The HIPAA Privacy Rule and HITECH regulations provide patients and their legally authorized representatives with a right to access, inspect, and obtain a copy of the patient’s protected health information in medical and billing records maintained and retained by a covered entity. This policy describes how UW–Madison complies with the Privacy Rule’s right to access and defines the limited circumstances in which access to medical and/or billing records may be denied. In the remainder of this policy, the term “patient” refers to the patient or their legally authorized representative.
- Each applicable UW HCC unit must designate a staff member or office to receive and process requests for access to or copies of medical or billing records.
- An individual must make a request to a staff member for access to inspect or obtain a copy of the individual’s medical or billing records. The UW HCC unit may require that this request be in writing provided that the patient is informed of this requirement in advance. A record of the request must be maintained by the UW HCC unit.
- The individual has the right to request access to inspect or copy their medical or billing records which are part of the designated record set (see UW-120 Requests by Patients to Amend Protected Health Information for more on the designated record set).
- The UW HCC unit may limit access to medical and billing records to the business hours during which the unit is open.
- The UW HCC unit will take action within 30 days after receipt of the request. The UW HCC unit may take one 30-day extension but, within the original time limit, must notify the individual in writing of the reasons for the delay and the date by which it will process the access request.
- The request of an individual for access to the individual’s medical or billing records will be granted unless one of the grounds for denial, listed below in VII or VIII, is present.
- Granting of Request for Access.
- The patient and the UW HCC unit will arrange a mutually convenient time and place for the individual to inspect or obtain a copy, or both, of the requested protected health information. The individual may request that this copy be mailed.
- If the individual directs the UW HCC unit to transmit a copy of the protected health information directly to another person designated by the individual, the UW HCC unit must provide a copy to such designated person. The individual’s request must be in writing, signed by the individual, and must clearly identify the designed person and where to send the copy of the protected health information.
- The UW HCC unit must provide the patient with access to the protected health information in the requested form or format, if it is readily producible in such form or format. If the protected health information is not readily producible in the requested form or format, the UW HCC unit must provide the patient with a readable hard copy form, or other form and format as agreed to by the patient and the UW HCC unit.
- If the protected health information requested is maintained in one or more designated record sets electronically and the individual requests an electronic copy, the UW HCC unit must provide the individual with access to the protected health information in the electronic form and format requested by the individual, if readily producible in such form and format. If the protected health information is not readily producible in the requested electronic form and format, the UW HCC unit must provide the patient with a readable electronic form and format as agreed to by the patient and the UW HCC unit.
- The UW HCC unit may provide the patient with a summary of the protected health information requested, in lieu of providing access to the protected health information, or may provide an explanation of the protected health information to which access has been provided, if the patient agrees in advance to such a summary or explanation and to the fees imposed, if any, by the UW HCC unit for the summary or explanation.
- If the patient requests a copy of the protected health information or agrees to a summary or explanation of such information, the UW HCC unit may impose a reasonable, cost-based fee, provided that the fee includes only the cost of (a) copying; (b) postage (when the patient has requested the copy, summary, or explanation be mailed); and (c) preparing an explanation or summary of the protected health information if agreed to by the patient in lieu of providing access to the information.
- If, after inspection of the protected health information, the patient feels it is inaccurate or incomplete, the patient has the right to request an amendment to the information. The UW HCC unit shall process requests for amendment as detailed in UW-120 Requests by Patients to Amend Protected Health Information.
- Grounds for Denial Where No Opportunity for Review Is Required
- Patients are not allowed access to or copies of the following types of information, and denials of access to or copies of this information are not subject to review:
- Psychotherapy notes (defined above)
- Information compiled in anticipation of or use in a civil, criminal, or administrative action or proceeding
- Protected health information that is exempt from CLIA (Clinical Laboratory Improvement Amendments), pursuant to 42 CFR 493.3(a)(2) (i.e., protected health information created in research laboratories that test human specimens but do not report patient-specific results for diagnosis, treatment, or health assessment of the individual patient).
- The UW HCC unit may deny a patient access to or copies of the following types of protected health information without providing the patient an opportunity for review:
- Protected health information created or obtained in the course of treatment-related research for which access has been temporarily suspended for as long as the research is in progress, provided that the patient has agreed to the denial of access when consenting to participate in the research and has been informed that the right of access will be reinstated upon completion of the research;
- Records that are subject to the Privacy Act of 1974 and the denial of access meets the requirement of that law (note: the Privacy Act of 1974 applies to records held by agencies of the federal government only and therefore this provision is generally inapplicable to UW–Madison)
- Protected health information that was obtained from someone other than a healthcare provider under a promise of confidentiality and access would likely reveal the source of the information.
- Grounds for Denial Where Opportunity for Review of Denial Must Be Provided. The UW HCC unit may deny a patient access to their protected health information, provided that the patient is given an opportunity to have the denial reviewed, in the following circumstances:
- A licensed healthcare professional has determined that the access is reasonably likely to endanger the life or physical safety of the patient or another person.
- The protected health information makes reference to another person who is not a healthcare provider, and a licensed healthcare professional has determined that the access requested is reasonably likely to cause substantial harm to such other person.
- The request for access is made by the patient’s legally authorized representative and a licensed healthcare professional has determined that the provision of access to such representative is reasonably likely to cause substantial harm to the patient or another person.
- Procedures for Denial of Access.
- When access is denied, the UW HCC unit will provide a written denial to the patient. The denial must be provided within 30 days after receipt of the request for access. The UW HCC unit may take one 30-day extension but, within the original time limit, must notify the patient in writing of the reasons for the delay and the date by which it will process the access request.
- The denial must be in plain language and must contain:
- The basis for the denial;
- A statement of the patient’s review rights, if any, including a description of how the patient may exercise such review rights; and
- A description of how the patient may complain to UW–Madison (see section X. below) or to the Secretary of the U.S. Department of Health and Human Services. The description must include the name or title, and telephone number of the UW–Madison HIPAA privacy officer.
- If the UW HCC unit denies access because the UW HCC unit does not have the protected health information that is the subject of the request and the UW HCC unit knows where that information is maintained, the UW HCC unit will inform the patient where to direct the request for access.
- The UW HCC unit will, to the extent possible, give the patient access to or copies of any other protected health information requested, after removing the protected health information to which the UW HCC unit has grounds to deny access.
- Review of Denial of Access.
- If access is denied on a ground that requires an opportunity for review of the denial, the patient has the right to have the denial reviewed by a licensed health care professional who is designated by the UW HCC unit to act as a reviewing official and who did not participate in the original decision to deny. If feasible, the review should be done by a professional who is a supervisor of the person making the denial or another person in that clinic.
- The patient must initiate the review of a denial by making a request for review to the UW HCC unit. If the patient has requested a review, the UW HCC unit will provide or deny access in accordance with the determination of the reviewing professional, who will make the determination within a reasonable period of time.
- The UW HCC unit will promptly provide written notice to the patient of the determination of the reviewing professional. No further review of the denial is required.
Consequences for Noncompliance
Failing to comply with this policy may result in discipline for the individual(s) responsible for such non-compliance.
Further, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s noncompliance may result in institutional noncompliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into corrective action plans and resolution agreements. Failure to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties.