New Guidance on an Individual’s Right to Access Their Personal Health Information
The Department of Health and Human Services recently released new guidance regarding an individual’s right to access his Personal Health Information (PHI). The HIPAA Privacy Rule generally requires that HIPAA covered entities provide individuals, upon request, with access to their PHI. Covered entities may require that the individual request access in writing and may offer electronic methods for submitting these requests for access. When granting access, the Privacy Rule requires that covered entities take reasonable steps to verify the identity of the individual making a request but does not mandate a particular form of verification. A covered entity may not, however, impose unreasonable measures on an individual requesting access to his PHI. Some examples of unreasonable measures according to the new guidance include requiring an individual to: come to a physical office, use a web portal or mail a request. These individual access rights extend to PHI maintained by the covered entity’s business associates, so covered entities are required to produce PHI maintained or held by business associates.