Reviewing Patient Access to Health Data Under HIPAA Privacy Rule

Although health IT security and HIPAA compliance are high provider priorities, there are still ample ways to enable patient access to health data.

By Sara Heath

While the healthcare industry is transitioning to a more patient-centric philosophy that emphasizes patient access to health data, it is also becoming more conscious of health data privacy.

With health records now stored digitally, healthcare organizations are taking measures to ensure those records are not accessed by the wrong individual. Those safeguards, together with the use and disclosure limits of the HIPAA Privacy Rule, can leave patients confused about how to get at their own health data, even though the same Privacy Rule guarantees them a right of access.

Although healthcare professionals give high priority to health data security, they also want to make clear how HIPAA can still enable patient engagement. Below is a breakdown of how patient access to health data works under the HIPAA Privacy Rule:

What information can patients access?

Under the HIPAA Privacy Rule, patients have a right to access the protected health information (PHI) that a covered entity holds in a designated record set. The designated record set is defined by what the records are used for, not by which department stores them.

According to the Department of Health and Human Services (HHS), patients are specifically able to access the following:

  • Medical records and billing records about individuals maintained by or for a covered health care provider;
  • Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
  • Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. This last category includes records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.

Earlier this year, HHS further clarified patient data access under HIPAA. In light of alterations made to physician rights to share behavioral health information about a patient looking to purchase a firearm, the department took the opportunity to reiterate patient rights to access their own health information.

Specifically, the HHS notice states that providers must respond to patient requests for their health data within the Privacy Rule's time limits, and that a provider cannot require a patient to pick up records in person when the patient has asked for them to be sent another way.

The Office for Civil Rights (OCR), a part of HHS, has also recently released a set of clarifications regarding patient access to health data. The agency reiterated that patients have a right of access to their health data and can direct that data to research efforts, including the Precision Medicine Initiative spearheaded by the White House.

How do patients access their health records?


While patients do have a right of access to their own health records, the HIPAA Privacy Rule lets providers set a process for exercising it.

According to HHS, providers may set some of their own parameters for access requests. For instance, a provider may require that patients submit a written request for their data, so long as the provider informs patients of that requirement (for example, in its notice of privacy practices).

The HIPAA Privacy Rule also requires providers to verify the identity of an individual requesting access; it does not, however, specify the form of identification required. Whatever method is chosen, the verification step is subject to the same limit as the rest of the process: it cannot itself become an unreasonable barrier.

Although providers may require a written request and identity verification, HIPAA does not allow them to set up unreasonable barriers to access. HHS gives the following as examples of unreasonable barriers:

  • Requiring an individual who wants a copy of her medical record mailed to her home address to physically come to the doctor’s office to request access and provide proof of identity in person.
  • Requiring an individual to use a web portal for requesting access, as not all individuals will have ready access to the portal.
  • Requiring an individual to mail an access request, as this would unreasonably delay the covered entity’s receipt of the request and thus the individual’s access.

What information can’t patients access?

While patients are clearly entitled to access their clinical information, there is some PHI that the HIPAA Privacy Rule does not require providers to share. Most of it pertains to the provider's own operations rather than to the patient, such as quality assessment and improvement records, patient safety activity records, and business planning, development, and administration records.

This information is typically kept separately from the patient’s health record and is used for business purposes rather than to make decisions about specific individuals, so it falls outside the designated record set.

HIPAA excludes two other categories from the right of access. First, patients may not access psychotherapy notes, meaning the notes a mental health professional keeps, separate from the rest of the medical record, documenting the contents of a counseling session. Second, they may not access information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

Can patients authorize others to access their health data?

Patients may have personal representatives who are also able to access their health data under HIPAA. A personal representative is someone with authority under applicable (generally state) law to act on the individual's behalf in making health care decisions. The rule addresses representatives of adults and emancipated minors (for example, a person holding a health care power of attorney), representatives of unemancipated minors (typically a parent or guardian), and representatives of deceased individuals (such as an executor or administrator of the estate).

Providers must treat a personal representative just as they would the patient, except in extenuating circumstances. When a provider has a reasonable basis to believe that disclosing information to a personal representative would endanger the patient, the provider may decline to treat that person as the patient's representative.

When a physician or other covered entity reasonably believes that an individual, including an unemancipated minor, has been or may be subjected to domestic violence, abuse, or neglect by the personal representative, or that treating a person as an individual’s personal representative could endanger the individual, the covered entity may choose not to treat that person as the individual’s personal representative, if in the exercise of professional judgment, doing so would not be in the best interests of the individual.

Patients may also direct a provider to send their PHI to a person who is not a personal representative, so long as the patient submits a signed, written request that clearly identifies the designated person and where to send the information. Providers may take steps to verify the identity of the requesting patient here as well.
