Code of Federal Regulations
TITLE 45--PUBLIC WELFARE
SUBTITLE A--DEPARTMENT OF HEALTH AND HUMAN SERVICES
PART 164--SECURITY AND PRIVACY
Subpart E--Privacy of Individually Identifiable Health Information
Revised as of October 1, 2004
CITE: 45CFR164.524
Sec. 164.524 Access of individuals to protected health information.
(a) Standard: Access to protected health information.
- (1) Right of access.
Except as otherwise provided in paragraph (a)(2) or (a)(3) of
this section, an individual has a right of access to inspect and obtain
a copy of protected health information about the individual in a
designated record set, for as long as the protected health information
is maintained in the designated record set, except for:
- (i) Psychotherapy notes;
- (ii) Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; and
- (iii) Protected health information maintained by a covered entity that is:
- (A) Subject to the Clinical Laboratory Improvements Amendments of
1988, 42 U.S.C. 263a, to the extent the provision of access to the
individual would be prohibited by law; or
- (B) Exempt from the Clinical Laboratory Improvements Amendments of
1988, pursuant to 42 CFR 493.3(a)(2).
- (2) Unreviewable grounds for denial.
A covered entity may deny an individual access without providing the individual an opportunity for
review, in the following circumstances.
- (i) The protected health information is excepted from the right of
access by paragraph (a)(1) of this section.
- (ii) A covered entity that is a correctional institution or a
covered health care provider acting under the direction of the
correctional institution may deny, in whole or in part, an inmate's
request to obtain a copy of protected health information, if obtaining
such copy would jeopardize the health, safety, security, custody, or
rehabilitation of the individual or of other inmates, or the safety of
any officer, employee, or other person at the correctional institution
or responsible for the transporting of the inmate.
- (iii) An individual's access to protected health information created
or obtained by a covered health care provider in the course of research
that includes treatment may be temporarily suspended for as long as the
research is in progress, provided that the individual has agreed to the
denial of access when consenting to participate in the research that
includes treatment, and the covered health care provider has informed
the individual that the right of access will be reinstated upon
completion of the research.
- (iv) An individual's access to protected health information that is
contained in records that are subject to the Privacy Act, 5 U.S.C. 552a,
may be denied, if the denial of access under the Privacy Act would meet
the requirements of that law.
- (v) An individual's access may be denied if the protected health
information was obtained from someone other than a health care provider
under a promise of confidentiality and the access requested would be
reasonably likely to reveal the source of the information.
- (3) Reviewable grounds for denial. A covered entity may deny an
individual access, provided that the individual is given a right to have
such denials reviewed, as required by paragraph (a)(4) of this section,
in the following circumstances:
- (i) A licensed health care professional has determined, in the
exercise of professional judgment, that the access requested is
reasonably likely to endanger the life or physical safety of the
individual or another person;
- (ii) The protected health information makes reference to another
person (unless such other person is a health care provider) and a
licensed health care professional has determined, in the exercise of
professional judgment, that the access requested is reasonably likely to
cause substantial harm to such other person; or
- (iii) The request for access is made by the individual's personal
representative and a licensed health care professional has determined,
in the exercise of professional judgment, that the provision of access
to such personal representative is reasonably likely to cause
substantial harm to the individual or another person.
- (4) Review of a denial of access. If access is denied on a ground
permitted under paragraph (a)(3) of this section, the individual has the
right to have the denial reviewed by a licensed health care professional
who is designated by the covered entity to act as a reviewing official
and who did not participate in the original decision to deny. The
covered entity must provide or deny access in accordance with the
determination of the reviewing official under paragraph (d)(4) of this
section.
(b) Implementation specifications: requests for access and timely action.
- (1) Individual's request for access. The covered entity must
permit an individual to request access to inspect or to obtain a copy of
the protected health information about the individual that is maintained
in a designated record set. The covered entity may require individuals
to make requests for access in writing, provided that it informs
individuals of such a requirement.
- (2) Timely action by the covered entity.
- (i) Except as provided in
paragraph (b)(2)(ii) of this section, the covered entity must act on a
request for access no later than 30 days after receipt of the request as
follows.
- (A) If the covered entity grants the request, in whole or in part,
it must inform the individual of the acceptance of the request and
provide the access requested, in accordance with paragraph (c) of this
section.
- (B) If the covered entity denies the request, in whole or in part,
it must provide the individual with a written denial, in accordance with
paragraph (d) of this section.
- (ii) If the request for access is for protected health information
that is not maintained or accessible to the covered entity on-site, the
covered entity must take an action required by paragraph (b)(2)(i) of
this section by no later than 60 days from the receipt of such a
request.
- (iii) If the covered entity is unable to take an action required by
paragraph (b)(2)(i)(A) or (B) of this section within the time required
by paragraph (b)(2)(i) or (ii) of this section, as applicable, the
covered entity may extend the time for such actions by no more than 30
days, provided that:
- (A) The covered entity, within the time limit set by paragraph
(b)(2)(i) or (ii) of this section, as applicable, provides the
individual with a written statement of the reasons for the delay and the
date by which the covered entity will complete its action on the
request; and
- (B) The covered entity may have only one such extension of time for
action on a request for access.
(c) Implementation specifications: Provision of access.
If the covered entity provides an individual with access, in whole or in part,
to protected health information, the covered entity must comply with the
following requirements.
- (1) Providing the access requested. The covered entity must provide
the access requested by individuals, including inspection or obtaining a
copy, or both, of the protected health information about them in
designated record sets. If the same protected health information that is
the subject of a request for access is maintained in more than one
designated record set or at more than one location, the covered entity
need only produce the protected health information once in response to a
request for access.
- (2) Form of access requested.
- (i) The covered entity must provide
the individual with access to the protected health information in the
form or format requested by the individual, if it is readily producible
in such form or format; or, if not, in a readable hard copy form or such
other form or format as agreed to by the covered entity and the
individual.
- (ii) The covered entity may provide the individual with a summary of
the protected health information requested, in lieu of providing access
to the protected health information or may provide an explanation of the
protected health information to which access has been provided, if:
- (A) The individual agrees in advance to such a summary or
explanation; and
- (B) The individual agrees in advance to the fees imposed, if any, by
the covered entity for such summary or explanation.
- (3) Time and manner of access. The covered entity must provide the
access as requested by the individual in a timely manner as required by
paragraph (b)(2) of this section, including arranging with the
individual for a convenient time and place to inspect or obtain a copy
of the protected health information, or mailing the copy of the
protected health information at the individual's request. The covered
entity may discuss the scope, format, and other aspects of the request
for access with the individual as necessary to facilitate the timely
provision of access.
- (4) Fees. If the individual requests a copy of the protected health
information or agrees to a summary or explanation of such information,
the covered entity may impose a reasonable, cost-based fee, provided
that the fee includes only the cost of:
- (i) Copying, including the cost of supplies for and labor of
copying, the protected health information requested by the individual;
- (ii) Postage, when the individual has requested the copy, or the
summary or explanation, be mailed; and
- (iii) Preparing an explanation or summary of the protected health
information, if agreed to by the individual as required by paragraph
(c)(2)(ii) of this section.
Note: The 9th Circuit case "Webb et al. v. Smart Document Solutions" (No. 05-56282, August 27, 2007) says:
"Although nothing in the HIPAA regulations prevents a law firm from drafting or mailing the request for records on behalf of its clients, or from directing that the records be sent to its office, we hold nonetheless that the HIPAA regulations require the reduced rate only when the individual himself requests the records."
(d) Implementation specifications: Denial of access.
If the covered
entity denies access, in whole or in part, to protected health
information, the covered entity must comply with the following
requirements.
- (1) Making other information accessible. The covered entity must, to
the extent possible, give the individual access to any other protected
health information requested, after excluding the protected health
information as to which the covered entity has a ground to deny access.
- (2) Denial. The covered entity must provide a timely, written denial
to the individual, in accordance with paragraph (b)(2) of this section.
The denial must be in plain language and contain:
- (i) The basis for the denial;
- (ii) If applicable, a statement of the individual's review rights
under paragraph (a)(4) of this section, including a description of how
the individual may exercise such review rights; and
- (iii) A description of how the individual may complain to the
covered entity pursuant to the complaint procedures in Sec. 164.530(d)
or to the Secretary pursuant to the procedures in Sec. 160.306. The
description must include the name, or title, and telephone number of the
contact person or office designated in Sec. 164.530(a)(1)(ii).
- (3) Other responsibility. If the covered entity does not maintain
the protected health information that is the subject of the individual's
request for access, and the covered entity knows where the requested
information is maintained, the covered entity must inform the individual
where to direct the request for access.
- (4) Review of denial requested. If the individual has requested a
review of a denial under paragraph (a)(4) of this section, the covered
entity must designate a licensed health care professional, who was not
directly involved in the denial to review the decision to deny access.
The covered entity must promptly refer a request for review to such
designated reviewing official. The designated reviewing official must
determine, within a reasonable period of time, whether or not to deny
the access requested based on the standards in paragraph (a)(3) of this
section. The covered entity must promptly provide written notice to the
individual of the determination of the designated reviewing official and
take other action as required by this section to carry out the
designated reviewing official's determination.
(e) Implementation specification: Documentation.
A covered entity
must document the following and retain the documentation as required by
Sec. 164.530(j):
- (1) The designated record sets that are subject to access by
individuals; and
- (2) The titles of the persons or offices responsible for receiving
and processing requests for access by individuals.
If the covered entity, after internal appeal, still refuses to provide you with your records, you may appeal to HHS.
Here is the complaint form.
It is a PDF. You can print it out and fill it in.
Or you can get it at www.hhs.gov/ocr/privacy/hipaa/complaints/