5. Procedures
1. RIGHT OF ACCESS (45 CFR § 164.524)
1.1 Patients have the right to inspect and obtain a copy of their PHI in a designated record set.
1.2 Requests may be submitted in writing using the Patient Access Request Form. The practice may require written requests but shall not create barriers to access.
1.3 [PRACTICE NAME] shall respond to access requests within 30 calendar days of receipt. If additional time is needed, one 30-day extension is permitted with written notice to the patient explaining the reason and the expected date of completion.
1.4 The practice shall provide the records in the format requested by the patient if readily producible (e.g., electronic format if the records are maintained electronically), or in a mutually agreed-upon alternative format.
1.5 Fees: Under 45 CFR § 164.524(c)(4), the practice may charge only a reasonable, cost-based fee for a copy (or for an agreed summary or explanation) that is limited to: labor for copying the PHI; supplies for creating the paper copy or the requested electronic media; postage if the copy is mailed; and the cost of preparing a summary or explanation if the individual agreed to one in advance. Retrieval and search fees may NOT be charged. HHS recognizes three methods to calculate the allowable fee:
(a) actual allowable costs;
(b) a schedule of average allowable costs; or
(c) an OPTIONAL flat fee of up to $6.50 (inclusive of labor, supplies, and postage).
The $6.50 flat fee is NOT a universal cap on all copy fees — it is an optional method available only for a request for an ELECTRONIC copy of PHI that is maintained electronically. For all other requests, the practice must use the actual-cost or average-cost method. [Confirm any applicable STATE-SPECIFIC fee limit, which may be lower.]
Note: These fee limits apply to an individual's request for access to the individual's own PHI; following Ciox Health, LLC v. Azar (D.D.C. 2020), HHS has stated that the access fee limitation does not apply to an individual's written request to transmit a copy of PHI to a third party.
1.6 Denial: The practice may deny access only in the limited circumstances specified by 45 CFR § 164.524(a). Denials fall into two categories:
(a) UNREVIEWABLE grounds (45 CFR § 164.524(a)(2)) — the patient has NO right to have the denial reviewed. These include: psychotherapy notes; information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; certain inmate requests where access would jeopardize health, safety, security, custody, or rehabilitation; a temporary suspension of access for PHI created or obtained in the course of qualifying research in which the individual agreed in advance; certain Privacy Act records; and PHI obtained from someone other than a health care provider under a promise of confidentiality where access would be reasonably likely to reveal the source.
(b) REVIEWABLE grounds (45 CFR § 164.524(a)(3)) — the patient HAS the right to have the denial reviewed. These include: a licensed health care professional's determination that access is reasonably likely to endanger the life or physical safety of the individual or another person; PHI that references another person (other than a health care provider) where access is reasonably likely to cause substantial harm to that other person; and a personal representative's request where access is reasonably likely to cause substantial harm to the individual or another person.
For reviewable denials, the patient may have the denial reviewed by a licensed health care professional designated by the practice who did not participate in the original denial decision, and the practice must act in accordance with that reviewer's determination.
1.7 Patient-directed transmission: A patient may request that a copy of their PHI be transmitted directly to another person designated by the patient. The request must be in writing, clearly identify the designated person, and be signed by the patient.
2. RIGHT TO AMENDMENT (45 CFR § 164.526)
2.1 Patients have the right to request that [PRACTICE NAME] amend their PHI in a designated record set if they believe the information is inaccurate or incomplete.
2.2 Requests must be submitted in writing using the Amendment Request Form and must include the reason for the amendment.
2.3 [PRACTICE NAME] shall respond within 60 calendar days. One 30-day extension is permitted with written notice.
2.4 If the amendment is accepted: the practice shall make the amendment, inform the patient, and make reasonable efforts to inform persons identified by the patient and persons known to have received the unamended information.
2.5 If the amendment is denied: the practice shall provide a written denial stating the basis for the denial. The patient may submit a statement of disagreement. [PRACTICE NAME] may prepare a rebuttal. All materials (original request, denial, disagreement, rebuttal) shall be appended to or linked with the designated record set.
2.6 Grounds for denial include: the PHI was not created by [PRACTICE NAME], the PHI is not part of the designated record set, the PHI is accurate and complete, or the PHI is not available for access under 45 CFR § 164.524.
3. RIGHT TO AN ACCOUNTING OF DISCLOSURES (45 CFR § 164.528)
3.1 Patients have the right to receive an accounting of disclosures of their PHI made by [PRACTICE NAME] in the six years prior to the request.
3.2 The accounting shall include: the date of the disclosure, the name and address of the entity or person who received the PHI, a brief description of the PHI disclosed, and a brief statement of the purpose of the disclosure.
3.3 Disclosures exempt from accounting include: disclosures for treatment, payment, or healthcare operations; disclosures to the patient; disclosures authorized by the patient; disclosures for the facility directory or to persons involved in the patient's care; disclosures for national security or intelligence purposes; and disclosures to correctional institutions.
3.4 [PRACTICE NAME] shall respond within 60 calendar days. One 30-day extension is permitted with written notice.
3.5 The first accounting in any 12-month period shall be provided at no charge. A reasonable, cost-based fee may be charged for additional requests within the same 12-month period, provided the patient is informed of the fee in advance.
4. RIGHT TO REQUEST RESTRICTIONS (45 CFR § 164.522(a))
4.1 Patients may request restrictions on the use or disclosure of their PHI for treatment, payment, or healthcare operations.
4.2 [PRACTICE NAME] is not generally required to agree to a requested restriction, except: the practice must agree to restrict disclosures to a health plan for payment or healthcare operations purposes if the patient has paid for the service in full out of pocket and the disclosure is not required by law.
4.3 If [PRACTICE NAME] agrees to a restriction, the restriction must be documented and followed. The practice may terminate the restriction with patient notification; the termination applies only to PHI created or received after termination.
5. RIGHT TO CONFIDENTIAL COMMUNICATIONS (45 CFR § 164.522(b))
5.1 Patients may request that [PRACTICE NAME] communicate with them about health matters by a particular means or at a particular location (e.g., calling only a specific phone number, sending correspondence to a specific address).
5.2 [PRACTICE NAME] shall accommodate reasonable requests. The practice may not require an explanation for the request but may require the patient to provide an alternative means of contact.
6. DOCUMENTATION
6.1 All patient rights requests, responses, and associated documentation shall be retained for a minimum of six (6) years per 45 CFR § 164.530(j).
6.2 A Patient Rights Request Log shall be maintained to track all requests, their status, and the resolution.