HIPAA Policy Section 7.2: Right to Access Protected Health Information
System recognizes an Individual’s right to inspect and/or obtain copies of his or her own PHI contained in a Designated Record Set, to the extent the Individual is entitled to such access. This right is separate from any right an Individual may have to request records through the Texas Public Information Act.
7.2(1) An Individual’s Right to Make Written Request for Access to Designated Record Set
- Individuals requesting an opportunity to inspect and/or obtain copies of their PHI shall submit a written request to the Privacy Officer or to make a written request that their PHI be disclosed to a third party pursuant to the Individuals rights under HIPAA.
- If an Individual notifies staff of a System office of his or her desire to make such a request, the Office shall notify the Individual that s/he has a right to make written request to inspect or request copies of the desired records for the Individual or a third party, but only from the Privacy Officer and provide the Individual either a copy of or the website address where the form Request for Access to Protected Health Information is located and/or the Privacy Officer’s email address, Privacyofficer@utsystem.edu, in order to assist the individual with making a written, complete request.
- No one other than the Privacy Officer can accept an Individual’s request for his or her own designated record set. A copy of the Request Form is provided in the Appendix to this Manual. If the Individual orally notifies the Privacy Officer of a request, the Privacy Officer shall notify the Individual how to make such a request.
- An Individual or any other person seeking access to records pursuant to the Texas Public Information Acts shall be directed to the System website for information about how to make such a request. That website is http://www.utsystem.edu/openrecords.
- An Individual shall have access to PHI for as long as it is maintained in a Designated Record Set, subject to this Section. The Privacy Officer shall be responsible for receiving and processing requests for access by Individuals. The Privacy Officer shall have ultimate authority regarding whether such requests shall be granted or denied.
7.2(2) Verification of Requestor’s Identity
- Before PHI is released under this section to an Individual, the requesting person’s identity shall be verified in accordance with Section 4.10 of this Manual.
- An Individual’s Personal Representative shall have the right to access PHI to the same extent the individual has such right under this Section.
7.2(3) Time Period for Responding to a Request for Access. ￼
System shall provide access or a written denial to the Designated Record Set, as applicable, in response to an individual’s request for access within 30 days of the Privacy Officer’s receipt of the request, except that if System maintains the records in electronic form and can reasonably provide the records in electronic form in response to a request within 15 days, System shall provide such unless:
- The PHI is maintained off-site (including records held by a Business Associate), in which case access or written denial must be provided within 60 days; or
- System extends the deadline by providing the individual, within the 30-day or 60-day deadline, as applicable, a written statement of the reasons for the delay and the date by which action on the request will be completed, but in no case may this extension be for more than 30 days. System is allowed only one extension for a decision on a request for access.
7.2(4) Providing Access to Records in the Designated Record Set
- If an Individual makes a valid request for access to some or all of the requested PHI, such access shall be provided as follows:
- if the records are in electronic form and are readily producible by System in electronic form and electronic form is acceptable to Individual is readily producible, System shall provide the individual with access to the information in electronic form or format requested;
- if records are requested in a format requested by the Individual that is not readily producible, the Information may be produced in a readable hard copy format;
- if the Individual is requesting personal access to inspect, arrangements shall be made with the individual to establish a convenient time for him to inspect the records;
- if an Individual requests copies of PHI, System shall honor that request if fees for copying and mailing, which shall be reasonable, are paid in advance (if the requested PHI may be provided more quickly and inexpensively in an electronic format, the Individual shall be notified of this option); and
- an Individual may be provided with a summary of the information rather than the information itself if (i) the Individual agrees to receive a summary and (ii) the Individual agrees in advance to any fees that will be imposed in preparing the summary.
- If access to PHI is granted in part and denied in part, System shall provide the Individual with the granted access to the PHI, excluding (through redaction) the PHI for which access has been denied.
- System may shall charge a reasonable cost-based fee for providing access/copies, which includes (i) the cost of copying (supplies and labor), (ii) postage, and (iii) the cost of preparing a summary or explanation (if applicable) if the individual agrees to a charge in advance.
7.2(5) Denial of Access to PHI
- Access to PHI may be denied if:
- the PHI requested is not part of the Designated Record Set;
- the PHI requested is Psychotherapy Notes;
- the PHI requested was compiled by System in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding;
- the PHI requested was received from a source, other than a health care provider, under a promise of confidentiality, and providing access would be reasonably likely to reveal the source of the information;
- a designated health care professional has determined access should be denied access because in his or her professional judgment he or she believes that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person—this would not include the potential for causing emotional or psychological harm;
- a designated health care professional has decided to deny access because in his or her professional judgment he or she believes that the PHI contains a reference to a third person, and it is reasonably likely that access may ￼ cause substantial physical, emotional, or psychological harm to that other person; or
- a designated health care professional has decided to deny access because the person requesting the PHI is the Personal Representative of the Individual and in the professional’s judgment the provision of access is reasonably likely to cause substantial harm to the Individual who is the subject of the information or to another person.
- It is expected that the exceptions to open access will be employed rarely The reasons for denial listed set forth in paragraphs 7.2(5)(a)(i)-(iv) are not reviewable. Reasons for denial listed in paragraphs 7.2(5)(a)(v)-(vii) may be reviewed in accordance with subsection 7.2(7) of this Section.
7.2(6) Notice of Denial.
If access is to be denied in part or in whole, System shall provide written notice, in plain language and within the timeframes established by this Section to the requesting person of the following:
- the specific grounds for the denial;
- an Individual’s right to protest the denial to the Privacy Officer and to the Secretary and the name or title and phone number of the Privacy Officer, as well as a contact source for the Secretary;
- if the denial is reviewable, an Individual’s right to have the decision to deny access reviewed by another licensed health care provider, designated by System, who did not participate in the initial decision to deny access (the Individual may exercise this right by notifying the Privacy Officer in writing); and
- if the PHI is not in System Designated Record Set but System knows where the information is maintained, the Individual should be directed there to make a request for access.
7.2 (7)Review of Denials
- If an Individual is entitled to, and has requested, review of a denial of access, System shall designate a licensed health care professional who was not directly involved in the decision to deny access to be the designated reviewer and shall promptly refer such request to that reviewer. The reviewer shall determine within a reasonable period of time whether to deny access based upon the criteria listed in Subsection 5 of this Section. The decision of the official shall be final.
- System shall promptly notify the individual in writing of the determination of the reviewer, and if the reviewer finds that the Individual should be given access to inspect and/or copy his PHI, System shall provide that access as described in Subsection 7.2(4) of this Section.
7.2(8) Document Retention
System shall retain documentation of the Designated Record Sets that are subject to access by individuals in paper or electronic form in accordance with Section 9.2 of this Manual.
For each request, as applicable, System shall retain (i) the Individual’s written request for access; (ii) the Individual’s written response to the request including a notice of deadline extension (if any); (iii) if the request is denied, the Individual’s written request for review, if any, and written notice of the reviewer’s determination on review; and (iv) if the request is granted, a description of how access was provided and any summaries or explanations prepared by System. Such documents shall be retained in accordance with Section 9.2 of this Manual.
45 C.F.R. § 164.524
65 Fed. Reg. at 82538, 82547, 82554-58, 82731-36 (Dec. 28, 2000)
OCR Guidance at 28 (July 6, 2001)