The Growing Interest In Access

by Adam Bullian | Jan 11, 2018 | PHI Security

Having patients access their health records has important clinical benefits, which is a significant reason why it is a right patients are provided in HIPAA. That also means processes must be in place to grant patients access to their records promptly when requested.

Benefits to Patient Access to Health Records

Last week the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) rolled out a campaign, “Information Is Powerful Medicine,” to educate and encourage patients to access their health records.

The first thing you should ensure you have in place is a Notice of Privacy Practices. You must provide this to all patients, and receive a signed acknowledgment that they read it and were provided a copy if they requested. Your Notice of Privacy Practices should be posted in a prominent location, like a waiting room. While there is wide understanding that a Notice of Privacy Practices is required, there are still plenty of organizations not doing what is necessary. I have seen patients asked to sign that they read and were provided a Notice of Privacy Practices, when one was not provided.

Unfortunately, I also still see many locations that do not have a Notice of Privacy Practices posted. It is an important document, not necessarily because it is required, but because it provides the patient notice of their rights. As mentioned, one of those rights is access to their own records. Access is thought of in two types: viewing and copies. You must provide a way for a patient to view their records free of charge, generally within 30 days of request (keep in mind, some states have made this timeframe shorter). Similarly, you must also provide a patient with a copy of their records, in a form they request (electronic, paper, fax, mail, etc.), generally within 30 days of request. You may charge a fee for the copies, but there are strict regulations, which can vary by state, on how much you can charge (check here for more information on how much you can charge for copies). If it is going directly to the patient, there are very limited exceptions to what you must provide. For the most part, the only exceptions are psychotherapy notes (personal notes of a therapist, not included in the medical record), and anything that could cause harm to the patient or someone else. For everything else, you must provide it to the patient when requested.

OCR campaign or not, patients have a right to access the medical information about them. This is guaranteed by HIPAA, and is important in delivering quality health care. In addition to distributing and posting your Notice of Privacy Practices, you should have internal processes to follow when patients make a request for a copy or to view their record.
