Business Policies and Procedures Manual
Patient Access to Protected Health Information
For more information contact:
Compliance and Civil Rights
ITS Security Operations
509-335-1642 or 509-335-0404
The purpose of this policy is to:
- Define the right of patients to access their protected health information (PHI), as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA);
- Describe the circumstances under which it is appropriate to permit such access; and
- Set forth the procedures for approving or denying a patient request for access to their PHI.
The Washington Uniform Health Care Information Act (UHCIA) (Washington’s “mini-HIPAA law”) governs access to health care information as defined by state law. The Family Educational Rights and Privacy Act (FERPA) governs access to treatment or education records of eligible students receiving care in a WSU operated clinic. The HIPAA Privacy Rule specifically excludes from its coverage those records that are protected by FERPA by excluding such records from the definition of “protected health information.” (See U.S. Department of Education (DOE) and Health and Human Services (HHS), Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Records; updated Dec. 19, 2019).
Washington State University (WSU) providers treat students and nonstudents in University clinics. Student health client data is subject to FERPA and UHCIA, and nonstudent health client data is subject to HIPAA and UHCIA.
Each health care component (HCC), as defined in WSU’s Executive Policy Manual EP40, must comply with the applicable laws when assessing a patient’s right to access their personal information. For example, Washington State laws that provide individuals with greater rights of access to their PHI than the HIPAA Privacy Rule or treatment record under FERPA, or that are not contrary to the Privacy Rule or FERPA, are not preempted by HIPAA or FERPA and thus still apply.
In accordance with HIPAA (45 CFR 164.524) and the Washington Uniform Health Care Information Act (UHCIA) (RCW 70.02.080, RCW 70.02.090,) WSU recognizes that every patient has the right to access their PHI or health care information maintained in a designated record set.
WSU and/or WSU’s HCCs respond to every request for access in accordance with the requirements of the HIPAA Privacy Rule, the UHCIA, and/or FERPA and the procedures as defined in this policy. Contact the WSU Compliance and Civil Rights Health Sciences Compliance Department for assistance with authorization forms.
Right of Access
The WSU HCC Notice of Privacy Practices informs patients of their right to access their PHI.
A patient has a right of access to inspect and obtain a copy of PHI or health care information maintained by WSU in one or more designated record sets except for:
- Psychotherapy notes
- Information that is compiled in anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
Designated Record Set
A designated record set is defined as the following:
- A group of records maintained by or for a covered entity that:
- Includes the medical records and billing records about individuals maintained by or for a covered health care provider;
- Includes the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
- Is used, in whole or in part, by or for the covered entity to make decisions about individuals.
- For purposes of this definition, the term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.
A patient (or their personal representative) must make a written request for access to their PHI or health care information. This request must be documented on the HCC’s designated form or in the notes of the patient’s medical record.
Responding to Access requests
The designated WSU departmental official manages requests for access to PHI or health care information.
WSU must respond to any access request promptly as required under the circumstances, but no later than 15 working days unless an exception exists. See RCW 70.02.080.
One 21-day extension is permitted; however, WSU must provide the patient with a written statement of the reasons for the delay and the date by which the access request will be processed.
Providing Access When Request is Granted
If access is granted, the WSU HCC provides the patient with access to the PHI or health care information in the form or format requested, if readily producible in that form and format.
If the PHI or health care information is not readily available in the requested format, the WSU HCC is to provide it in readable hard copy form or other form and format as agreed to by the WSU HCC and the individual.
Requests for Electronic Access to Electronically-Stored PHI
If an individual specifically requests electronic access to PHI or health care information that is maintained electronically, the WSU HCC provides the individual with access to the information in the requested electronic form and format.
If the PHI or health care information is not readily producible in the requested electronic form and format, then the WSU HCC provides it in an agreed upon alternative, readable electronic format.
If the individual refuses to accept any of the electronic formats that are readily producible, then the WSU HCC may provide the individual with a readable hard copy of the PHI or health care information.
Requests for Paper Copies of Electronically-Stored PHI
If an individual requests a paper copy of PHI or health care information maintained electronically; the WSU HCC provides the individual with the paper copy requested as defined by the HCC’s medical record policies.
Requests for Electronic Access to PHI Maintained in Paper Copy Only
If an individual requests an electronic copy of PHI or health care information maintained only on paper, then the WSU HCC provides the individual with an electronic copy, provided the paper record can be readily scanned into electronic format.
If the paper record is not readily producible in electronic format, then the WSU HCC produces it in a readable alternative electronic format or in hard copy format as agreed to by the HCC and the individual.
The WSU HCC may provide a summary of the PHI or health care information requested if the patient agrees, in advance, to this summary and to any fees imposed.
Upon request, a patient may receive one free copy of the patient’s PHI or health care information if they meet the guidelines as defined in RCW 70.02.030.
The WSU HCC may charge a reasonable cost-based fee for the copies provided. The HCC reviews the fee annually. The fee may include only the costs of the:
- Labor associated with copying the PHI, whether in paper or electronic form;
- Supplies for creating the paper copy or electronic media;
- Postage, when the individual requests that the copy, summary, or explanation, be mailed; and
- Preparation of an explanation or summary of the PHI if agreed to by the individual.
Denying Access Request
If the WSU HCC denies an access request, it must provide a timely, written notice of the denial to the individual. The notice must include the basis for the denial, and, if applicable, a statement of the individual’s review rights. In addition, the written notice must provide a description of how the individual may submit a complaint to the WSU HCC or to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights.
An individual may not be required to provide a reason for requesting access, and the individual’s rationale for requesting access, if voluntarily offered or known by the covered entity or business associate, is not a permitted reason to deny access.
Allowable Reasons to Deny Access Request
The WSU HCC may deny a request for access for the following reasons, and such denials are not subject to review:
- The request is for psychotherapy notes.
- The request is for information compiled in reasonable anticipation of, or for use in, a legal proceeding.
- The requested PHI is in a designated record set which is part of a research study that includes treatment (e.g., clinical trial) and is still in progress, provided the individual agreed to the temporary suspension of access when consenting to participate in the research. The individual’s right of access is reinstated upon completion of the research.
- An individual’s access to PHI created or obtained by a covered health care provider in the course of research that includes treatment may be temporarily suspended for as long as the research is in progress, provided that:
- The individual agreed to the denial of access when consenting to participate in the research that includes treatment; and
- The covered health care provider informed the individual that the right of access is reinstated upon completion of the research.
- An individual’s access to PHI that is contained in records that are subject to the HIPAA Privacy Act (5 USC 552a) may be denied, if the denial of access under the Privacy Act would meet the requirements of that law.
- Access is otherwise prohibited by law (e.g., quality assurance, peer review, etc.).
The WSU HCC may deny the request for additional reasons, but denials based on these grounds are reviewable by a licensed healthcare provider, who is selected by the patient. Specifically, a health care provider may deny access to health care information by a patient if the health care provider reasonably concludes that:
- Knowledge of the health care information would be injurious to the health of the patient; or
- Knowledge of the health care information could reasonably be expected to cause danger to the life or safety of any individual.
Segregation of PHI
If a health care provider denies a request for examination and copying under this section, the provider, to the extent possible, must segregate health care information for which access has been denied from information for which access cannot be denied. The provider must then permit the patient to examine or copy the disclosable information.
Other Health Care Providers
If a health care provider denies a patient’s request for examination and copying, in whole or in part, the provider must permit examination and copying of the record by another health care provider who is:
- Selected by the patient; and
- Licensed, certified, or otherwise authorized under the laws of the state of Washington to treat the patient for the same condition as the health care provider denying the request.
The health care provider denying the request must inform the patient of the patient’s right to select another health care provider under this subsection. The patient is responsible for arranging for compensation of the other health care provider so selected. To the extent HIPAA applies to the access request, the notification must also advise the individual of their right to submit a complaint to WSU or to the HHS Office for Civil Rights.
For University records retention requirements regarding PHI or health care information, see the following records series in the All-University Records Retention Schedule—Student Records:
- Health Client Files (Age 18 and Over)
- Health Client Files (Under Age 18)
Revisions: Mar. 2022 – new policy (Rev. 589)