E-News Exclusive
By Joe Licata
A patient’s health information is some of the most highly protected data under the law. Over the last two decades, HIPAA has governed how protected health information (PHI) is shared, exchanged, and accessed. One of HIPAA’s main goals is to ensure that medical records are only released to a party authorized to receive them.
While it’s important that medical records remain secure, it’s equally important that they’re accessible to patients without too many barriers. Enter patient right of access requests. This provision in HIPAA allows patients or personal representatives of patients to request and receive medical records with fewer barriers (and, therefore, fewer protections) than in a traditional HIPAA authorization.
In this article, we’ll break down right of access requests vs HIPAA authorizations for medical records, including the main purposes, differences, and protections that come with each.
HIPAA Authorization: When It’s Required
HIPAA authorization is what most people picture when they think of a medical record request. It is a formal process that requires an explicit, written authorization spelling out exactly how the data may be used (e.g., only as part of a research study on lung cancer for a stated period of time). A patient can decline to sign an authorization, and a signed authorization can be revoked in writing at any time, although revocation does not undo disclosures already made in reliance on it.
The key elements of a HIPAA authorization include the following:
• Purpose: Typical purposes are marketing activities, the sale of PHI, research not covered by the Privacy Rule’s limited data set provisions, and disclosures to third parties such as attorneys, insurance companies (in certain circumstances), or other entities not directly involved in the patient’s care.
• Scope: The scope is generally limited to the specific use case identified in the authorization and likely only includes a subset of a patient’s medical records as opposed to the entire designated record set.
• Who Can Authorize: The patient whose PHI is being disclosed must provide explicit, written consent that clearly states the specific uses for the data being released. Where the patient is not capable of providing it, authorization can be provided by a personal representative such as a parent for a minor, an individual with power of attorney, a court-appointed guardian, or an estate administrator.
• Requirements: The authorization must specify the PHI to be disclosed, the purpose of the disclosure, the entities or persons to whom the information will be disclosed, and the expiration date or event, and it must be signed and dated by the individual or their personal representative.
What’s the Difference With a Right of Access Request?
A right of access request refers to the statutory right of patients to access their own PHI held by covered entities, such as health care providers and health plans. This right is established under the HIPAA Privacy Rule, specifically 45 CFR § 164.524.
The right is meant to let patients manage and understand their own health information, so the request process is deliberately simpler than a HIPAA authorization.
The key elements of a right of access request include the following:
• Purpose: The primary purpose is to allow individuals to review, inspect, and obtain copies of their health information. This empowers patients to manage their health, make informed decisions, and ensure the accuracy of their medical records.
• Scope: The scope is generally broad, covering all PHI in a designated record set, which includes medical records, billing records, and other records used to make decisions about individuals. Unlike a HIPAA authorization, a right of access request has no expiration date and nothing to revoke: once the records have been released to the patient, they are outside the covered entity’s control and there is no going back.
• Who Can Request: Only the individual or their personal representative has the right to access information under this type of request.
• Requirements: No formal authorization is needed, but the patient still has to make the request (generally in writing, although verbal requests can be accepted) and have their identity verified before information is released. The covered entity must act on the request within 30 days of receipt; a single extension of up to 30 more days is allowed if the entity notifies the individual in writing of the reason for the delay and the date by which it will respond.
How Do HIPAA Protections Differ for Each Request Type?
From a release of information standpoint, both request types include an element of authorization and/or verification to protect the patient from unauthorized disclosures of their information. But HIPAA protections look different once that information has been released.
Information released under a HIPAA authorization remains tied to the terms of that authorization after it leaves the covered entity: the disclosure is limited to the stated purpose, recipients, and expiration, and a recipient that is itself a covered entity or business associate remains subject to HIPAA, including the requirement to report a data compromise. For example, an attorney who obtains records via a HIPAA authorization is accountable for using them only for the purpose and period the authorization states, and for observing any redisclosure limits that apply to them.
For a right of access request, once the information has been released to the patient or an authorized personal representative, the picture is different. HIPAA provisions such as redisclosure limits and data compromise requirements do not govern what patients do with their own records. That makes sense: HIPAA is designed to protect a patient’s data when it is out of the patient’s hands, and under a right of access request the information is, by definition, in the patient’s hands and outside HIPAA’s protection framework.
Because protections differ after release, it is important that right of access requests come only from patients or their personal representatives. We have seen third parties attempt to request records under right of access, but that is not an appropriate use of the provision, precisely because HIPAA offers limited protection once that data is released. Third-party requests should be made through a HIPAA authorization so that the requestor is accountable for how the data is used. Right of access requests are intended for the patient’s personal use rather than for litigation, so records needed for a legal proceeding should likewise be obtained through a HIPAA authorization.
Final Thoughts
While both right of access requests and HIPAA authorizations involve the handling of PHI, they serve distinct purposes. Right of access requests give individuals control over their own health information, whereas HIPAA authorizations let individuals control how their information is used or disclosed beyond the typical scope of treatment, payment, and health care operations. Understanding these differences is essential for health information management (HIM) leaders to navigate the complexities of health information privacy effectively.
— Joe Licata, JD, is the chief operating officer and general counsel for HealthMark Group, where he is the driving force behind the company's commitment to operational excellence. In his role, he oversees day-to-day operations and collaborates with cross-functional teams to optimize processes that enhance patient care and drive success for the millions of patients and thousands of providers that HealthMark serves.
Licata is also the leader for both the HealthMark privacy office and HIPAA steering committee, where he leverages his health care regulatory knowledge to ensure HealthMark maintains the highest standards for the handling and dissemination of confidential patient health information. He’s an active member of the Association of Health Information Outsourcing Services, the Association of Corporate Counsel, and the Texas Bar Association, Health Law Section.
Licata’s professional experience includes expertise in process automation, privacy and security, internet and e-commerce transactions, HIPAA, and other health care regulatory matters. He holds a BS from Texas A&M University and a JD from Southern Methodist University, where he was a Walsh Scholar.