Your Rights to Timely Access of Your Medical Records

Angelina Umstead

Generally speaking, under HIPAA Regulations, 45 CFR § 164.524(a), you have a right of access to inspect and obtain a copy of your protected health information, for as long as the protected health information is maintained in the designated record set. The covered entity (health care provider) must permit you to request access to inspect or to obtain a copy of your protected health information that is maintained in a designated record set. Subsection (b)(2) provides that the covered entity must act on a request for access no later than 30 days after receipt of the request. The covered entity must provide the access in a timely manner as required by paragraph (b)(2) of this section, including arranging with you for a convenient time and place to inspect or obtain a copy of the protected health information, or mailing the copy of the protected health information at your request. The covered entity may discuss the scope, format, and other aspects of the request for access with you as necessary to facilitate the timely provision of access.

Unfortunately, violations of these regulations likely do not give rise to a private cause of action or lawsuit. However, these regulations could be the basis for a letter to the covered entity asserting that you are entitled to have your request for your medical records acted upon within 30 days. While you likely cannot file a private cause of action for these particular violations, you are able to file a complaint against a covered entity that you believe has not complied with HIPAA regulations. The complaint should be filed with the U.S. Department of Health and Human Services at http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html. The Department of Health and Human Services’ Office of Civil Rights is the governmental body that has enforcement responsibility for HIPAA violations, and violators can be sentenced to prison time or fined for failure to comply. While harsh penalties like these are likely to be reserved for more serious violations, the fact that there are penalties might be worth addressing in a letter to the covered entity in order to get them to comply with HIPAA’s 30-day requirement.