
Drew Krieger, Esq., MBA, is a recent law school graduate with experience in healthcare law. He previously worked for a small, transactional healthcare law firm. Krieger resides in Jacksonville, Fla.