TheHIPAAPrivacyRule’sRightOfAccessandHealthInformationTechnology
4
CONTENT‐ DESIGNATEDRECORDSETS
An individual’s right of access generally applies to the information that exists within a covered
entity’s designated record set(s), including: (1) a health care provider’s medical and billing
records, (2) a health plan’s enrollment, payment, claims adjudication, and case or medical
management record systems, and (3) any information used, in whole or in part, by or for the
covered entity to make decisions about individuals. A record is any item, collection, or
grouping of information that includes PHI and is maintained, collected, used, or disseminated
by or for the covered entity. See 45 C.F.R. § 164.501 (definition of “designated record set”).
Covered entities that use electronic records (e.g., EHRs or electronic claims systems) will want
to remain cognizant that the right of access applies regardless of the information’s format. The
term “designated record set,” therefore, cannot be limited to information contained in an
electronic record, but also will include any non-duplicative, electronic or paper-based
information that meets the term’s definition. While overlap may initially exist between
electronic and paper-based record sets, covered entities will likely find their access-related
obligations to be less time and labor intensive the more PHI they convert to being electronic.
Further, a covered entity that utilizes a business associate to maintain or otherwise operate its
electronic records will want to ensure the business associate is obligated to share non-
duplicative information pursuant to electronic access requests. The same would be true if a
health information organization (HIO), as a business associate, maintains an electronic
repository of some or all of a covered entity’s PHI.
FORM OR FORMAT OF ACCESS PROVIDED
The Privacy Rule requires covered entities to provide access to the PHI in the form or format
requested by the individual, if it is readily producible in such form or format. If the PHI is not
readily producible in the form or format requested, access must be provided in a readable hard
copy form, or in the alternative, some other form or format as agreed to by the covered entity
and the individual. The covered entity also may provide the individual with a summary of the
PHI or may provide an explanation of the PHI which has been provided, so long as the
individual agrees to the alternative form and associated fees. See 45 C.F.R. § 164.524(c)(2).
To the extent individuals request that access to their PHI be provided in an electronic form or
format, covered entities’ utilization of electronic records will likely increase the amount of PHI
that is “readily producible” in electronic form, thereby benefiting both the requesting
individual, as well as the covered entity:
Electronic access may provide individuals with more timely access to more information
in a more convenient manner. For example:
• Electronic copies of PHI may be downloaded to USB thumb-drives or copied to
compact discs relatively quickly and may provide individuals with a more
convenient means of transporting and maintaining the information.