Georgia's Trusted Healthcare
& Medical Provider Attorneys

Are You Compliant? HHS Issues Guidance & Likely To Continue HIPAA Compliance Scrutiny

HIPAA AuditThe Department of Health and Human Services (HHS) started the year by publishing new HIPAA guidance with respect to patient access to medical records.

While the recent HHS guidance does not add anything new to the regulations, it serves as a reminder to providers of certain provisions in the law. The guidance is intended as a tool to aid individuals in exercising their rights to access their medical records and to help providers ensure HIPAA compliance.

HHS highlighted certain provisions in the HIPAA regulations including provider obligations to respond to a request from a patient within 30 days and provide PHI in an electronic format if requested (assuming the electronic format requested can be readily produced by the provider).

The guidance also reminds providers that covered entities are not required to provide every single record about an individual even if the individual asks. Certain exceptions to a patient’s right to access include:

  • Patients do not have the right to access to information that is not used to make decisions about that individual. For example, certain quality assessment or improvement records, patient safety activity records, or business planning, development and management records that are used for business decisions do not have to be provided to an individual.
  • Individuals do not have a right to access psychotherapy notes that a mental health professional maintains separately from the individual’s medical record and that document or analyze the contents of a counseling session with the individual.
  • Providers can deny access to certain records if a licensed health care professional determines in the exercise of professional judgment that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person.
  • Patients do not have a right to access certain records compiled in reasonable anticipation of, or for use in, a legal proceeding.

Additionally, providers do not have to create new information, such as explanatory materials or analyses, that does not already exist in the record.

The government’s emphasis on HIPAA is expected to continue with pending audits of covered entities and business associates likely to take place this quarter. Now is the time for healthcare providers to review their policies to ensure that they are complying with the HIPAA regulations.

If you would like to review the HHS guidance it is available at

If you need help ensuring HIPAA compliance, please contact Danielle Hildebrand at or 678.325.3872.