Under the Privacy Rule, individuals have the right to:
- Review and obtain a copy of their Protected Health Information - The Rule excepts from the right of access the following PHI:
- Psychotherapy notes
- Information compiled for legal proceedings
- Laboratory results to which the Clinical Laboratory Improvement Act (CLIA) prohibits access
- Information held by certain research laboratories
Note: Covered entities may deny access in certain situations, such as when a health care professional believes access could cause harm to the individual or another. In such situations, the individual must be given the right to have such denials reviewed by a licensed health care professional for a second opinion.
(Covered entities may impose reasonable, cost-based fees for the cost of copying and postage).
- Make Amendments to PHI -The Rule gives individuals the right to have entities amend their PHI when they feel that information is inaccurate or incomplete. If a covered entity accepts an amendment request, it must make a reasonable effort to provide the amendment to persons that the individual has identified as needing it, and to persons that the entity knows might rely on the information. If the request is denied, entities must provide the individual with a written denial and allow the individual to submit a statement of disagreement for inclusion in the record. A covered entity must amend PHI upon receipt of notice to amend from another covered entity.
- Disclosure Accounting - Individuals have a right to know when and to whom, records have been disclosed.
The maximum disclosure accounting period is six years immediately preceding the accounting
request. The Privacy Rule does not require accounting for disclosures for:
- Treatment, payment, and other health care operations
- Disclosures made to individual or the individuals' personal representative
- Notification of or to persons involved in an individual's care or payment for health care, for disaster relief, or for facility directories
- Pursuant to an authorization
- Disclosures of limited data sets
- For national security or intelligence purposes
- Disclosures made to correctional institutions or law enforcement officials for certain purposes regarding inmates or individuals in lawful custody
- Disclosures permitted or required
- Right to Request Restriction - Individuals have the Right to request that entities restrict use and disclosure
of PHI for:
- Treatment, payment, or health care operations
- Disclosures to persons involved in the individual's care or payment for health care
- Disclosures to notify family members or others about he individual's general condition, location or death
A covered entity is under no obligation to agree to requests for restrictions. A covered entity that does agree must comply with the agreed restrictions, except for purposes of treating the individual in a medical emergency.
- Confidential Communications Requirements - Health plans and covered health care providers must permit individuals to request an alternative means or location for receiving communication of PHI by means other than those that the covered entity typically employs. For example, an individual may request that the provider communicate with the individual through a designated address or phone number. Similarly, an individual may request that the provider send communications in a closed envelope rather than a post card.
Health plans must accommodate reasonable requests if the individual indicates that the disclosure of all or part of the PHI could endanger the individual. The health plan may not question the individual's statement of endangerment.