Why depend on the individual’s right of access to facilitate the disclosure of PHI to a third party – why not just have the individual execute a HIPAA authorization to enable the covered entity to make this disclosure?

This guidance remains in effect only to the extent that it is consistent with the court’s order in Ciox Health, LLC v. Azar, No. 18-cv-0040 (D.D.C. January 23, 2020), which may be found at https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2018cv0040-51. More information about the order is available at https://www.hhs.gov/hipaa/court-order-right-of-access/index.html. Any provision within this guidance that has been vacated by the Ciox Health decision is rescinded.

The PHI that an individual wants to have disclosed to a third party under the HIPAA right of access also could be disclosed by a covered entity pursuant to a valid HIPAA authorization.  However, there are differences between the two methods – the primary difference being that one is a required disclosure and one is a permitted disclosure -- that may make the right of access a more favorable choice for most disclosures the individual is initiating on her own behalf.  These differences are illustrated in the following table:

HIPAA AuthorizationRight of Access
Permits, but does not require, a covered entity to disclose PHIRequires a covered entity to disclose PHI, except where an exception applies
Requires a number of elements and statements, which include a description of who is authorized to make the disclosure and receive the PHI, a specific and meaningful description of the PHI, a description of the purpose of the disclosure, an expiration date or event, signature of the individual authorizing the use or disclosure of her own PHI and the date, information concerning the individual’s right to revoke the authorization, and information about the ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization.Must be in writing, signed by the individual, and clearly identify the designated person and where to the send the PHI
No timeliness requirement for disclosing the PHI Reasonable safeguards apply (e.g., PHI must be sent securely)Covered entity must act on request no later than 30 days after the request is received
Reasonable safeguards apply (e.g., PHI must be sent securely)

Reasonable safeguards apply, including a requirement to send securely; however, individual can request transmission by unsecure medium

 

No limitations on fees that may be charged to the person requesting the PHI; however, if the disclosure constitutes a sale of PHI, the authorization must disclose the fact of remuneration

 

Fees limited as provided in 45 CFR 164.524(c)(4)

 


In addition, the Privacy Rule permits covered entities to disclose PHI for treatment, payment and health care operations without the need to first obtain an individual’s authorization or receive an access request by the individual to have the individual’s PHI directed to a third party for such purposes. See 45 CFR 164.506. As a result, if an individual is seeking to have her PHI shared among her treating providers, the covered entities can and should do so; the individual should not have to facilitate this transmission by submitting an access request (and potentially having to wait up to 30 days for the information to be sent and be charged a fee) or by executing a HIPAA authorization. See the Fact Sheets on Understanding Some of HIPAA’s Permitted Uses and Disclosures at http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/permitted-uses/index.html.

Content created by Office for Civil Rights (OCR)
Content last reviewed