The HIPAA Privacy Rule generally requires organization’s health plans and most health care providers (Covered Entities) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the organization.
This includes the right to inspect and/or obtain a copy of the PHI, as well as to direct the Covered Entity to transmit a copy to a designated person or entity of the individual’s choice.
Individuals have a right to access this PHI for as long as the information is maintained by the organization, regardless of the date the information was created, whether the information is in paper or electronic form.
Information Included in the Right of Access: The “Designated Record Set”
Individuals have a right to access PHI in a “designated record set.” A “designated record set” is defined as a group of records maintained by or for an organization that comprises the:
Medical records and billing records about individuals maintained by or for a health care provider;
Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
Other records that are used, in whole or in part, by or for the organization to make decisions about individuals.