This is archived HHS content.
Skip to main content
HHS
.gov
Health Information Privacy
Search
U.S. Department of Health & Human Services
Search
Close
HHS A-Z Index
HIPAA for Individuals
Filing a Complaint
HIPAA for Professionals
Newsroom
HHS
>
HIPAA Home
>
For Professionals
>
FAQ
> Right to Access and Research
Text Resize
A
A
A
Print
Share
FAQs Categories
Authorizations (30)
Business Associates (42)
Compliance Dates (2)
Covered Entities (14)
Decedents (8)
Disclosures for Law Enforcement Purposes (7)
Disclosures for Rule Enforcement (2)
Disclosures in Emergency Situations (2)
Disclosures Required by Law (6)
Disclosures to Family and Friends (28)
Disposal of Protected Health Information (6)
Facility Directories (7)
Family Medical History Information (3)
FERPA and HIPAA (10)
Group Health Plans (3)
Health Information Technology (41)
Incidental Uses and Disclosures (10)
Judicial and Administrative Proceedings (8)
Limited Data Set (5)
Marketing (18)
Marketing - Refill Reminders (16)
Mental Health (35)
Minimum Necessary (14)
Notice of Privacy Practice (20)
Personal Representatives and Minors (13)
Preemption of State Law (10)
Privacy Rule: General Topics (12)
Protected Health Information (2)
Public Health Uses and Disclosures (13)
Research Uses and Disclosures (20)
Right to Access and Research (58)
Right to an Accounting of Disclosures (8)
Right to File a Complaint (1)
Right to Request a Restriction (2)
Safeguards (13)
Security Rule (25)
Smaller Providers and Businesses (147)
Student Immunizations (8)
Telehealth (11)
Transition Provisions (3)
Treatment, Payment, and Health Care Operations Disclosures (30)
Workers Compensation Disclosures (5)
Right to Access and Research
If someone has a health care power of attorney for an individual, can they obtain access to that individual's medical record?
Can the personal representative of an adult or emancipated minor obtain access to the individual's medical record?
How can family members of a deceased individual obtain the deceased individual's protected health information that is relevant to their own health care?
Does the HIPAA Privacy Rule allow parents the right to see their children’s medical records?
If a child receives emergency medical care without a parent's consent, can the parent get all information about the child's treatment and condition?
Does the HIPAA Privacy Rule require a business associate to provide individuals with access to their protected health information or an accounting of disclosures, or an opportunity to amend protected health information?
What does the HIPAA Privacy Rule say about a research participant's right of access to research records or results?
If patients request copies of their medical records as permitted by the Privacy Rule, are they required to pay for the copies?
Does the HIPAA Privacy Rule require that covered entities provide patients with access to oral information?
How would a covered entity or health information organization (HIO), acting on its behalf, know if someone were a personal representative for the purpose of granting access under the HIPAA Privacy Rule?
How may judgments be made electronically about denial of access under the HIPAA Privacy Rule?
May a covered entity charge individuals a fee for providing the individuals with a copy of their PHI?
What labor costs may a covered entity include in the fee that may be charged to individuals to provide them with a copy of their PHI?
May a covered health care provider charge a fee under HIPAA for individuals to access the PHI that is available through the provider’s EHR technology that has been certified as being capable of making the PHI accessible?
May a covered entity that uses a business associate to act on individual requests for access pass on the costs of outsourcing this function to individuals when they request copies of their PHI?
Must a covered entity inform individuals in advance of any fees that may be charged when the individuals request a copy of their PHI?
How can covered entities calculate the limited fee that can be charged to individuals to provide them with a copy of their PHI?
Is $6.50 the maximum amount that can be charged to provide individuals with a copy of their PHI?
Are costs authorized by State fee schedules permitted to be charged to individuals when providing them with a copy of their PHI under the HIPAA Privacy Rule?
A State law requires that a health care provider give individuals one free copy of their medical records but HIPAA permits the provider to charge a fee. Does HIPAA override the State law?
When do the HIPAA Privacy Rule limitations on fees that can be charged for individuals to access copies of their PHI apply to disclosures of the individual’s PHI to a third party?
May a health care provider withhold a copy of an individual’s PHI from the individual who requested it because the covered entity used the individual’s payment of the allowable fee for the copy to instead pay an outstanding bill for health care services provided to the individual?
Can an individual be charged a fee if the individual requests only to inspect her PHI at the covered entity (i.e., does not request that the covered entity produce a copy of the PHI)?
Can an individual, through the HIPAA right of access, have his or her health care provider or health plan send the individual’s PHI to a third party?
Are there any limits or exceptions to the individual’s right to have the individual’s PHI sent directly to a third party?
Can an individual’s personal representative, through the HIPAA right of access, have the individual’s health care provider or health plan send the individual’s PHI to a third party?
What is the liability of a covered entity in responding to an individual’s access request to send the individual’s PHI to a third party?
What is a covered entity’s obligation under the Breach Notification Rule if it transmits an individual’s PHI to a third party designated by the individual in an access request, and the entity discovers the information was breached in transit?
Why depend on the individual’s right of access to facilitate the disclosure of PHI to a third party – why not just have the individual execute a HIPAA authorization to enable the covered entity to make this disclosure?
What personal health information do individuals have a right under HIPAA to access from their health care providers and health plans?
Does an individual’s right under HIPAA to access their health information apply only to the information a health care provider maintains about the individual in an Electronic Health Record (EHR), or paper medical record?
Does the individual have a right to access PHI about themselves maintained by a covered entity that is very old or is archived?
Does an individual have a right to access all of the information a covered entity maintains in the individual’s medical record?
Under what circumstances may a covered entity deny an individual’s request for access to the individual’s PHI?
Does an individual have a right under HIPAA to access PHI about the individual maintained by a business associate of a covered entity?
Does an individual have a right under HIPAA to access from a clinical laboratory the genomic information the laboratory has generated about the individual?
Does an individual have a right under HIPAA to access more than just test results from a clinical laboratory?
How timely must a covered entity be in responding to individuals’ requests for access to their PHI?
Under the EHR Incentive Program, participating providers are required to provide individuals with access to certain information on much faster timeframes (e.g., a discharge summary within 36 hours of discharge, a lab result within 4 business days after the provider has received the results) than under HIPAA. How do these requirements operate together?
Why does HIPAA give covered entities 30 days to respond to individuals’ requests for access to their PHI? In the digital age, allowing covered entities 30 days to provide individuals with access to their health information seems too long; individuals need this information promptly to manage their health and health care.
In some cases, the 30-day timeframe from a request to provide an individual with access to her PHI may not be sufficient time for a clinical laboratory to complete the test report that is the subject of the individual’s request. What can a clinical laboratory do in these cases?
Under the HIPAA Privacy Rule, do individuals have the right to an electronic copy of their PHI?
If an individual requests an electronic copy of the individual’s PHI that the covered entity maintains only on paper, is the covered entity required to scan the paper records to create an electronic copy of the PHI for the individual?
When an individual exercises her HIPAA right to get an electronic copy of her PHI, can the individual choose the electronic format of the copy?
What is the intersection of the HIPAA right of access and the HITECH Act’s Medicare and Medicaid Electronic Health Record Incentive Program’s “View, Download, and Transmit” provisions?
Does an individual have a right under HIPAA to access his PHI in a particular technical standard?
Do individuals have a right under HIPAA to get copies of their x-rays or other diagnostic images, and if so, in what format?
Do individuals have the right under HIPAA to have copies of their PHI transferred or transmitted to them in the manner they request, even if the requested mode of transfer or transmission is unsecure?
Is a covered entity responsible if it complies with an individual’s access request to receive PHI in an unsecure manner (e.g., unencrypted e-mail) and the information is intercepted while in transit?
Do individuals have a right under HIPAA to have their PHI downloaded on portable media that they provide?
Do individuals have a right under HIPAA to have a covered entity establish a direct connection between the covered entity’s system and the individual’s app or device in order to provide the individuals with access to their PHI?
Does an individual have a right under HIPAA to access their health information in human readable form?
Is a health care provider permitted to deny an individual’s request for access because the individual has not paid for health care services provided to the individual?
If an individual’s physician orders a test from a clinical laboratory that may take multiple steps or a series of tests to complete, at what point does the test report become part of the laboratory’s designated record set to which an individual has a right of access?
Is a clinical laboratory required to provide an individual with access to a test report that is not yet complete?
If an individual requests access from a clinical laboratory to a test report on the individual, is the laboratory required to interpret the test results for the individual?
Under HIPAA, when can a family member of an individual access the individual’s PHI from a health care provider or health plan?
May a covered entity accept standing requests from individuals to access their PHI or to have their PHI sent to a third party of their choice?
Back to
T
op
This is archived HHS content.