Proposed changes to an individual (patient’s) right of access

January 12, 2022 / By Kelly Long, BS, CPC, CPCO

Throughout my 25 years working in the health care industry, I have always had a passion for compliance; and my career path reflects that passion. As a 3M HIS compliance and security program coordinator for the HTD-performance management division, I work in collaboration with fellow compliance, security and privacy colleagues to ensure adherence to rules and regulations.

When the United States Department of Health and Human Services (HHS) proposed to modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to expand an individual (patient’s) right of access to their medical record in January 2021, I, as well as many others took notice.

Anything that has the potential to affect operations within the health care industry will require not only a strong understanding of the proposed changes, but also updates to existing policies, procedures and security standards, changes to data and business use agreements, notices of privacy practices, as well as authorization and disclosure forms to include the new HIPAA Privacy Rules for patient’s right of access.

These changes will not occur until HHS publishes its final rule. Currently, HHS is still reviewing submitted comments. With such an outpouring of responses, it was no surprise that the comment period for the proposed rule, which would have ended originally on March 22, 2021, was extended to May 6, 2021. Essentially these proposed changes have come about as HHS is using HIPAA Individual Access Rights to strengthen and expand a patient’s rights while aligning with information blocking rules. Frankly, HIPAA needed to be modernized to account for digital health as it is here to stay.

Here is an overview of the proposed changes:

Adding definitions for the terms electronic health record (EHR) and personal health application (PHA). PHAs are direct-to-consumer applications used for the patient’s own purposes, such as to monitor their health status and access their protected health information (PHI) using an app. By adding this definition under the HIPAA Individual Right of Access, HHS is adding the transmission of PHI to PHAs as a form of access that a patient can request.

  • Modifying provisions on the individual’s right of access to PHI by: Strengthening individuals’ rights to inspect their PHI in person, which includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI. It is important to note that this does not include allowing the individual to connect a personal device, such as a thumb drive, to information systems as this could pose a serious security risk.

Shortening the required response time to no later than 15 calendar days (from the current 30 days) with potential for an extension of an additional 15 calendar days. Many entities are also subject to the 21st Century Cures Act Information Blocking Rule. This rule already prohibits health care providers from unreasonably delaying access to an individual’s electronic health information.

HHS proposed providing individuals with the right to direct providers to transmit an electronic copy of PHI stored in an EHR directly to a third party designated by the individual. Requests can be submitted via oral, electronic or written means. The only requirements are that the request is clear, conspicuous and specific. However, the handling of an individual’s requests for their information to be sent to a third party by EHR is a major concern, as this may result in non-HIPAA entities access and use of sensitive information about a patient’s health. These entities should be subject to privacy and security standards commensurate with HIPAA rules.

  • Proposed changes on fees. No fee should be charged when an individual inspects their PHI in person or uses an internet-based method to view or obtain a copy of electronic PHI maintained by or on behalf of the covered entity.

1. Regarding an access request to direct an electronic copy of PHI in an EHR to a third party, HHS specifies that covered entities can charge a fee for the labor of copying the PHI and for preparing a summary of the PHI, but only if the individual has agreed that they want a summary created.
2. Covered entities must provide advance notice of fees for copies of PHI requested under the access right and with a patient’s valid authorization. 

  • The HHS rule proposal eliminates the requirement to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices (NPP).
  • There are also multiple HHS rule proposals pertaining to disclosures and exceptions, which I will cover in a separate blog.

Overall, the health care community is in support of the proposed rule’s goal of removing barriers for patients to access their health data to allow for better care coordination. However, concerns remain about compliance, and rightly so. The regulatory framework is already complex and we need assurance that HHS will ensure HIPAA requirements take precedence over other potentially overlapping guidelines.

There is no doubt change is coming and it is better to be proactive rather than reactive. Educate your staff on the proposed rule changes and begin preparation to add to or modify your existing policies and procedures regarding an individual (patient’s) right to access their medical data.  

Kelly Long is a compliance and security program coordinator with 3M Health Information Systems.


How do you ensure coding accuracy and compliance?