HIPAA Compliance Plan
« Previous PageHIPAA Survival Guide Table of ContentsNext Page »

Make sure you are Omnibus Rule Compliant: HIPAA Privacy Checklist.


§ 164.524 Access of individuals to protected health information

Introductory Comment: This section contains, among other details, a number of procedural steps that must be taken under certain scenarios (e.g. concerning delays in providing access). Only the top level entry points into the section are covered so as to provide a point of reference for research as may be required. A provider should be aware that this is another area where state law is often implicated and therefore must be reviewed.

    (a) Standard: Access to protected health information. In general, an individual has a right of access to inspect and obtain a copy of Protected Health Information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set.

    HIPAA Survival Guide Note

    There are a few exceptions (e.g. psychotherapy notes, Protected Health Information prepared for litigation, etc.) but these do not appear to target "mainstream access." In short, the right to access and inspect is broad.

    (b) Implementation specifications: Requests for access and timely action.

    HIPAA Survival Guide Note

    In general, a provider has 30 days to respond to a request if the requested Protected Health Information is on site and 60 days otherwise. There are also procedural formalities that must be followed with respect to the justification of delays.

    (c) Implementation specifications: Provision of access.

    HIPAA Survival Guide Note

    Lots of detail here regarding the form by which access is provided, whether summaries of Protected Health Information can be provided, and fees that can be charged for provision (e.g. copying, postage, preparation and explanation, etc.).

    (d) Implementation specifications: Denial of access.

    HIPAA Survival Guide Note

    If a provider denies access (i.e. in those limited set of circumstances where a denial is valid) then there are procedural formalities that must be followed (e.g. a timely, written, rule driven denial must be provided to the individual).

    (e) Implementation specification: Documentation.

    HIPAA Survival Guide Note

    A provider must document those record sets available for access and designate a person or office responsible for receiving and processing requests.

§ 164.526 Amendment of protected health information

HIPAA Survival Guide Note

An individual has the right to have a Covered Entity amend Protected Health Information in a designated record set for as long as the Protected Health Information is maintained in the record set. As you might imagine, there are procedural safeguards that must be followed if a request to amend is denied and, in addition, there are detailed implementation specifications that control how the amendment process works. The regulatory text of this section is several pages in length, and as a practical matter, is best reviewed when the need arises.

§ 164.528 Accounting of disclosures of protected health information

HIPAA Survival Guide Note

Ditto. See the prior §164.526 note.

Download a FREE copy of the HIPAA Survival Guide 4th Edition.

« Previous PageHIPAA Survival Guide Table of ContentsNext Page »