Over the past few months, the United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has published several FAQs related to patient access to Protected Health Information (PHI). These FAQs were generated in response to recent studies and OCR investigations that found that patients often face obstacles when trying to access their health information from hospitals and physician practices.

In continuation with our Legal Issues blog series, parts four and five will explore ways providers can avoid patient complaints being filed against them with the OCR regarding PHI access that could lead to investigations and possible enforcement actions. Part four is about removing obstacles from patients requesting their PHI, while part five will look at how providers can properly disclose patients’ information.

HIPAA-compliant authorization not required
HIPAA-compliant authorizations are required when a third party is requesting access to a patient’s PHI. However, a patient or a patient’s authorized representatives (see below) does not need to provide a HIPAA-compliant authorization to obtain access to the patient’s own PHI. A patient can simply submit their request in writing to their healthcare provider, provided that the request contains enough information for the healthcare provider to verify the patient’s identity.

Providers can require that patients use a specific form to request access to their PHI, but the form cannot create an access obstacle. Healthcare providers need to review what documentation they are requiring patients to provide to release their information and ensure that access is not obstructed.

Honor the personal representative’s Release of Information (ROI) request
Under HIPAA, a patient’s personal representative has the same right as the patient to access the patient’s PHI. Examples of personal representatives include healthcare power of attorneys and the parents/guardians of minor children.

Providers should ensure, however, that the personal representative’s request includes information regarding his or her authority to act on behalf of the patient, such as a healthcare power of attorney executed in accordance with applicable state law. Medical providers should make sure their policies do not create a barrier to access for personal representatives.

In light of the OCR’s recent FAQs, healthcare providers should make efforts towards enhancing their patient request policies and procedures to ensure they are providing patients with timely access to their PHI. At MRO, we are dedicated to providing patients with timely access to their PHI and have recently launched a new Patient Advocate Program to guide patients through the ROI process.

In the final segment of our Legal Issues blog series, we’ll take a look at how providers can ensure proper and compliant disclosure of patient information. Don’t want to miss part five? Sign up for future MRO blog posts below.

This blog post is made available by MRO’s general counsel for educational purposes only, as well as to give general information and a general understanding of the law, not to provide specific legal advice. This blog post does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.