AHIMA Unveils New Resource Detailing Patients’ PHI Access Rights under HIPAA

by | Mar 4, 2017

The Health Insurance Portability and Accountability Act (HIPAA) allows patients to access a copy of their medical records in electronic or paper form. In 2016, the Department of Health and Human Services released a series of videos and documentation to outline patients’ right to access their health data.

Recently, the American Health Information Management Association (AHIMA) also released guidance – in the form of an online slideshow – further explaining patients’ access rights, what happens when requests are made to healthcare providers, possible fees, and the expected timescale for obtaining copies of PHI.

AHIMA explains that copies will not be provided instantly. As per HIPAA Rules, healthcare providers have up to 30 days to provide access copies of medical records. Many of the bodies will issue designated record sets well within that timeframe. However, in a number of cases, as long as there is a justifiable reason for doing so, a healthcare provider may seek a 30-day extension. In cases like these, it may take up to 60 days for patients to be given copies of their personal health data.

AHIMA has who healthcare providing entities are permitted to disclose this information: Patients or a nominated personal representative of patients – guidance has been issued on who that representative may be.

There are many models that can be used by healthcare providers for charging patients for copies of PHI. While the actual cost for making copies of medical records available may not be provided at the time the request is made, healthcare providers must advise patients of the estimated cost at the time the request is made. AHIMA outlines that if electronic health data is being provided via a patient portal, this will not be chargeable.

As HIPAA serves to protect the privacy of patients, healthcare providers are obliged to verify the identity of the individual making the request or a personal representative if that route is being utilized. A healthcare provider will therefore require official photographic ID to be produced prior to any records being accessed. A waiver will also need to be signed which verifys identity.

AHIMA says that obtaining copies of medical records is important as access to health data improves patient engagement. It also empowers them to make more informed choices about their personal healthcare.

While providers should be able to access their personal health data from other providers, that process is not always simple due to data incompatibility issues. It is therefore important that all patients have complete copies of their personal medical records so they can provide complete sets to new health care providers. Doing so will improves the coordination of care that is available to them.

Patients are reminded that they should also check their health records for any errors and omissions – known allergies for example. If an error or omission is found, a request to change the records should be made to the appropriate healthcare provider.

The AHIMA slideshow can be accessed here.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy