Section 18: Patient Access to Protected Health Information
UT Dallas Callier Center recognizes a Patient’s right to inspect and/or obtain copies of his or her own PHI contained in a Designated Record Set, to the extent the Patient is entitled to such access. This right is separate from any right an individual may have to request records through the Texas Public Information Act.
A Patient’s Right to Make Written Request for Access to Designated Record Set
a. Patients requesting an opportunity to inspect and/or obtain copies of their PHI shall submit a written request to the Privacy Officer to review or have the Callier Center disclose their PHI to a third party pursuant to the Individual’s rights under HIPAA. Request for Access Form
- i. If a Patient notifies staff of the Callier Center or another University office of his or her desire to make such a request, staff shall notify the Patient that s/he has a right to make a written request to inspect or request copies of the desired records. The written request may only be made to the Privacy Officer. The Patient shall be provided with the website address where the form “Request for Access to Protected Health Information” is located and/or the Privacy Officer’s email address, email@example.com, in order to assist the Individual with making a complete written request.
- ii. No one other than the Privacy Officer or his/her designee can accept a Patient’s request for his or her own designated record set. A copy of the Request Form is provided in the forms section of this Manual. If the Patient orally notifies the Privacy Officer of a request, the Privacy Officer shall notify the Patient how to make such a request.
- iii. An individual or any other person seeking access to records pursuant to the Texas Public Information Act shall be directed to the UT System website http://www.utsystem.edu/openrecords for information about how to make such a request.
b. A Patient shall have access to PHI for as long as it is maintained in a Designated Record Set, subject to this section. The Privacy Officer shall be responsible for receiving and processing requests for access by Patients. The Privacy Officer shall have ultimate authority regarding whether such requests shall be granted or denied.
Verification of Requestor’s Identity
a. Before PHI is released under this section, the requesting person’s identity shall be verified in accordance with Section 17 of this Manual.
b. A Patient’s Personal Representative shall have the right to access PHI to the same extent that the individual has such right under this section.
Time Period for Providing Access
The Callier Center shall provide access or a written denial to the Designated Record Set, as applicable, in response to an individual’s request for access within 30 days of the Privacy Officer’s receipt of the request, unless:
a. the PHI is maintained off-site (including records held by a Business Associate), in which case access or written denial must be provided within 30 days; or
b. System extends the deadline by providing the individual, within the 30-day, as applicable, a written statement of the reasons for the delay and the date by which action on the request will be completed, but in no case may this extension be for more than 30 days. System is allowed only one extension for a decision on a request for access.
a. If an individual makes a valid request for access to some or all of the requested PHI, such access shall be provided as follows:
- i. if records are requested in a format requested by the Patient that is not readily producible, the PHI may be produced in a readable hard copy format;
- ii. if the Patient is requesting personal access to inspect, arrangements shall be made with the individual to establish a convenient time for him to inspect the records;
- iii. if a Patient requests copies of PHI to be provided to the Patient or a third party, the Callier Center shall honor that request, if fees for copying and mailing, which shall be reasonable, are paid in advance;
- iv. if a Patient requests copies of PHI in an electronic format, the Patient must provide a password protected USB flash drive or the electronic copy will be encrypted and the document password protected; and
- v. a Patient may be provided with a summary of the information rather than the information itself if (i) the individual agrees to receive a summary and (ii) the individual agrees in advance to any fees that will be imposed in preparing the summary.
b. If access to PHI is granted in part and denied in part, the Center shall provide access to the PHI, excluding (through redaction) the PHI for which access has been denied.
c. Callier Center shall charge a reasonable cost-based fee for providing access/copies, which includes (i) the cost of copying (supplies and labor), (ii) postage, and (iii) the cost of preparing a summary or explanation (if applicable) if the individual agrees to a charge in advance.
Denial of Access to PHI
a. Access to PHI may be denied if:
- i. the PHI requested is not part of the Designated Record Set;
- ii. the PHI requested is psychotherapy notes;
- iii. the PHI requested was compiled by the University in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding;
- iv. the PHI requested was received from a source, other than a health care provider, under a promise of confidentiality, and providing access would be reasonably likely to reveal the source of the information;
- v. a designated health care professional has determined access should be denied because in his or her professional judgment s/he believes that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person—this would not include the potential for causing emotional or psychological harm;
- vi. a designated health care professional has decided to deny access because in his or her professional judgment s/he believes that the PHI contains a reference to a third person, and it is reasonably likely that access may cause substantial physical, emotional, or psychological harm to that other person; or
- vii. a designated health care professional has decided to deny access because the person requesting the PHI is the Personal Representative of the Patient and in the professional’s judgment the provision of access is reasonably likely to cause substantial harm to the Patient who is the subject of the information or to another person.
b. It is expected that the exceptions to open access will be employed rarely. The reasons for denial listed set forth in paragraphs (a)(i)-(iv) are not reviewable. Reasons for denial listed in paragraphs (a)(v)-(vii) may be reviewed in accordance with this Section 18.
Notice of Denial
If access is to be denied in part or in whole, the Callier Center shall provide written notice, in plain language and within the timeframes established by this Section, to the requesting person of the following:
a. the specific grounds for the denial;
b. a Patient’s right to protest the denial to the Privacy Officer and to the Secretary and the name or title and phone number of the Privacy Officer, as well as a contact source for the Secretary;
c. if the denial is reviewable, a Patient has the right to request that a licensed health care provider, designated by UT Dallas, who did not participate in the initial decision to deny access will review the denial (the Patient may exercise this right by notifying the Privacy Officer in writing); and
d. if the PHI is not in a University Designated Record Set but the University knows where the information is maintained, the Patient should be directed there to make a request for access.
Review of Denials
a. If a Patient is entitled to, and has requested, review of a denial of access, the Center shall designate a licensed health care professional who was not directly involved in the decision to deny access to be the designated reviewer and shall promptly refer such request to that reviewer. The reviewer shall determine within a reasonable period of time whether to deny access based upon the criteria listed in this section. The decision of the official shall be final.
b. The University shall promptly notify the individual in writing of the determination of the reviewer, and if the reviewer finds that the individual should be given access to inspect and/or copy the PHI, the Center shall provide that access as described in this section.
The Center shall retain documentation of the Designated Record Sets that are subject to access by individuals in paper or electronic form in accordance with this Manual.
For each request, as applicable, the Center shall retain (i) the written request for access; (ii) any written response to the request including a notice of deadline extension (if any); (iii) if the request is denied, any written request for review, if any, and written notice of the reviewer’s determination upon review; and (iv) if the request is granted, a description of how access was provided and any summaries or explanations prepared by the Center.
HIPAA Regulatory Citation: 45 CFR § 164.524(a) Effective: 04/14/2003
Revised: 05/26/2015, 03/13/2013
Reviewed: 03/24/2021, 08/13/2015
Donise W. Pearson, HIPAA Privacy Officer
UT Dallas Callier Center