Does an individual’s right under HIPAA to access their health information apply only to the information a health care provider maintains about the individual in an Electronic Health Record (EHR) or paper medical record?

No. An individual has a broad right under the HIPAA Privacy Rule to access the PHI about the individual in all designated record sets maintained by or for a covered entity, whether in electronic or paper form, not just the designated record set that comprises the “medical record.” See 45 CFR 164.524(a). (However, if the same PHI is maintained in more than one designated record set, a covered entity need only produce the information once in response to a request for access.) A designated record set also includes billing and payment records, claims and insurance information, as well as other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. See the definition of “designated record set” at 45 CFR 164.501.

Content created by Office for Civil Rights (OCR)
Content last reviewed on June 24, 2016