Data subject rights have gotten a lot of attention lately because of GDPR and CCPA. Some of the most hotly discussed requirements in these new regulations pertain to individual data rights. These data rights have rightly raised public awareness of privacy issues.
With HIPAA, data rights are not new. Under HIPAA, individuals have the right to their data as well as the right to have their data sent to another individual or provider. Unfortunately, there is not a prescribed process or technology to request and access medical records.
According to HIPAA, covered entities have a maximum of 30 days to provide access to medical records. Additionally, covered entities can charge a reasonable fee based on the cost of providing medical records (printing, CD, USB, etc.).
There are two exceptions to these data rights under HIPAA: psychotherapy notes and information used for an investigation.
State laws can be stricter than HIPAA when it comes to patient access to their own medical records. In these cases, the stricter state laws take precedence.
Data subject requests are not new under HIPAA, and it falls on covered entities to process the requests and provide the data to individuals.