Report on 2016-2017 HIPAA Audits
Does it explain the appeals process the individual can use if their request is denied? [12]
FIGURE 11 COVERED ENTITY ACCESS POLICY AND PROCEDURES--KEY CONSIDERATIONS
AUDIT RESULTS:
Summary of P65 Analysis
Almost all covered entities audited (89%) failed to show they were correctly implementing the
individual right of access. Certain themes recurred in their documentation.
• Inadequate documentation of access requests. Many covered entities stated that they had never received an access request. This suggests a possible misunderstanding of the standard, as it is common for a patient to request a copy of lab results, immunization records, or a copy of a bill. Some covered entities did not maintain adequate records of how and when they responded to a request. For example, one entity recorded no dates for the request or response. In another example, the entity responded more than 30 days after receipt of the request without following the written extension requirements.
• Insufficient evidence of policies for individuals to request and obtain access to PHI. For
example, one entity provided a form used by patients to name an authorized
representative as its access policy.
• Inadequate or incorrect policies and procedures for providing access.
o Procedures that required individuals to submit signed authorization forms – which
exceed what is required for a right of access request. Further, because an entity is
not required by the Privacy Rule to disclose records pursuant to an authorization,
requiring authorization forms for right of access requests implies that the entity
can ignore a request for access without following the required procedures for a
written denial, such as providing the individual with written notice and informing
the individual of the right to request a review of the denial decision.
o Policies that incorrectly state that the entity could deny access to PHI in a designated record set, such as lab test results, [13] or prescription medication history.
o Lack of policies for honoring requests for information to be provided to a designated third party. [14]
o No provision enabling an individual to state her desired form and format for receiving the PHI, such as a particular electronic form. For example, one request form limited the choices to fax, mail, or in-office pick-up.
o Policy that did not address situations where a patient requests access to records
not maintained by the entity.
[12] § 164.524(a)(3) Reviewable ground for denial, and (a)(4) Review of a denial of access; also § 164.524(d) Implementation specifications: Denial of access.
[13] As of October 6, 2014, individuals have the right to access test reports directly from clinical laboratories subject to HIPAA and, as of January 23, 2020, when the covered entity uses or maintains an electronic health record, to direct that electronic copies of those test reports be transmitted to persons or entities designated by the individual. See https://www.hhs.gov/hipaa/for-professionals/special-topics/clia/index.html, and footnote 6.
[14] See footnote 6 regarding Ciox Health, LLC v. Azar, et al., which held that the individual’s right to direct PHI to a third party is limited to an electronic copy of PHI in an electronic health record. The court also held that the reasonable, cost-based fee limitation does not apply when directing PHI to a third party.