Are there any limits or exceptions to the individual’s right to have the individual’s PHI sent directly to a third party?

This guidance remains in effect only to the extent that it is consistent with the court’s order in Ciox Health, LLC v. Azar, No. 18-cv-0040 (D.D.C. January 23, 2020), which may be found at https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2018cv0040-51. More information about the order is available at https://www.hhs.gov/hipaa/court-order-right-of-access/index.html. Any provision within this guidance that has been vacated by the Ciox Health decision is rescinded.

The right of an individual to have PHI sent directly to a third party is an extension of the individual’s right of access; consequently, all of the provisions that apply when an individual obtains access to her PHI apply when she directs a covered entity to send the PHI to a third party. As a result:

• This right applies to PHI in a designated record set;
• Covered entities must take action within 30 days of the request;
• Covered entities must provide the PHI in the form and format and manner of access requested by the individual if it is “readily producible” in that manner; and
• The individual may be charged only a reasonable, cost-based fee that complies with 45 CFR 164.524(c)(4).

Further, the same limited grounds for denial of access that apply when the individual is receiving the PHI directly apply in cases where the individual requests that the PHI be provided to a designated third party. See 45 CFR 164.524(a)(2) and (a)(3). Thus, for example, a covered entity may deny an individual’s request to send PHI to a designated third party when the request is for psychotherapy notes or PHI for which a licensed health care professional has determined, exercising professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person. The provisions of the Privacy Rule providing for review of certain denials of access apply in this circumstance as well. See 45 CFR 164.524(a)(3) and (a)(4). However, a covered entity may not deny an individual’s access request to send PHI to a third party for other purposes. Thus, disagreement with the individual about the worthiness of the third party as a recipient of PHI, or even concerns about what the third party might do with the PHI (except for the express reasons listed in the Privacy Rule, such as in cases where life or physical safety is threatened), are not acceptable reasons to deny an individual’s request.