access to records, right of (HIPAA)

HIPAA's Privacy Rule grants every individual a "right of access" -- to inspect and obtain a copy of all protected health information within the designated record set maintained by the covered entity. (Such a right of access exists, in varying forms, under most but not all state law. HIPAA has made this requirement national.)

HIPAA's right of access excludes:
- information compiled for use in a civil, criminal or administrative proceeding; and
- information protected by the Clinical Laboratory Improvements Amendments of 1988 (42 USC 263a, 42 CFR 493.3(a)(2)).

Covered entities can deny an individual's request for access, without providing an opportunity for appeal, in the following circumstances:
- the information falls into one of the exclusion categories above;
- the request comes from an inmate in a correctional institution, and access would endanger the health or safety of that person or anyone else in the facility;
- the information is generated in the course of ongoing research, and disclosure would jeopardize the research (provided that the individual must have agreed to such a restriction previously, and access rights are restored at the conclusion of the protocol);
- records containing the information are subject to federal Privacy Act protections (5 USC 552a);
- the information was obtained from someone under a promise of confidentiality, and the access requested would be reasonably likely to reveal the source.

A denial of access is permissible, but with an opportunity to appeal, when a "licensed health care professional, in the exercise of professional judgment" determines that the requested access is "reasonably likely" to endanger the life or physical safety of, or cause substantial harm to, the individual or another person. Requests by a personal representative of an individual may be denied for the same reasons.

Note that institutions are to make a good faith effort only to deny access to the parts of the record that meet these denial grounds, while providing the rest. Because some information is "dangerous" or "tainted" does not mean that there are grounds for denial of the entire request.

(If the covered entity does not possess the information requested, but knows where it is maintained, the covered entity must inform the individual where to direct the request for access.)

A covered entity may require that individuals make their access requests in writing, but must inform individuals of this requirement in its Notice of Privacy Practices. It must respond to a request within 30 days of receiving it, either by providing the access specified or in a written response stating the reason(s) for denial. If the request is denied, the individual's right to seek review must also be outlined in the response.

Reviews of denials must be performed by a licensed health care professional who is designated by the covered entity to act as a reviewing official and who did not participate in the original decision to deny. The covered entity is bound by the reviewer's determination. Individuals may appeal the institution's determination by complaining to DHHS.

For information that is not maintained on site, nor otherwise in readily accessible form, a covered entity has up to 60 days to provide access if it does not deny the request. (An additional 30-day extension is allowed, but a written explanation of the reasons for delay must be provided.)

Access must be provided at "a convenient time and place," or can be mailed to the individual. The scope, format, and other aspects of the request may be negotiated with the individual, as necessary to achieve timely access. Individuals can agree to a summary or explanation of information in lieu of the actual information.

Reasonable, "cost-based" fees for preparations of summaries and explanations, copying and postage, etc., may be charged.