Patients have a right to a copy of their protected health information under HIPAA
The Health Insurance Portability & Accountability Act grants to individuals a right of access to inspect and obtain a copy of their protected health information in the designated record set of a covered entity, for as long as the PHI is maintained in the designated record set. But prior to HIPAA, requests for PHI were occurring at the pharmacy. Consider the routine request for a "printout" of prescriptions dispensed over the past year.
It is essential to recognize that the right to access PHI granted by HIPAA extends beyond a printout of Rxs dispensed. To produce such a printout, the pharmacy likely used a function of the Rx dispensing software to create a relatively simple list of Rxs dispensed. Information on this list may have included the patient name, drug name, quantity dispensed, and amount paid.
While such a list may have been provided to the patient, the actual electronic patient profile maintained by the pharmacy likely was not provided. Indeed, providing the actual profile would not be necessary if the patient's request was for prescriptions over the past year since the profile contained information for a longer period. But under HIPAA, the patient has a right to inspect and obtain a copy of the actual patient profile maintained by the pharmacy.
HIPAA defines a designated record set as a group of records maintained by or for a covered entity that is:
For purposes of this definition, the term record means any item or collection of information that includes PHI and is maintained, used, or disseminated by or for a covered entity. Records that come to mind include Rxs on file, patient profiles, and billing/claims records.
But upon a request for access to PHI, the privacy official should ensure that access is allowed to all records containing PHI. For example, if the pharmacy requires patients to complete a form to collect information for incorporation into the electronic patient profile, and the form is maintained by the pharmacy, access to the form should be provided.
Three exceptions exist to the granting of access to PHI. They are:
In relation to these exceptions, HIPAA permits a covered entity to deny access to PHI on the basis of "unreviewable grounds" and "reviewable grounds." Unreviewable grounds of significance to a pharmacy are the following:
Reviewable grounds of significance to a pharmacy are the following:
If the basis for denial of access is a reviewable ground, the individual has a right to have the denial reviewed by a health professional designated by the covered entity to act as a reviewing official and who did not participate in the original decision to deny the request. The covered entity must provide or deny access in accordance with the decision of the reviewing official.
Finally, there are a number of "implementation specifications" with which the covered entity must comply, such as responding within 30 days of the receipt of the request and notifying the individual in writing if the request is denied, including whether the denial is based upon an unreviewable or reviewable ground. These specifications can be found by referring to 45 CFR 164.524 in the HIPAA resource maintained by the pharmacy. (For more on HIPAA, see "Solutions for compliance with HIPAA regulations".)
Walter Fitzgerald. HIPAA Today: Individual access to PHI vs. Rx printout. Drug Topics Oct. 20, 2003;147:39.