HIPAA Procedure-01
About This Procedure
Effective: 07/01/2015
Last Updated: 12/13/2021
Responsible University Office:
Office of the Chief Privacy Officer
Responsible University Administrator:
Chief Privacy Officer
mawerlin@iu.edu
Procedure Contact:
HIPAA Privacy Officer
HIPAA Security Officer
hipaa@iu.edu
Scope
This procedure applies to the workforce members in the designated Indiana University (IU) HIPAA Covered Healthcare Components and HIPAA Affected Areas, anyone rendering services as a Business Associate, and anyone who creates, receives, maintains, or transmits Protected Health Information (PHI) in any capacity at IU, including, but not limited to, faculty, staff, students, trainees, volunteers, visiting scholars, and third-party agents. For the purposes of this procedure, all of the above will be referred to as workforce members.
Procedure Statement
Individuals have the right to request access to inspect or copy their protected health information that is maintained in a designated record set. Workforce members will address an individual’s request to inspect or copy his or her protected health information in a timely and professional manner. Individuals do not have the right to access certain types of information (set forth below), and in those situations, workforce members may deny an individual’s request to access. In certain circumstances, an individual may have the right to have a denial reviewed.
Workforce members are responsible for complying with this procedure or for developing a comparable operating procedure for addressing, denying, or reviewing an individual’s request to access.
Procedures
A. Process for Requests to Inspect and/or Obtain a Copy of Protected Health Information
- Individuals requesting an opportunity to access, inspect and/or obtain copies of their PHI must submit a written request to the IU HIPAA Affected Area.
- The IU HIPAA Affected Area shall respond to written requests within thirty (30) days after receipt of the request. Within this time period, the IU HIPAA Affected Area will either make the information available OR provide written notice to:
  - Inform the patient that the information does not exist;
  - Deny the request in whole or in part; or
  - Inform the patient that there will be a delay in responding, including the reason for the delay and the expected date of completion. The IU HIPAA Affected Area may take one 30-day extension but, within the original time limit, must notify the individual in writing of the reasons for the delay and the anticipated date when the records will be produced.
- The IU HIPAA Affected Area will inform the individual of the acceptance of the request and provide the access requested by arranging for a convenient time and place for the individual to inspect the protected health information or obtain a copy.
- The IU HIPAA Affected Areas will provide the individual with access to or a copy of the protected health information in the form the individual requests, if the information is readily producible (e.g., paper or electronic).
- All completed requests and any documentation of action taken on the requests will be maintained by the IU HIPAA Affected Area.
B. Notification of Denial
- The IU HIPAA Affected Area must provide a written denial to the individual that includes the following information:
  - The basis for the denial;
  - A statement of the patient’s review rights including a description of how the patient may exercise such review rights; and
  - A description of how the patient may file a complaint with IU or with the U.S. Department of Health and Human Services.
- If access is denied because the IU HIPAA Affected Area does not maintain the information, the notice of denial must include any information the IU HIPAA Affected Area has regarding the location of the requested information.
- If access is denied only for certain parts of the designated record set, then to the extent possible, the IU HIPAA Affected Area will provide the individual access to the other requested information contained in the Designated Record Set.
- The IU HIPAA Affected Area will place a copy of the denial letter in the Designated Record Set.
C. Denial of Access: Grounds for Denial – No Opportunity for Review Is Required
Unless prohibited by state or federal law, the IU HIPAA Affected Area may deny an individual access to the following types of information and the denial is not subject to review:
- The protected health information is not part of the designated record set.
- The protected health information was compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative proceeding or action.
- The protected health information was received from a source, other than a health care provider, under a promise of confidentiality, and providing access would be reasonably likely to reveal the source of the information.
- The protected health information is considered part of psychotherapy notes.
- The protected health information was created or obtained in the course of treatment-related research for which access has been temporarily suspended for as long as the research is in progress, provided that the patient has agreed to the denial of access when consenting to participate in the research and has been informed that the right of access will be reinstated upon completion of the research.
- When acting under the direction of a correctional institution, the IU HIPAA Affected Area may deny an inmate’s request to obtain information when the access would jeopardize the health, safety, security, custody or rehabilitation of the patient or other inmates, the safety of any officer, employee or person at the correctional institution or the safety of a person responsible for transporting the inmate.
- The individual has requested access to protected health information that is contained in records that are subject to the Privacy Act, 5 U.S.C. § 552a, and the access may be denied under the provisions of the Privacy Act.
D. Denial of Access: Grounds for Denial - Opportunity for Review Is Required
The IU HIPAA Affected Area must provide the patient an opportunity for review if a patient’s access is denied for any of the following reasons:
- When a licensed healthcare professional, exercising professional judgment, determines that the access requested is likely to endanger the life or physical safety of the individual or another person.
- The protected health information makes reference to another person who is not a healthcare provider, and a licensed healthcare professional has determined that the access requested is reasonably likely to cause substantial harm to such other person.
- The request for access is made by the patient’s legally authorized representative and a licensed healthcare professional has determined that the provision of access to such representative is reasonably likely to cause substantial harm to the patient or another person.
E. Review of Denial
- If the IU HIPAA Affected Area denies an individual access to protected health information, the individual may request that the denial be reviewed.
- Another licensed healthcare professional chosen by the IU HIPAA Affected Area will review the individual’s request and the denial. The reviewer may not have participated in the original decision to deny access.
- The reviewer must act on the request within a reasonable period of time and decide whether or not to deny access to the records requested.
- The IU HIPAA Affected Area will comply with the final determination of the reviewer and will promptly provide written notice of the reviewer’s decision to the individual.
Reason for the Procedure
The Health Information Portability and Accountability Act (HIPAA) Privacy regulations require that patients be provided with the right to request access to inspect and receive a copy of their protected health information that is contained in a designated record set.
This procedure describes how Indiana University complies with the Privacy Rule’s right to access and defines the limited circumstances in which access to medical and/or billing records may be denied.
History
4/06/2015 New procedure
09/01/206 Updated final procedure (removed Policy from Statement section)
12/13/2021 Updated procedure contacts
Related Information
HIPAA Privacy Rule
45 C.F.R. §164.522