Over the three decades since its inception in 1996, the Health Insurance Portability and Accountability Act (HIPAA) has set a uniform standard for protecting sensitive patient health information (PHI) from unauthorized disclosure and for minimizing the exploitation of individuals’ PHI.
Having the right to access this PHI is a critical cornerstone, giving patients transparency, consumer confidence, and full visibility into what health data their healthcare provider holds. Read on to learn the critical importance of the HIPAA right of access and why healthcare providers must honor such a request.
What is the HIPAA Right of Access?
Right of access is one of the most important patient rights established by HIPAA. Individuals’ right to access their health information, as covered under Public Welfare Title 45 Code of Federal Regulations (CFR) § 164.524, provides individuals with easy access to their health information, empowering them to be more in control of decisions regarding their health and well-being.
This is reinforced by HIPAA’s Privacy Rule, which requires HIPAA-covered entities (health plans and most health care providers) to give individuals, upon request, a right of access to inspect and obtain a copy of PHI about them held in one or more "designated record sets," for as long as the PHI is maintained in those record sets. This includes the right to inspect the PHI, to obtain a copy, or to direct the covered entity to send a copy to a designated person or entity. Excepted from this right are psychotherapy notes and information compiled for civil, criminal, or administrative proceedings.
Simply put, HIPAA makes it possible and convenient for patients to access their own medical records, supporting transparency, better decision-making, and accountability.
Do Patients Have the Right to Access All of Their Medical Records?
In limited cases, healthcare providers can deny an individual access to their PHI without offering an opportunity for review: when the PHI is excluded from the right of access, when the request involves inmates in correctional settings, when the records are certain research records or Privacy Act records, or when the PHI was obtained from someone other than a health care provider under a promise of confidentiality.
Healthcare providers can also deny access with the right to review if a licensed health care professional determines that access could endanger someone’s life or physical safety or cause substantial harm to another person, including when requested by a personal representative.
If the denial is reviewable, the individual can request review by a licensed health care professional, and the covered entity must follow that reviewer’s decision.
Importance of Patients’ Rights to Medical Records
The right to medical records is no different from basic constitutional rights. Such rights give patients control and authority over their protected health information and enable them to make informed decisions about which information to share and which to withhold, with whom it is shared, whether it is accurate and up to date, and whether they want to amend it, request privacy restrictions, have it deleted, and so on.
When patients have rights over their PHI, they can make informed judgments about diagnoses, prescription medications, and treatment plans, identify gaps and lapses in their care, and much more. It also helps patients share information quickly with other stakeholders, such as new healthcare providers, get second opinions, manage chronic conditions, and stay actively involved in their healthcare journey.
Common Violations That Trigger OCR Fines
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) imposes fines for violating the HIPAA Privacy, Security, and Breach Notification Rules. Common violations that often trigger OCR penalties under HIPAA include:
1. Impermissible Use or Disclosure of PHI
This occurs when PHI is accessed without the patient’s consent and shared with unauthorized recipients. Beyond misuse and unauthorized disclosure, it also covers disclosing PHI to agencies that use that information to market their goods and services, and making such information public on social media, news, and other platforms.
2. Inadequate Security Measures
A lack of adequate security protocols, such as weak or absent encryption, poor access controls with no role-based access, improper data disposal, unaddressed technical faults, missing or undocumented audit logs, and failure to perform timely security audits and risk assessments, is a major red flag. Ignoring such lapses can lead to PHI exposure that triggers OCR fines.
3. Business Associate Agreements (BAAs) & Patient Right of Access Violations
A healthcare institution is calling for trouble if it shares PHI with third-party vendors without a signed BAA. Additionally, if a patient requests access to their PHI and the healthcare institution fails to provide access to their medical records in a timely manner (generally within 30 days) or charges more than a reasonable fee, a fine may be imposed. The response period may be extended once for an additional 30 days, provided the patient is given written notice of the delay and the reason for the extension.
4. Poor Incident Handling & Repeated Noncompliance
Failing to notify affected individuals of a breach within the required 60 days, failing to notify regulatory authorities, lacking preventive measures, and failing to follow notification SOPs are all ways to trigger OCR fines. Repeated noncompliance with HIPAA Rules can initiate an investigation, which could deplete resources and result in massive penalties.
5. Lack of a Common Language Across the Enterprise
If the organization is subject to HIPAA regulations, that fact should be communicated across the organization, and every individual handling PHI should understand the importance of protecting healthcare data. Additionally, organizations should adopt adequate administrative, technical, and physical safeguards to ensure swift compliance with HIPAA standards.
Rights Under the HIPAA Privacy Rule
The HIPAA Privacy Rule provides individuals with several key rights. Patient rights under HIPAA include:
1. Right to Authorize Certain Uses and Disclosures of PHI
Under 45 CFR § 164.508, HIPAA-covered entities must obtain an individual’s valid authorization for uses and disclosures of PHI that are not otherwise permitted by the Act. Under § 164.506, they may use or disclose PHI for treatment, payment, or health care operations without authorization. Patients can obtain a copy of any authorization they sign and revoke it at any time.
2. Right to Receive a Notice of Privacy Practices
Under 45 CFR § 164.520, individuals are entitled to a HIPAA Notice of Privacy Practices. The Notice must describe the uses and disclosures of protected health information the covered entity may make, the individual's rights, and the covered entity's legal duties with respect to protected health information.
3. Right to Request Privacy Protection for PHI
Under 45 CFR § 164.522, individuals have the right to ask a covered entity to limit certain uses or disclosures of their PHI made to carry out treatment, payment, or health care operations. An individual may also request that a covered entity restrict disclosure of their protected health information to a family member, relative, close personal friend, or any other person involved in their health care or payment for care, even where such disclosure would otherwise be permitted under the Privacy Rule. Although the covered entity must establish a way for individuals to make such requests, it is not required to agree to every restriction.
4. Right to Access and Obtain a Copy of PHI
Under 45 CFR § 164.524, individuals have the right to access and obtain a copy of their PHI in a designated record set within 30 days of making the request. This time can be extended once for an additional 30 days.
5. Right to Amend PHI
Under 45 CFR § 164.526, individuals have the right to request that the covered entity amend their PHI or any other record about them, typically when the data is inaccurate or incomplete. The covered entity may decline such a request.
6. Right to an Accounting of Disclosures
Under 45 CFR § 164.528, an individual is entitled to an accounting of all disclosures of PHI made by a covered entity within the six years prior to the request date.
7. Right to Complain to the Secretary
Under 45 CFR § 160.306, an individual who believes a covered entity or business associate is not complying with HIPAA provisions and the rights they grant individuals may file a complaint with the Secretary.
Difference Between ‘Right of Access’ and ‘Disclosure’
“Right of Access” is a patient- or individual-initiated request in which the patient asks the covered entity for their PHI records. “Disclosure,” on the other hand, is when a covered entity, most commonly a healthcare provider, shares PHI with a business associate or another stakeholder for permitted purposes in compliance with HIPAA regulations.
Penalties for HIPAA Right of Access Violations
The HHS OCR enforces HIPAA. Failure to honor the HIPAA right of access can result in massive noncompliance penalties. Depending on the level of culpability, penalties range from $141 per violation up to a minimum of about $71,000 per violation for willful neglect that is not corrected, subject to an annual cap of approximately $2.1 million per violation category.
For context, the HHS OCR recently imposed a $200,000 penalty in a Right of Access enforcement action against Oregon Health & Science University, for violating an individual’s right to timely access to their medical records through a personal representative. In short, the exact amount depends on culpability and several other factors.
Automate Compliance with Securiti DSPM
As regulatory pressure increases and data environments grow more complex, organizations can no longer rely on manual methods to ensure compliance. DSPM offers a proactive, automated, and scalable solution to maintaining a continuous data security and privacy posture, not just for HIPAA, but for any current or future regulation.
Securiti's Data Command Center (rated #1 DSPM by GigaOM) provides a built-in DSPM solution, enabling organizations to secure sensitive data across multiple public clouds, private clouds, data lakes and warehouses, and SaaS applications, protecting both data at rest and in motion.
With Securiti, organizations can leverage contextual data intelligence and controls to discover and classify data, minimize ROT (Redundant, Obsolete, and Trivial) data risk, reduce misconfiguration vulnerabilities, prevent unauthorized data access, understand data flow, and enforce consistent security controls across the data journey, including real-time streaming data, while also managing compliance and breach risk.
Schedule a demo to learn more.