Content created by Office for Civil Rights (OCR)
Yes. An individual’s right under the HIPAA Privacy Rule to access PHI about themselves extends to PHI in a designated record set maintained by a business associate on behalf of a covered entity. Thus, if an individual submits a request for access to PHI, the covered entity is responsible for providing the individual with access not only to the PHI it holds but also to the PHI held by one or more of its business associates. However, if the same PHI that is the subject of an access request is maintained in both the designated record set of the covered entity and the designated record set of the business associate, the PHI need only be produced once in response to the request for access. See 45 CFR 164.524(c)(1).
With respect to PHI in a designated record set maintained by a business associate, the business associate agreement between the covered entity and the business associate will govern whether the business associate will provide access directly to the individual or will provide the PHI that is the subject of the individual’s access request to the covered entity for the covered entity to then provide access to the individual. However, regardless of how and to what extent a business associate supports or fulfills a covered entity’s obligation to provide access to an individual, a request for access still must be acted upon within 30 calendar days (or 60 calendar days if an extension is applicable) of receipt of the request by either the covered entity, or by a business associate if the request was made directly to the business associate because the covered entity instructed individuals through its notice of privacy practices (or otherwise) to submit access requests directly to the business associate. Further, all of the access requirements that apply with respect to PHI held by the covered entity (e.g., limitations on fees that may be charged) apply with respect to PHI held by the business associate.