Individual's Right to Access Individually Identifiable Health Information
Drexel University Clinical Covered Entities
Privacy Program Policies and Procedures
Policy Title: Individual's Right to Access Individually Identifiable Health Information
Policy Number: IM-04
Effective Date: April 14, 2003; September 23, 2013
Last Revision: September 2017
Responsible Officer: Vice President, Chief Compliance, Privacy and Internal Audit Officer
This policy applies to all Covered Entities within Drexel University.
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
Other than as set forth below, patients may: (1) view; and (2) request a copy of their medical information retained by Drexel University (DU). Requests may also be made to send medical information to a designated third party. The practice providing care will fulfill this obligation upon a reasonable request to do so and as mutually agreed by the treating clinician and the patient. DU may deny access to a patient's records if the practice believes that the release of such information will endanger the life or physical safety of the individual. Providers generally have up to thirty (30) days from the request to make the information available. Providers may offer a summary of the data instead of the actual data itself and may charge a reasonable fee for providing this information. A provider is not required to include material if it was generated by another provider, or it is believed to be inaccurate, or it is not made part of the record set/patient record.
If DU maintains such records in an electronic format, then DU is required to produce a copy in an electronic format, including an electronic designated record set, upon request; provided, that the requested electronic format is readily producible in such form and format. In the event that the requested electronic format is not readily producible, then DU and the requestor must agree upon an acceptable electronic format, and if no agreement can be reached, the information may be delivered in a hard copy format. Information may be provided to individuals by unencrypted email, if requested by the individual to be provided in such format, provided that the individual is informed of the possible risk that a third party may read such email.
If the request is to send patient information to a third party, the request must be made in writing, signed by the individual, and must clearly identify the third party and where to send the information.
The policy provides the opportunity for the patient to 1) view; 2) request a copy of his/her medical records retained by DU; or 3) have a copy of his/her records sent to a designated third party.
- A patient or an authorized surrogate decision maker can request access to the medical record in writing by filing a completed "Request Access to Medical documentation" form found in this policy. In the case of a decedent, the request may be made by either a family member of the deceased or another person who was involved in the care or payment of the deceased, unless doing so is inconsistent with a prior expressed preference known to DU.
- The treating clinician will consider the request and approve or deny in writing.
- Copies of all documents will be made part of the Medical Record or patient file in the treating department.
The treating clinician will review the request for access to medical documentation and note the decision in writing.
IM-01, Information Management Policy