HHS Clarifies Individuals’ Access to Personal Health Information
09-30-2025
Under the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule, individuals have broad rights to request access to their individual protected health information (“PHI”). This information is often maintained in designated record sets by their health care providers and health plans (together, “HIPAA covered entities”). Examples of such PHI include insurance information, billing and payment records, clinical laboratory test reports, X-rays, wellness program information, and disease management program information. Recently, the Department of Health and Human Services (“HHS”) clarified what specific information individuals have access to.
Access to Information
While the rights individuals have to access their own PHI are quite broad, there are several notable exceptions. For example, individuals have no statutory right to access psychotherapy notes or “information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.”
HIPAA covered entities may also deny access to PHI in other circumstances, some of which are reviewable and others of which are not. A denial which cannot be reviewed is the denial by a covered entity that is a correctional institution where obtaining the PHI “would jeopardize the health, safety, security, custody, or rehabilitation of the individual or of other inmates, or the safety of any officer, employee, or other person at the correctional institution or responsible for the transporting of the inmate.” Outside of correctional institutions, such a denial becomes reviewable where “a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person.”
Designated Record Sets
Beyond the specific exclusions and permitted denials discussed above, individuals are also limited to accessing the information contained in designated record sets. These are groups of records maintained by or for covered entities and include medical records, billing records, enrollment records, payment records, claims adjudication records, and case management records. All such records must be used by or for the covered entity to make decisions about individuals.
In its recent clarification, HHS indicated that individuals do not have a right to access PHI that is not part of a designated record set. This means a covered entity is not required to create new information, such as explanatory materials or analyses, that does not already exist in the designated record set. Such information is not part of the designated record set because this information is not used to make decisions about individuals. HHS also reinforced that “a covered entity is only required to provide access to the PHI to which the individual requests access.”
Conclusion
Health plans may not regularly see requests from plan participants to access their PHI; however, they still must be aware that such requests are possible and are included in an individual’s rights. In complying with such requests, plans should understand the limits of what needs to be provided.
NOTICE OF DISCLAIMER: Neither BUA nor any affiliated companies is a law or accounting firm, and therefore they cannot provide legal or tax advice. The information herein is provided for general information only and is not intended to constitute legal or tax advice as to an organization’s or individual's specific circumstances. It is based on BUA’s understanding of the law as it exists on the date of this publication. Subsequent developments may result in this information becoming outdated or incorrect and BUA does not have an obligation to update this information. You should consult an attorney, accountant, or other legal or tax professional regarding the application of the general information provided here to your organization’s specific situation in light of your or your organization’s particular needs.