Wagner Header

The Wagner Law Group

The Wagner Law Group, A Professional Corporation, is a nationally recognized ERISA & employee benefits, estate planning, employment, labor & human resources practice. 


Established in 1996, The Wagner Law Group has 22 attorneys engaged exclusively in employee benefits, estate planning and employment law. Six of our attorneys are AV rated by Martindale-Hubbell as having very high to preeminent legal abilities and ethical standards. The firm is among the largest ERISA boutiques in the country. Our practice is national in scope, with clients in more than 40 states and several foreign countries.





Contact Info

The Wagner Law Group


  Integrity | Excellence



Tel: (617) 357-5200 

Fax: (617) 357-5250 

99 Summer Street 

13th Floor

Boston, MA 02110

Palm Beach Gardens 

Tel: (561) 293-3590
Fax: (561) 293-3591
7108 Fairway Drive
Suite 125
Palm Beach Gardens, FL 33418



Tel: (813) 603-2959

Fax: (813) 603-2961

101 East Kennedy Boulevard

Suite 2140
Tampa, FL  33602 


San Francisco

Tel: (415) 625-0002

Fax: (415) 358-8300

315 Montgomery Street

Suite 904

San Francisco, CA 94104


St. Louis

Tel: (314) 236-0065

Fax: (314) 236-5743
100 South 4th Street, Suite 550
St. Louis, MO  63102 







February 4, 2016


 Health and Welfare Law Alert




 Guidance on Individuals' HIPAA Right to

Access PHI




The Department of Health and Human Services ("HHS") has issued guidance clarifying individuals' right under the HIPAA Privacy Rule to access their protected health information ("PHI") maintained by covered entities, including health plans.


Background.  Under HIPAA's Privacy Rule, individuals have the right to access their own PHI from "covered entities (e.g., doctors, hospitals and group health plans).  Regulations issued in 2013 expanded this right to cover electronic PHI.


HHS Guidance.  Among other things, HHS's guidance addresses: the scope of information to be provided; limited exceptions to this right; the form and format in which PHI is to be provided; and the requirement to provide access to individuals in a timely manner.


Highlights from the guidance are as follows:



Covered information.  Individual rights extend only to PHI maintained in a designated record set.  A "designated record set" is defined as a group of records maintained by or for a covered entity that comprises the: (i) medical records and billing records of individuals maintained by or for a covered health care provider; (ii) enrollment, payment, claims adjudication, and case or   medical management record systems maintained by or for a health plan; and (iii) other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals.



The guidance provides examples of PHI included and excluded from a designated record set. 




The following two categories of information are expressly excluded from the right of access:  (i) psychotherapy notes, which are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session, that are maintained separately from the rest of the patient's medical record; and (ii) information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.




Access Requests.  Covered entities may require individuals to request access in writing and may offer electronic means for submitting requests, but they cannot require individuals to come to a physical office, use a web portal or mail a request.  Covered entities may prescribe a particular form to be used for requests so long as it does not create a barrier or unreasonably delay access.




Providing Access.  PHI must generally be provided in the format requested by the individual or in a mutually agreeable format.  Individuals who request that PHI be transmitted in an unencrypted email must be warned of the risks and confirm the delivery method.  (Note:  Covered entities that take these steps will not be responsible if an unauthorized disclosure occurs during PHI transmission.)  Individuals' rights to access PHI through other unsecured means depends on the covered entity's capabilities and the security risk that it would pose to other PHI maintained on its system.




Third Parties.  Covered entities must fulfill a written request to direct PHI to a third party if the request is signed by the individual and clearly identifies the designated recipient.




Timeliness.  In general, covered entities must provide access to requested PHI within 30 calendar days following the receipt of a valid request.  If a covered entity is unable to provide access within 30 days, it may extend the deadline for responding by no more than an additional 30 days. 




Fees.  The Privacy Rule permits a covered entity to impose a reasonable, cost-based fee where an individual requests a copy of PHI.  The guidance specifies that covered entities may not recover costs associated with verification, documentation, searching for and retrieving PHI, systems maintenance, and capital expenditures for data access, storage or infrastructure.









This Newsletter is protected by copyright. Material appearing herein may be reproduced with appropriate credit.


This Newsletter is provided for information purposes by The Wagner Law Group to clients and others who may be interested in the subject matter, and may not be relied upon as specific legal advice.  This material is not to be construed as legal advice or legal opinions on specific facts. Under the Rules of the Supreme Judicial Court of Massachusetts, this material may be considered advertising.