HIPAA Authorization versus Patient Directive

The HITECH Act (Health Information Technology for Economic and Clinical Health Act) was enacted as part of the American Recovery and Reinvestment Act of 2009. The law was created to promote the “adoption and meaningful use” of health information technology. The Act instructed the Secretary of HHS to strengthen an individual’s access rights in important ways. One way is by instructing HHS to clarify individuals’ access rights under HIPAA by expressly requiring covered entities to provide individuals “access” to their information in electronic format if the covered entity has adopted electronic health record technology.

Patients can request access to their health information via a Patient Directive, which is a request made under the HIPAA right of access. A Directive and a HIPAA-compliant authorization are governed by different rules; the differences are listed below.

HIPAA Authorization vs. Right of Access (Patient Directive)

Whether disclosure is required
  HIPAA Authorization: Permits, but does not require, a covered entity to disclose PHI.
  Right of Access: Requires a covered entity to disclose PHI, except where an exception applies.

Required form and contents
  HIPAA Authorization: Requires a number of elements and statements, which include a description of who is authorized to make the disclosure and receive the PHI, a specific and meaningful description of the PHI, a description of the purpose of the disclosure, an expiration date or event, the signature of the individual authorizing the use or disclosure of their own PHI and the date, information concerning the individual’s right to revoke the authorization, and information about the ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization.
  Right of Access: Must be in writing, signed by the individual, and clearly identify the designated person and where to send the PHI.

Timeliness
  HIPAA Authorization: No timeliness requirement for disclosing the PHI.
  Right of Access: The covered entity must act on the request no later than 30 days after the request is received.

Safeguards
  HIPAA Authorization: Reasonable safeguards apply (e.g. PHI must be sent securely).
  Right of Access: Reasonable safeguards apply, including a requirement to send securely; however, the individual can request transmission by an unsecure medium.

Fees
  HIPAA Authorization: No limitations on the fees that may be charged to the person requesting the PHI; however, if the disclosure constitutes a sale of PHI, the authorization must disclose the fact of remuneration.
  Right of Access: Fees are limited as provided in 45 CFR 164.524(c)(4).

*Table provided by Mariela Twiggs, AHIOS Education Chair and the Office of Civil Rights (OCR)

For Patient Directives, one of the biggest differences revolves around the fees that can be charged for “copies” of medical records. 45 CFR 164 is a federal rule, which means that state laws that would permit higher copy fees are preempted. Medical facilities or their Business Associates may include only the following costs in the fee: (1) labor for copying the PHI requested by the individual, whether in paper or electronic form; (2) supplies for creating the paper copy or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media; (3) postage, when the individual requests that the copy, or the summary or explanation, be mailed; and (4) preparation of an explanation or summary of the PHI, if agreed to by the individual. The fee may not include costs associated with verification of the patient; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; or other costs associated with processing the release of a patient’s medical records.

In a 2016 survey conducted by the American Health Information Management Association (AHIMA), roughly 82% of consumers (about 4 out of 5) reported using their health care provider’s patient portal to access their health records, up from only 27% in 2013. It is important that those who work in release of information recognize this growing trend and adapt to the way health information is now shared and released.
