With business associates now directly liable for HIPAA breaches, one thing hasn’t changed: Request for Access, section 164.524. This section asserts that covered entities must allow “means by which individuals have a right to review or obtain copies of their protected health information” and that these requests must be addressed “in a timely manner”, which ends up being defined as “within 30 days”.

Covered entities are still responsible for responding to requests for access within 30 days (in most cases).  So if a business associate fails to respond, the liability falls on the covered entity. This brings up all kinds of questions and concerns:

  • What happens when the business associates are the companies that actually have the requested data?
  • What if there are multiple business associates involved in the request for access?
  • What about patients being contacted by a company they don’t know about?

Let’s take these one at a time and dissect them.  There are no right or wrong answers for them, but they must be considered for HIPAA requests for access.

What happens when the business associates are the companies that actually have the requested data?

In this case, one might think the patient should make the request for access directly to the business associate. However, the covered entity is ultimately responsible for providing the data to the individual requesting access, and would probably want to be involved in helping get that information to the patient.  Asking an individual to take their request elsewhere would mean the covered entity would not accept responsibility.  That means that most requests for access to data at business associates will be initiated by the covered entity.  The covered entity can either receive the information and provide it to the patient, or request that the business associate send the information directly to the patient.  This process should be governed by the business associate agreement between the covered entity and the business associate.

What if there are multiple business associates involved in the request for access?

Again, the covered entity and business associates must agree on who is doing what in their business associate agreement.  There is no requirement that the response to a request for access be provided in a single transaction.  So, theoretically, the covered entity could have each business associate send a portion of the information.  However, consider this question from a customer service point of view.  Would you want your customers to get disjointed information from multiple sources?  In this case, it might make sense for the covered entity to act as the broker, collect all the responses, and send the requested information to the individual all at once.

What about patients being contacted by a company they don’t know about?

This question is also well addressed from a customer service point of view. As a covered entity, do you want your customers to receive protected information from a company they’ve never heard of before? As a consumer of healthcare, I’d almost automatically assume a breach of my data.  I might call the covered entity first, but I might also just report a violation to HHS.  Then the covered entity must spend time, money, and energy responding to an inquiry from HHS.  There’s nothing to say that the business associate(s) cannot send the data on the covered entity’s letterhead or other media.  From a purely practical standpoint, it makes sense to at least keep up the appearance that the data is coming directly from the covered entity.

Response Timeline

Finally, there’s the timeline.  A covered entity has 30 days to respond to a request for access, with a possible 30-day extension.  When the extension is “used”, the covered entity must notify the individual of the reason(s) for the delay and the expected completion date.  That expected date must still be within 60 days of the initial request.  If there are business associates involved with maintaining or managing the data requested, that information must be sent to the individual within 30 days – whether it goes through the covered entity or not.  Therefore, it is advisable to put a much shorter time frame requirement into the business associate agreement, so that the covered entity has sufficient time to respond in a timely fashion.