The Wagner Law Group
Wagner Law Group, A Professional Corporation, is a nationally
recognized ERISA & employee benefits, estate planning,
employment, labor & human resources practice.
in 1996, The Wagner Law Group has 22 attorneys engaged
exclusively in employee benefits, estate planning and
employment law. Six of our attorneys are AV rated by
Martindale-Hubbell as having very high to preeminent legal abilities
and ethical standards. The firm is among the largest ERISA boutiques
in the country. Our practice is national in scope, with clients in
more than 40 states and several foreign countries.
February 4, 2016
Health and Welfare Law
Guidance on Individuals'
HIPAA Right to
The Department of Health and Human Services ("HHS") has issued
guidance clarifying individuals' right under the HIPAA Privacy Rule
to access their protected health information ("PHI")
maintained by covered entities, including health plans.
Background. Under HIPAA's Privacy Rule, individuals
have the right to access their own PHI from "covered entities" (e.g.,
doctors, hospitals and group health plans). Regulations issued
in 2013 expanded this right to cover electronic PHI.
Guidance. Among other
things, HHS's guidance addresses: the scope of information to be
provided; limited exceptions to this right; the form and format in
which PHI is to be provided; and the requirement to provide access to
individuals in a timely manner.
from the guidance are as follows:
Covered information. Individual rights extend only to PHI
maintained in a designated record set. A "designated
record set" is defined as a group of records maintained by or
for a covered entity that comprises the: (i) medical records and
billing records of individuals maintained by or for a covered health
care provider; (ii) enrollment, payment, claims adjudication, and
case or medical management record systems maintained by
or for a health plan; and (iii) other records that are used, in whole
or in part, by or for the covered entity to make decisions about
The guidance provides examples of PHI included in
and excluded from a designated record set.
The following two categories of information are
expressly excluded from the right of access: (i) psychotherapy
notes, which are the personal notes of a mental health care provider
documenting or analyzing the contents of a counseling session, that
are maintained separately from the rest of the patient's medical
record; and (ii) information compiled in reasonable anticipation of,
or for use in, a civil, criminal, or administrative action or
Access Requests. Covered entities may require individuals to request
access in writing and may offer electronic means for submitting
requests, but they cannot require individuals to come to a physical
office, use a web portal or mail a request. Covered entities
may prescribe a particular form to be used for requests so long as it
does not create a barrier or unreasonably delay access.
Providing Access. PHI must generally be provided in the
format requested by the individual or in a mutually agreeable
format. Individuals who request that PHI be transmitted in an
unencrypted email must be warned of the risks and confirm the
delivery method. (Note: Covered entities that take
these steps will not be responsible if an unauthorized disclosure
occurs during PHI transmission.) Individuals' rights to access
PHI through other unsecured means depend on the covered entity's
capabilities and the security risk that it would pose to other PHI
maintained on its system.
Covered entities must fulfill a written request to direct PHI to a
third party if the request is signed by the individual and clearly
identifies the designated recipient.
In general, covered entities must provide access to requested PHI
within 30 calendar days following the receipt of a valid
request. If a covered entity is unable to provide access within
30 days, it may extend the deadline for responding by no more than an
additional 30 days.
The Privacy Rule permits a covered entity to impose a reasonable,
cost-based fee where an individual requests a copy of PHI. The
guidance specifies that covered entities may not recover costs
associated with verification, documentation, searching for and
retrieving PHI, systems maintenance, and capital expenditures for
data access, storage or infrastructure.