New Guidance on Patient Data Access Issued by OCR

by | Jan 11, 2016

The Department of Health and Human Services’ Office for Civil Rights has started 2016 with the launch of a brand new website interface, and has now followed up on previous assurance by issuing new guidance on HIPAA.

This is the first in what is expected to be a regular series of new guidance, which tackles the issue of patient data access rights under HIPAA. The guidance is targeted not at healthcare providers and health insurers, but patients.

OCR Director, Jocelyn Samuels said “Far too often individuals face obstacles to accessing their health information, even from entities required to comply with the HIPAA Privacy Rule…This must change.”

The guidance issued, which takes the form of a Q&A, clarifies what data can be obtained by patients, including information about fincancial charges that can be applied by HIPAA-covered bodies for providing copies of medical data.

Patients are permitted to view the information that has been recorded by HIPAA-covered entities, and the HIPAA Privacy Rule allows the release of health information to patients or their nominated representative in “designated record sets.” Patients are also allowed to obtain a copy of that information.

Patients can ask for that their healthcare provider transmit their PHI to another person or body, such as a nominated representative or another healthcare provider. It does not matter whether the data has been recorded electronically or is on paper or images (x-rays, for example). Copies must be provided when asked for. Covered bodies are permitted to charge patients for providing that information, but only an amount to cover the actual costs of providing the data, not including the duration of time it has taken to prepare copies.

Patient advocates have heralded the new OCR guidance. Get My Health Data campaign coordinator, Christine Bechtel, stated “When all patients can get and use their health data electronically, they will be able to more fully engage in their health and care.” Lynne Thomas Gordon, CEO of the American Health Information Management Association, hopes that the new guidance will be of advantage to patients in other ways, and will “encourage providers to offer the first copy of health information to the patient at minimal or no charge.”

Under current rules and regulations, healthcare providers are required to provide access to PHI (or copies) on request, but have up to 30 days in order to make the information accessible. Since most healthcare providers now store PHI in electronic format, it therefore should be possible for obtain to data to be provided quickly. It is hoped that healthcare providers will make reasonable efforts to provide data access quickly, and will not use the 30-day maximum time limit and unnecessarily delay the provision of PHI to people.

This new guidance can be found on the following website:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy