Expanded HHS Guidance Clarifies Patient Right of Access Under HIPAA
The U.S. Department of Health and Human Services (HHS) has released updated guidance clarifying the scope of patients’ rights to access their own protected health information (PHI) under the HIPAA Privacy Rule. Chiropractic physicians in Illinois should be aware that these clarifications further affirm a patient’s right to obtain a broad range of records, as the rules also reinforce the limits on when access may be denied.
Scope of PHI Patients May Access
HHS confirms that, with limited exceptions, individuals have the right to access any PHI maintained in a “designated record set” by or for their health care providers or health plans. This includes:
- Medical records
- Billing records
- Payment records
- Claims records
- Health plan enrollment records
- Case management records
- Insurance information
- Clinical laboratory test reports
- X-rays and other imaging
- Wellness and disease management program information
- Consent forms for treatment
- Clinical case notes, including SOAP notes (but excluding certain psychotherapy notes)
- Records obtained from other health care providers that are maintained in the patient’s file
- Any other records used, in whole or in part, by or for the provider to make decisions about the patient
Access rights also extend to PHI maintained by a provider’s business associate, such as outsourced billing companies or cloud-based EHR vendors.
Records Patients Cannot Access
Some records containing PHI are excluded from the access requirement because they are not part of the designated record set. These include materials used for quality improvement, peer review, provider performance evaluations, internal business planning, formulary development, psychotherapy notes kept separate from the medical record, and information prepared for legal proceedings. However, any underlying PHI from the patient’s medical or payment records that was used to create these materials remains accessible.
Key Clarifications for Chiropractic Physicians
- Providers are not required to create new records or explanatory materials in response to an access request; they must only provide existing PHI from the designated record set.
- Patients are entitled to the specific PHI they request, not the entirety of their record, unless they ask for it.
- Access must be granted for existing records, regardless of record format (paper or electronic) and regardless of the age of the record. (Note: providers are required to comply with standard of care for duration of record retention but are not required to create or recreate records that do not exist at the time of the access request.)
- The 30-day maximum response time remains in place, but HHS emphasizes the expectation that many requests should be fulfilled much more quickly, particularly when records are maintained electronically.
Practical Compliance Considerations
For chiropractic physicians in Illinois, this updated guidance reinforces existing HIPAA obligations already discussed in ICS resources. However, the update highlights several operational points to review:
- Ensure your office can identify all designated record sets and retrieve information from both in-house systems and business associates.
- Train staff to distinguish between PHI subject to access rights versus excluded records.
- Review patient request forms to ensure they do not impose unnecessary barriers, such as requiring in-person appearance or the use of a specific portal.
- Confirm processes for delivering PHI in the format requested, when readily producible, and for documenting any exceptions.
The trend from HHS is clear: patient access to records is a fundamental right, and providers are expected to have efficient, patient-friendly processes in place. As always, ICS will continue to monitor for additional changes and provide members with updates.
