
Indian Health Service The Federal Health Program for American Indians and Alaska Natives


     Indian Health Manual

Part 2, Chapter 7:  Manual Exhibit 2-7-A

Policy and Procedure for Patient's Rights to Access, Inspect,
and Obtain a Copy of their Protected Health Information


  1. PURPOSE.  The purpose of Manual Exhibit 2-7-A is to specify Indian Health Service (IHS) policy and procedures regarding the rights of patients, under certain circumstances, to access, inspect, and obtain a copy of their Protected Health Information (PHI).

  2. BACKGROUND.  The Privacy Act of 1974, as amended, 5 United States Code (U.S.C.) § 552a; the Department of Health and Human Services (HHS) Privacy Act regulations, 45 Code of Federal Regulations (CFR), Part 5b; and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, 45 CFR Parts 160 and 164, provide patients the right to access, inspect, and obtain copies of their PHI maintained in a Privacy Act System of Records (PASOR) and/or a “designated record set” as defined at 45 CFR § 164.501.

  3. AUTHORITY.

    1. 45 CFR 160

    2. 45 CFR 164.524

    3. 45 CFR 5b.5

    4. 45 CFR 5b.6

  4. POLICY.  It is IHS policy to provide patients or their personal representatives the maximum rights under these statutes and regulations to access, inspect, and obtain copies of their PHI that is maintained in a PASOR and/or a HIPAA Privacy Rule-designated record set.  With respect to access by or on behalf of unemancipated minors, please refer to the Manual Exhibit 2-7-Q, “Policy and Procedure on Protected Health Information of Unemancipated Minors.”

  5. PROCEDURES FOR ACCESS WHEN RECORDS ARE SUBJECT TO THE PRIVACY ACT.  In most instances, patient medical records will be subject to both the Privacy Act and the HIPAA Privacy Rule.  Because the HHS Privacy Act regulations and the HIPAA Privacy Rule have different procedures governing patient access to medical records, the IHS is required to choose the procedure that provides the patient with the greatest access to his or her own PHI.  Because the Privacy Act access procedures provide the patient with greater access to his or her own PHI than the HIPAA Privacy Rule access procedures do, the IHS must follow the Privacy Act access procedures when determining whether to provide a patient with access to his or her PHI.

    The following procedures shall be used when a patient whose records are subject to the Privacy Act makes a request to access, inspect, and/or obtain a copy of their PHI.  In all other instances, the service unit shall follow the procedures set forth in Sections 5 and 6 below.

    1. Making the Initial Request.

      1. Request Must be Made in Writing.  A patient must submit a written request to the Chief Executive Officer (CEO) or designee responsible for maintaining the PHI that specifies the records the patient would like notification of or access to.  Service units may use form IHS 810 or a written request from the patient or personal representative.  (For IHS Areas that provide contract health service (CHS) directly through the IHS Area Office, references to the CEO should be considered references to the IHS Area Director’s designee, as applicable.)

      2. Confirming Patient’s Identity.  The identity of the individual requesting access to a patient’s records shall be determined in accordance with the instructions contained in Manual Exhibit 2-7-R, “Policy and Procedures for Verification of Identity Prior to Disclosure of Protected Health Information.”

      3. Patient Must Designate a Representative.  At the time of the request for PHI, the patient must designate, in writing, a representative willing to review the record and inform the patient of its contents at the representative’s discretion.  The representative may be a physician, other health professional, or other responsible individual.

      4. Authorizing a Third Party to Accompany Patient During a Meeting.  If the patient requests access to his or her PHI, and is accompanied by another individual, the patient must affirmatively authorize the presence of the other individual during any discussion of a record to which access is requested.

      5. Requesting Copies.  In addition to requesting notification and access to records, the patient may request copies be made of such records in accordance with the fee schedule set forth at 45 CFR 5b.13.

      6. Maintaining Copy of Requests for Access.  All requests, designations, and correspondence relating to the patient’s request for access should be maintained in a patient’s medical record.

    2. Time Period to Act on Request.  When a patient makes a request to access, inspect, and obtain a copy of their PHI, the CEO or his or her designee must act upon the request:

      1. within 30 days of receipt of the written request if the information is maintained or accessible onsite or

      2. within 60 days if it is not maintained or accessible onsite.

    3. Extension.  A one-time 30-day extension is permitted to complete action on a written request.  A written statement signed by the CEO or his or her designee describing the reason(s) for the delay and a date by which action on the request will be completed must be provided to the patient (or the patient's personal representative, if applicable) within the 30-day or 60-day time frame.

    4. Access Granted in Whole or in Part.  A patient must be granted direct access to his or her PHI if the CEO or designee determines that direct access is not likely to have an adverse effect on the patient.

      1. If direct access is granted, in whole or in part, the CEO or designee shall inform the patient in writing that he or she may inspect and/or obtain a copy of his or her PHI.

      2. The IHS is only required to produce the PHI once per request even if the record is maintained in more than one location or in more than one designated set of records.

      3. The IHS must provide the information in the requested form or format if it is readily producible.  If it is not, the IHS must produce a readable hard copy in another form or format upon which both the patient and the IHS have agreed.

      4. Subject to the patient's agreement in advance, a summary or an explanation of the PHI may be provided in lieu of the underlying information, but the patient retains the right of access to both summaries and underlying information.

      5. When a copy is provided, the date on which the copy is delivered must be entered in the patient's chart.

      6. Access must be provided at a mutually convenient time and place for inspection or copying.  If requested, the IHS must mail the PHI, but may charge a cost-based fee for copying, in addition to postage.  (See the fee schedule at 45 CFR 5b.13.)

      7. If an IHS business associate (or associates) maintains any designated record set on behalf of the IHS, and all or a portion of the patient’s medical records are located in the designated record set maintained by such business associate (or associates), then the IHS shall also provide the patient with access to information in any such designated record set in the possession of its business associate (or associates).

    5. Access Denied in Whole or in Part.

      1. If the CEO or designee believes that he or she is not qualified to determine, or if he or she does determine, that direct access by the patient of the PHI is likely to have an adverse effect on the patient, then the applicable record must be sent to the patient’s designated representative, and the patient will be notified in writing that the record has been sent to the designated representative.

      2. If the IHS sent the record to the patient’s designated representative, the designated representative should consider whether there would be any adverse effects on the patient.

      3. The patient will be allowed access to his or her record consistent with a determination by the patient’s designated representative of the manner of disclosure, if any, that would limit any likely adverse effect on the patient.

    6. Denial of Access of Information Compiled in Reasonable Anticipation of Litigation.  In no event shall the IHS provide a patient, or a patient’s designated representative, with access to information compiled in reasonable anticipation of, or for use in, civil, criminal, or administrative actions or proceedings.  In such instances, the patient should be notified in writing of the Agency’s decision to deny access to such information on the grounds that such information was compiled in reasonable anticipation of, or for use in, civil, criminal, or administrative actions or proceedings, citing 5 U.S.C. § 552a(d)(5).

      Note:  This type of information should not be filed in the patient's medical record.  Should such information be found in the patient's medical record, contact the Office of General Counsel.

  6. PROCEDURES FOR ACCESS TO DECEASED PATIENT RECORDS OR RECORDS OF NON-U.S. CITIZENS WHO ARE NOT LAWFULLY ADMITTED FOR PERMANENT RESIDENCE.  The medical records of certain patients are expressly exempted from coverage under the Privacy Act: namely, medical records of deceased patients, and medical records of patients who are neither U.S. citizens nor aliens lawfully admitted for permanent residence in the United States.  The procedures for handling such requests are set forth in this Section 5 and, for requests for access to the medical records of deceased patients by individuals who are not the deceased patient’s personal representative, in Section 6 below.

    1. Making the Initial Request.

      1. Request Must be in Writing.  A patient (or the patient’s legal representative or other third party seeking access to a deceased patient’s PHI) must submit a written request to the CEO or designee of the facility that maintains the PHI, specifying the records the individual would like notification of or access to.  (For IHS Areas that provide CHS directly through the IHS Area Office, references to the CEO should be considered references to the IHS Area Director’s designee, as applicable.)

      2. Authorizing a Third Party to Accompany Patient During a Meeting.  If the patient requests access to his or her record, and is accompanied by another individual, the patient must affirmatively authorize the presence of the other individual during any discussion of a record to which access is requested.

      3. Confirming Patient’s Identity.  The identity of the individual requesting access to a patient’s records shall be determined in accordance with the instructions contained in Manual Exhibit 2-7-R “Policy and Procedures for Verification of Identity Prior to Disclosure of Protected Health Information.”

      4. Determining Whether Individual is a Deceased Patient’s Personal Representative.  If an individual is seeking access to the records of a deceased patient on the basis that he or she has the legal authority to act on behalf of the deceased patient or the deceased patient’s estate, the facility must first determine if the individual is the “personal representative” of the deceased patient as that term is defined in the HIPAA Privacy Rule, 45 CFR § 164.502(g)(4).  In making this determination, the facility should follow the procedures set forth in Manual Exhibit 2-7-S, “Policy and Procedures for the Use and Disclosure of Protected Health Information for Emancipated Minors and Adults with Personal Representatives or Legal Guardians.”  If the individual is deemed not to be the patient’s personal representative, the request for access shall be processed in accordance with the procedures set forth in this Section 5.  If the individual is deemed to be the deceased patient’s personal representative, the request shall be processed in accordance with the procedures set forth in Section 6 below.

      5. Access to PHI in the Format Requested. The IHS may provide access to the PHI in the form or format requested by the individual, if the facility where the record resides has the capability to produce it in the format requested.  For example, if an individual requests a record in a compact disc (CD) format, it may be copied to a CD if the facility has the capability to do so.

        Note:  Requests to send PHI via e-mail shall not be honored until the IHS develops policy and procedures for e-mail receipt and transmission of PHI.

      6. Maintaining Copy of the Request.  All requests, designations, and correspondence relating to a patient’s request for access should be maintained in the patient’s medical record.

    2. Time Period to Act on Request.  When a patient or the patient’s personal representative makes a request to access, inspect, and obtain a written copy of their PHI, the CEO or his or her designee must act upon the request:

      1. within 30 days of receipt of the request if the information is maintained or accessible onsite or

      2. within 60 days if it is not maintained or accessible onsite.

    3. Extension.  A one-time 30-day extension is permitted to complete action on the written request.  A written statement signed by the CEO or his or her designee describing the reason(s) for the delay and a date by which action on the request will be completed must be provided to the patient (or the patient’s personal representative, if applicable) within the 30-day or 60-day time frame.

    4. Access Granted in Whole or in Part.

      1. If direct access is granted, in whole or in part, the CEO or designee shall inform the patient in writing that he or she may inspect and/or obtain a copy of his or her PHI.

      2. The IHS is only required to produce the PHI once per request even if the record is maintained in more than one location or in more than one designated set of records.

      3. The IHS must provide the information in the requested form or format if it is readily producible.  If it is not, the IHS must produce a readable hard copy in another form or format upon which both the patient and the IHS have agreed.

      4. Subject to the patient's agreement in advance, a summary or an explanation of the PHI may be provided in lieu of the underlying information, but the patient retains the right of access to both summaries and underlying information.

      5. Access must be provided at a mutually convenient time and place for inspection or copying.  If requested by the patient or his or her personal representative, the IHS shall copy and mail the PHI, but may impose a reasonable, cost-based fee for copying and postage.  (See the fee schedule at 45 CFR 5b.13.)

      6. The IHS may provide access to the PHI in the form or format requested by the individual, if the facility where the record resides has the capability to produce it in the format requested.  For example, if an individual requests a record in a CD format, it may be copied to a CD if the facility has the capability to do so.

        Note:  Requests to send information via e-mail shall not be honored until the IHS develops policy and procedures for e-mail receipt and transmission of PHI.

      7. When a copy is provided, the date on which the copy is delivered must be entered in the patient's chart.

    5. Access Denied in Whole or in Part.  In some instances, a request for access, either by the patient or by his or her personal representative, will need to be denied.  Under the HIPAA Privacy Rule, certain denials are unreviewable, while others require the CEO (or his or her designee) to provide the patient (or his or her personal representative) with the right to request review of the initial denial decision.  The grounds for denial that are unreviewable are set forth in section 6E(1) below, while the grounds for reviewable denials are set forth in section 6E(2) below.  All requests for access that are denied, whether in whole or in part and for any reason (unreviewable or reviewable denials), must be processed pursuant to the procedures set forth in Section 6E(3) below.  Additionally, access denials must comply with the review procedures set forth in Section 6E(4) below.

      1. Unreviewable Grounds for Denial.  The following grounds for denial of a request for access are unreviewable:

        1. The records requested are “psychotherapy notes.”  (See Manual Exhibit 2-7-N, “Policy and Procedure for Maintenance, Use, and Disclosure of Psychotherapy Notes” Definitions.)

        2. The IHS may deny access to information compiled in reasonable anticipation of, or for use in, civil, criminal, or administrative actions or proceedings.

          Note:  This type of information should not be filed in the patient's medical record.  Should such information be found in the patient's medical record, contact the Office of General Counsel.

        3. The IHS may deny an inmate’s request to obtain a copy of PHI if obtaining such copy would jeopardize the health, safety, security, custody, or rehabilitation of the individual or of other inmates, or the safety of any officer, employee, or person at the correctional institution or responsible for the transporting of the inmate.

        4. The IHS may deny an individual’s access to his or her PHI created or obtained by the Agency in the course of research that includes treatment for as long as the research is in progress, provided that the individual has agreed to the denial of access when consenting to participate in research that includes treatment, and the IHS has informed the individual that the right of access will be reinstated upon completion of the research.

        5. The IHS may deny an individual's access to his or her PHI that is contained in records that are subject to the Privacy Act if the denial of access under the Privacy Act would meet the requirements of that law.

        6. The IHS may deny an individual's access to his or her PHI if the PHI was obtained from someone other than the IHS under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information.

        7. The IHS may deny a request to access PHI because the IHS does not maintain the requested PHI.  However, if the IHS knows where it is maintained, the IHS shall inform the patient where the PHI is maintained and direct the request to that site.

      2. Reviewable grounds for denial.  The IHS may deny a patient access to PHI in the following circumstances, provided that the patient is given a right to have such denials reviewed pursuant to the procedures set forth in Section 6E(3) below:

        1. A licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person;

        2. The PHI makes reference to another person (unless such other person is a health care provider) and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to such other person; or

        3. The request for access is made by the individual's personal representative, and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person.

      3. Procedures to Follow in the Event of a Denial of Access.  If access is denied for any reason, the CEO (or his or her designee) must use the following procedures:

        1. The CEO (or his or her designee) must, to the extent possible, give the individual access to any PHI requested that is not subject to the denial decision.

        2. The CEO (or his or her designee) must provide a timely, written denial, written in plain language that includes:

          1. the basis for the denial;

          2. if applicable, a statement of the individual’s rights to request a review of the denial decision; and

          3. a description of the facility’s complaint procedures.

      4. Review of Denial Requested.  If the individual has requested a review of a reviewable denial decision, then the facility must designate a licensed health care professional to act as a reviewing official, and promptly refer the request to such designated health professional for his or her review.  That official must not have participated in the facility’s original decision to deny access.  The designated reviewing official must, within a reasonable period of time, determine whether or not to grant the individual the requested access, and the facility shall promptly provide the individual with written notice of such determination.  The individual may not request further review of any determination upholding the original denial.

  7. PROCEDURES FOR ACCESS TO DECEASED PATIENT RECORDS BY PERSONS WHO ARE NOT THE DECEASED PATIENT’S PERSONAL REPRESENTATIVE.  In those instances where an individual who has requested access to PHI of a deceased patient is determined not to be the deceased patient’s personal representative, such requests shall be treated by IHS as Freedom of Information Act (FOIA) requests.  The IHS shall use the following procedures in processing such record requests.

    1. Chief Executive Officer or Designee.  The CEO (or his or her designee) must, in accordance with IHS FOIA policies, immediately forward the request, along with a copy of the relevant medical records, to the IHS Area FOIA Coordinator.

    2. Indian Health Service Area FOIA Coordinator.  The IHS Area FOIA coordinator, in turn, shall immediately forward the request and relevant medical records to the IHS Headquarters FOIA office in Rockville, Maryland.  The IHS Area FOIA coordinator shall maintain a log of all FOIA requests they receive from the service units, indicating:

      1. the date the original FOIA request was received by the service unit;

      2. the date the request was received by the IHS Area FOIA coordinator; and

      3. the date the request was forwarded to the IHS Headquarters FOIA office.

    3. Indian Health Service Headquarters FOIA Coordinator.  Within 20 working days from the date a written request is received, the IHS Headquarters FOIA Coordinator shall respond to the request and notify the person making the request of the rights of such person to appeal any adverse determination.

