Patient Access to their PHI – Model Form Available

Under the HIPAA Privacy Rule, individuals have general rights to access and obtain a copy of their health information. Covered entities may require individuals to request access in writing (if individuals are informed of this requirement), or by electronic means (for example, via a patient portal or via email). Prior to release of PHI, covered entities must take reasonable steps to verify the individual’s identity, or the identity of their designated personal representative. Access to PHI should be provided in the format requested by the individual whenever possible, no later than 30 days following receipt of the request. If access cannot be provided during this timeframe (for instance, if the PHI requested is located off-site or is not readily accessible), the covered entity must inform the individual in writing of the delay, include the reason for the delay, and extend the timeframe for satisfying the request by an additional 30 days. The Privacy Rule allows only one 30-day extension per access request. Covered entities may charge “reasonable” or “cost-based” fees for providing PHI to an individual.

Acceptable/Permissible Fees:

  • Labor cost for copying the PHI requested
  • Supplies for creating paper copies or electronic media
  • Postage costs when the individual requests mailing of records
  • Preparation of a PHI summary, if agreed to by the individual

Impermissible Fees:

  • Costs associated with verification of PHI
  • Costs associated with searching or retrieving PHI
  • Other costs not listed above, even if those costs are authorized by State law

Certain requests for PHI can be denied, as detailed in the Privacy Rule.

The American Health Information Management Association (AHIMA) recently published a model “Patient Request for Health Information” form to assist providers and covered entities with PHI requests and ensure they are compliant.

AHIMA’s form can be accessed here: AHIMA Patient Request for Health Information Form