COMPCARE MEDICAL SCHEME

Promotion of Access to Information Act Manual

INFORMATION MANUAL IN TERMS OF SECTION 51 OF THE PROMOTION OF ACCESS TO INFORMATION ACT (2 OF 2000) (“PAIA”), AND SECTION 18 OF THE PROTECTION OF PERSONAL INFORMATION ACT (4 OF 2013) (“POPI”)

UNIVERSAL HEALTHCARE GROUP OF COMPANIES

(“the Group”)
1. PURPOSE OF THE POLICY

1.1. PAIA gives effect to the provisions of Section 32 of the Constitution, which provides for the right of access to information held by the State, and to information held by another person that is required for the exercise and / or protection of any right.

1.2. The POPI Act gives effect to the provisions of, amongst others, Section 14 of the Constitution, which provides for the right to privacy of all persons.

1.3. The purpose of the Manual is to assist members of the public to make a request for access to a record held by the Universal Group of Companies (hereinafter referred to as “the Group”), by providing a description of the subjects on which the Group holds records, the categories of records held on each subject and the process to obtain access to these records.

1.4. The information provided in this Manual includes:
1.4.1. contact details of the Head (as defined in PAIA), of The Universal Group of Companies;
1.4.2. a description of the guide referred to in Section 10 of PAIA;
1.4.3. a description of the records of the Group which are available in terms of any legislation other than the PAIA
1.4.4. a description of the subjects on which the Group holds records and the categories of records held on each subject;
1.4.5. a description of the subjects on which the Group holds personal information and the categories of personal information held on each subject;
1.4.6. the purpose of processing personal information;
1.4.7. the recipients to whom the personal information may be supplied;
1.4.8. planned transborder flows of personal information (if applicable).

1.5. The reference to any information in addition to that specifically required in terms of Section 51 of PAIA and Section 18 of the POPI Act, does not create any right or entitlement (contractual or otherwise) to receive such information, other than in terms of PAIA and the POPI Act.

1.6. This Manual may be updated from time to time and will be made available on the Group’s website and / or at its principal place of business, to any person on request (subject to the payment of a reasonable fee), and to the Information Regulator.

1.7. If there is a conflict in the interpretation of, or application of this Manual and PAIA or the POPI Act, PAIA or the POPI Act will prevail.

1.8. This Manual is not intended to be exhaustive of, or to deal comprehensively with, every procedure provided for in PAIA or every right listed under the POPI Act. A reader relying on any provision of this Manual is advised to familiarise himself / herself / itself with the provisions of PAIA and the POPI Act.

1.9. The principles outlined in this Manual apply to all requests for health information in other jurisdictions where the Group operates, including but not limited to requests under the HIPAA Privacy Rule (45 CFR Part 164, in particular the definitions in 45 CFR 164.501). See Annexure C in this regard.

2. SCOPE AND AUTHORITIES

2.1. The Group comprises the following companies:
2.1.1. Universal Healthcare (Pty) Ltd (registration number 1999/013368/07) (“Universal Group”);
2.1.2. Universal Healthcare Administrators (Pty) Ltd (registration number 1974/001443/07);
2.1.3. Universal Care (Pty) Ltd (registration number 1999/023901/07);
2.1.4. Universal Healthcare Services (Pty) Ltd (registration number 2008/005871/07);
2.1.5. Universal Cover (Pty) Ltd (registration number 2010/021467/07) and Financial Service Provider Number 43274;
2.1.6. MediKredit Integrated Healthcare Solutions (Pty) Ltd (registration number 1995/001794/07) (“MediKredit”);
2.1.7. Performance Health (Pty) Ltd (registration number 1995/001232/07);
2.1.8. Rostech Property Developments (Pty) Ltd (registration number 1991/007171/07);
2.1.9. Universal Health Cover (Pty) Ltd (registration number 2009/012670/07) and Financial Service Provider Number 46047;
2.1.10. mediBucks (Pty) Ltd (registration number 2010/024875/07);
2.1.11. Universal Corporate Wellness (Pty) Ltd (registration number 2011/139445/07);
2.1.12. Universal Motorsport (Pty) Ltd (registration number 2009/012988/07);
2.1.13. Universal Healthcare Foundation NPC (registration number 2018/046866/08);
2.1.14. Universal Healthcare Marketing (Pty) Ltd (registration number 2020/755658/07);
2.1.15. Universal.one Incorporated (company number 5835568), and
2.1.16. Any company which is from time to time, a subsidiary or holding company (as those terms are defined in the Companies Act, 2008) of Universal, a subsidiary (other than Universal) of a holding company of Universal, or a company that forms part of the Employee Share Ownership Scheme.

2.2. The Group Information Officer / Information Officer oversees the functions and responsibilities required in terms of PAIA, as well as the duties and responsibilities in terms of Section 55 of the Protection of Personal Information Act 4 of 2013. All requests for information in terms of PAIA must be addressed to the Information Officer.

3. DEFINITIONS AND ABBREVIATIONS

3.1. “Data Subject” means the person to whom the personal information relates.

3.2. “Information Officer” means the person acting on behalf of the Universal Group of Companies as set out in paragraphs 2.2 and 4 of this Manual.

3.3. “Personal Information” means personal information as defined in Section 1 of the Protection of Personal Information Act 4 of 2013 (“POPIA”).

3.4. “Record” means any recorded information, regardless of form or medium, which is in the possession of or under the control of the Group, irrespective of whether it was created by the Group.

3.5. “Regulator” means the Information Regulator established in terms of the POPI Act, empowered to monitor and enforce compliance by public and private bodies with the provisions of POPIA.

3.6. “Request” means a request for access to a record of the Group.

3.7. “Requester” means any person, including a public body or an official thereof, making a request for access to a record of the Group and includes any person acting on behalf of that person.

3.8. “the Company” refers to any one of the companies listed in paragraph 2.1 and will collectively be referred to as “the Group” for the purposes of this Manual.

4. KEY CONTACTS FOR THE ACCESS TO INFORMATION OF THE UNIVERSAL GROUP

4.1. PAIA provides that a request for access to a record of a private body must be made to the head of that body, i.e. the Chief Executive Officer (CEO), or to any person duly authorised by the CEO (the “Information Officer”) to attend to requests in terms of the Act.

4.2. The Director, Group Legal, Risk & Compliance (Director: GLRC) has been duly authorised by the CEO of the Universal Group of Companies as the Group Information Officer and will attend to all matters in terms of PAIA. The Director: GLRC will accordingly respond to any request made in terms of the Act and, in doing so, will apply the provisions of the Act as summarised below.

4.3. Requests for access to information in terms of the provisions of PAIA and / or POPIA must be directed to the Group Information Officer whose details are set out below:
4.3.1. Information Officer: Ms. Alicia Tait
Telephone: 011 591 9185
Email address: [email protected] 

4.4. Universal Healthcare Group Head Office:
4.4.1. Postal address: PO Box 1411, Rivonia, 2128
Physical address: Universal House, 15 Tambach Road, Sunninghill Park, Sandton, 2191
Telephone: 011 208 1000
Email address: [email protected]
Website: www.universal.co.za

5. GUIDE ON HOW TO EXERCISE RIGHTS IN TERMS OF PAIA – Section 51(1)(b)(i) of PAIA

5.1. The Regulator has, in terms of Section 10(1) of PAIA (as amended), updated the PAIA Guide as initially compiled by the SAHRC. The purpose of the aforesaid Guide is to provide information that is needed by any person who wishes to exercise any right contemplated in PAIA and POPIA.

5.2. This Guide will specifically assist persons or data subjects on how to access his / her or its personal information in terms of Section 23 of POPIA.

5.3. The Guide (in the official languages) can be obtained from the Information Regulator either at their offices by completing the prescribed form, or from the Information Regulator’s website (https://inforegulator.org.za/).

5.4. The details of the Information Regulator are as follows:
5.4.1. Postal address: PO Box 31533, Braamfontein, Johannesburg, 2017
Physical address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2017 
Telephone: 010 023 5200
Fax number: 086 500 3351
Complaints email: [email protected]
Email address: [email protected]
Website: https://inforegulator.org.za/

6. CATEGORIES OF RECORDS

6.1. Some of the records held by the Group are also available in terms of legislation other than PAIA or POPIA. Records that must be made available in terms of that other legislation will be made available in accordance with the requirements of PAIA and this Manual. That legislation includes:
6.1.1. The Companies Act 71 of 2008;
6.1.2. The Medical Schemes Act 131 of 1998 (where it applies to the Administrator of Medical Schemes);
6.1.3. The Financial Sector Regulation Act 9 of 2017;
6.1.4. The Competition Act 89 of 1998;
6.1.5. The Long-Term Insurance Act 52 of 1998;
6.1.6. The Short-Term Insurance Act 53 of 1998;
6.1.7. The Financial Advisory and Intermediary Services Act 37 of 2002;
6.1.8. The National Credit Act 34 of 2005;
6.1.9. The Labour Relations Act 66 of 1995;
6.1.10. Basic Conditions of Employment Act 75 of 1997;
6.1.11. Employment Equity Act 55 of 1998;
6.1.12. The Occupational Health and Safety Act 85 of 1993;
6.1.13. Unemployment Insurance Act 63 of 2001;
6.1.14. The Compensation for Occupational Injuries and Diseases Act 130 of 1993;
6.1.15. Skills Development Levies Act 9 of 1999;
6.1.16. The Financial Intelligence Centre Act 38 of 2001;
6.1.17. The Income Tax Act 58 of 1962;
6.1.18. The Value-Added Tax Act 89 of 1991; and
6.1.19. Any other industry applicable legislation.

6.2. The Group holds various records. The subjects on which the Group holds records, and the categories of records held by the Group are noted below (the list is not exhaustive):
6.2.1. Human Resources:
6.2.1.1. Employee Records
6.2.1.2. Employee Tax Information
6.2.1.3. Pension / Provident Fund Information
6.2.1.4. Employment Contracts
6.2.1.5. Internal policies
6.2.1.6. Internal evaluation records

6.2.2. Finance:
6.2.2.1. Financial statements and other accounting records
6.2.2.2. Banking Statements
6.2.2.3. Accounting reports
6.2.2.4. Creditors and Debtors

6.2.3. Client / suppliers / service providers / independent contractors:
6.2.3.1. Broker information
6.2.3.2. Beneficiaries of medical schemes
6.2.3.3. Health care provider information
6.2.3.4. Medical records of clients
6.2.3.5. Attendance registers, correspondence and contracts with clients
6.2.3.6. Suppliers and contractors’ information

6.2.4. Other business documentation:
6.2.4.1. Correspondence
6.2.4.2. Business plans
6.2.4.3. Statutory documentation
6.2.4.4. Policies, standard operating procedures and protocols
6.2.4.5. Legislative compliance
6.2.4.6. Marketing information

6.3. The listing of a category or subject matter in this Manual does not guarantee access to such records. All requests for access will be evaluated on a case-by-case basis, in accordance with the provisions of PAIA and other applicable legislation. A request for records shall be made in the prescribed form as noted in Annexure B.

7. FORM OF REQUEST FOR RECORDS

7.1. A request for records shall be made using the prescribed form (Annexure B), accompanied by adequate proof of the identity of the requester (such as a certified copy of his / her identity document). If a request is made on behalf of another person, the requester must submit proof of the capacity in which the requester is making the request, to the satisfaction of the Information Officer.

7.2. The prescribed form is also available from the Information Regulator’s website: https://inforegulator.org.za/wp-content/uploads/2020/07/InfoRegSA-PAIA-Form02-Reg7.pdf.

7.3. The prescribed form shall be submitted to the Information Officer named in paragraph 4 hereof. The requester must identify the right that he or she is seeking to exercise or protect and provide an explanation as to why the requested record is required for the exercise or protection of that right.

7.4. The above procedure will apply if the requester is requesting information for personal use and / or on behalf of another person, even if such other person is a permanent employee of the Group.

7.5. The Information Officer will as soon as reasonably possible, and within 30 (thirty) days after the request has been received, decide whether to grant such request or not.

7.6. The requester will be notified of the decision of the Information Officer in the manner indicated by the requester.

7.7. After access is granted, actual access to the record requested will be given as soon as reasonably possible. PAIA provides various grounds for extending the thirty (30) day period. The Information Officer will inform the requester in writing if an extension is required.

7.8. If the request for access is refused, the Information Officer shall advise the requester in writing of the refusal. The notice of refusal will state:
7.8.1. adequate reasons for the refusal; and
7.8.2. that the requester may apply to a court of competent jurisdiction against the refusal of the request, and the period within which such an application must be lodged.

7.9. If all reasonable steps have been taken to find a record requested and there are reasonable grounds to believe it cannot be found or does not exist, the Information Officer must by way of affidavit notify the requester that it is not possible to give access to that record, with an account of the steps taken to find the record.

7.10. If the Information Officer fails to give a decision in the prescribed period, it is deemed, in terms of Section 58 read together with Section 56(1) of PAIA, that the Information Officer has refused the request.

8. REFUSAL OF ACCESS TO RECORDS

8.1. Grounds to Refuse Access
8.1.1. A private body such as the Universal Group is entitled to refuse a request for access to a record on the grounds provided for in PAIA.
8.1.2. The main grounds on which the Group may refuse a request for access relate to the:
8.1.2.1. mandatory protection of the privacy of a third party who is a natural person (including a deceased person) (section 63), where disclosure would involve the unreasonable disclosure of personal information about that person, read with the Protection of Personal Information Act 4 of 2013, which also protects the personal information of juristic persons;
8.1.2.2. mandatory protection of personal information, so that any disclosure of personal information complies, in addition to any other legislative, regulatory or contractual requirements, with the provisions of the Protection of Personal Information Act 4 of 2013;
8.1.2.3. mandatory protection of the commercial information of a third party (section 64), if the record contains:
8.1.2.3.1. trade secrets of the third party;
8.1.2.3.2. financial, commercial, scientific or technical information the disclosure of which could likely cause harm to the financial or commercial interests of that third party;
8.1.2.3.3. information disclosed in confidence by a third party to the Group, if the disclosure could put that third party at a disadvantage in negotiations or commercial competition;
8.1.2.4. mandatory protection of confidential information of third parties (section 65), if it is protected in terms of any agreement;
8.1.2.5. mandatory protection of the safety of individuals and the protection of property (section 66);
8.1.2.6. mandatory protection of records which would be regarded as privileged in legal proceedings (section 67);
8.1.2.7. commercial activities (section 68) of a private body such as the Group, which may include:
8.1.2.7.1. trade secrets of the Group;
8.1.2.7.2. financial, commercial, scientific or technical information the disclosure of which could likely cause harm to the financial or commercial interests of the Group;
8.1.2.7.3. information which, if disclosed, could put the Group at a disadvantage in negotiations or commercial competition;
8.1.2.7.4. a computer program which is owned by the Group and which is protected by copyright;
8.1.2.8. research information (section 69) of the Group or a third party, if its disclosure would reveal the identity of the Group, the researcher or the subject matter of the research and would place the research at a serious disadvantage.
8.1.3. Requests for information that are clearly frivolous or vexatious, or which involve an unreasonable diversion of resources shall be refused.
8.1.4. All requests for information will be assessed on their own merits and in accordance with the applicable legal principles and legislation.
8.1.5. If a requested record cannot be found or if the record does not exist, the Information Officer shall, by way of an affidavit or affirmation, notify the requester that it is not possible to give access to the requested record. Such a notice will be regarded as a decision to refuse a request for access to the record concerned for the purpose of the Act. If the record should later be found, the requester shall be given access to the record in the manner stipulated by the requester in the prescribed form, unless the Information Officer refuses access to such record.

9. FEES PRESCRIBED IN TERMS OF LEGISLATION

9.1. The following applies to requests (other than requests by a personal requester):
9.1.1. A requester is required to pay the prescribed request fee as set out in Annexure A before a request will be processed.
9.1.2. If the search for and preparation of the record requested will require more than the prescribed 6 (six) hours, a deposit shall be paid (of not more than one third of the access fee which would be payable if the request were granted).
9.1.3. A requester may lodge an application with a court against the tender or payment of the request fee and / or deposit.

9.2. Records may be withheld until the fees have been paid.

9.3. The fee structure shall be available by way of regulations published from time to time.

9.4. In addition to the request fee, the reproduction fees are prescribed by the Minister in respect of private bodies such as the Universal Group. Please refer to Annexure A.

10. PROTECTION OF PERSONAL INFORMATION - Section 51(1)(c)(i)-(iii) of PAIA read with section 18 of the POPI Act

10.1. The Group processes certain personal information as defined in the POPI Act, relating to multiple data subjects, from time to time. Such personal information will be processed according to the provisions of the POPI Act.

10.2. Where personal information is collected in terms of specific legislation, the Group will inform the data subject in terms of which legislation that data is collected.

10.3. Data subjects have the right to object to the processing of their personal information.

10.4. Should a data subject require confirmation regarding the existence of personal information processed by the Group or believes that the personal information processed by the Group requires rectification, the data subject is entitled to utilise the processes and procedures set out in this Manual to request access to the records of the Group as set out in Section 18(1)(h)(iii) of the POPI Act.

10.5. The Group will not, without the data subject’s express consent, use their personal information for any purpose other than as specifically agreed to with that data subject.

10.6. The Group is entitled to use or disclose data subjects’ personal information, if such use or disclosure is required to comply with any applicable law, subpoena, criminal investigation, order of court or legal process served on the Group, or to protect and defend the Group’s rights or property.

10.7. The Group undertakes never to sell or make data subjects’ personal information available to any third party other than as specifically agreed to with the data subject.

10.8. The Group will not process personal information concerning:
10.8.1. the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or
10.8.2. the criminal behaviour of a data subject, to the extent that such information relates to (i) the alleged commission by a data subject of any offence, or (ii) any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings, unless:
10.8.2.1. the data subject has given the Group specific consent to process such information;
10.8.2.2. processing is necessary for the establishment, exercise or defence of a right or obligation in law;
10.8.2.3. processing is necessary to comply with an obligation of international public law; or
10.8.2.4. processing is for historical, statistical or research purposes, to the extent that (i) the purpose serves a public interest or (ii) requesting consent would constitute an unreasonable requirement in the circumstances.

10.9. In line with the obligations in terms of Section 22 of the POPI Act, and where there are reasonable grounds to believe that personal information has been accessed or acquired by any unauthorised person, the Group will notify the Information Regulator and the data subject, where possible.

10.10. The Group will:
10.10.1. treat data subjects’ personal information as strictly confidential, save where the Group is entitled to share it as set out in this section;
10.10.2. take appropriate technical and organisational measures to ensure that data subjects’ personal information is kept secure and is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access;
10.10.3. provide data subjects with access to their personal information to view and / or update personal details;
10.10.4. promptly notify data subjects if the Group becomes aware of any unauthorised use, disclosure or processing of their personal information;
10.10.5. provide data subjects with reasonable evidence of the Group’s compliance with their obligations under this section on reasonable notice and request; and
10.10.6. upon data subjects request, promptly return or destroy any and all of their personal information in the Group’s possession or control, save for that which the Group is legally obliged to retain.

10.11. The Group will not retain data subjects’ personal information longer than the period for which it was originally needed, unless required by law to do so, or where data subjects’ consent to the Group retaining such information for a longer period.

10.12. Whilst the Group will do all things reasonably necessary to protect data subjects’ rights of privacy, the Group cannot guarantee or accept any liability whatsoever for unauthorised or unlawful disclosures of data subjects’ personal information, whilst in its possession, made by third parties who are not subject to the Group’s direct control, unless such disclosure is as a result of the Group’s gross negligence.

10.13. Should a data subject believe that the Group has used their personal information contrary to this Manual and the provisions of the POPI Act, the data subject should first attempt to resolve any concerns with the Group. If the data subject is not satisfied, they have the right to lodge a complaint with the Information Regulator, established in terms of the POPI Act (whose postal and physical addresses and complaints email address are set out in paragraph 5.4 of this Manual).

11. TRANSBORDER FLOWS OF PERSONAL INFORMATION – Section 51(1)(c)(iv) of PAIA and Section 18(1)(g) of the POPI Act

11.1. The Group may from time to time need to transfer authorised personal information to another country for storage purposes, the rendering of services by a foreign third-party service provider or any other reason as agreed to by the data subject.

11.2. The Group will ensure that any person that receives data subjects’ personal information agrees to treat the information with the same level of protection as the Group is obliged to provide in terms of Section 72 of the POPI Act, read with any applicable international data protection laws.

12. SECURITY MEASURES TO PROTECT PERSONAL INFORMATION – Section 51(1)(c)(v) of PAIA

12.1. The security measures implemented by the Group to ensure the confidentiality, integrity and availability of personal information are listed below:

12.2. Physical Security Measures:
12.2.1. Access control to the premises and certain key areas, which access is restricted to authorised personnel.
12.2.2. Devices and user stations are password protected.
12.2.3. Devices (laptops or otherwise) and user stations are safely secured by case lock or otherwise when not in use.
12.2.4. Servers are stored in access-controlled rooms.
12.2.5. Security gate at the premises.
12.2.6. On site security guards.

12.3. Cyber Security Measures:
12.3.1. Firewalls
12.3.2. Virus protection
12.3.3. Data encryption
12.3.4. Systems and devices are automatically locked after certain periods of inactivity
12.3.5. Data is backed up.

13. AVAILABILITY OF THE MANUAL

13.1. A copy of the Manual is available:
13.1.1. on the Group’s website – www.universal.co.za
13.1.2. at the Head Office of the Group (Universal House) for public inspection during normal business hours, and to any person upon request and upon payment of a reasonable prescribed fee; and
13.1.3. to the Information Regulator upon request.

ANNEXURE A

FEES

1. The request fee payable by every requester: R140.00
2. Photocopy / printed black & white copy of an A4-size page: R2.00 per page or part thereof
3. Printed copy of an A4-size page: R2.00 per page or part thereof
4. Copy in a computer-readable form on:
   (i) flash drive (to be provided by the requester): R40.00
   (ii) compact disc, if provided by the requester: R40.00
   (ii) compact disc, if provided to the requester: R60.00
5. Transcription of visual images, per A4-size page: service to be outsourced and dependent on quotation from service provider
6. Copy of visual images: service to be outsourced and dependent on quotation from service provider
7. Transcription of an audio record, per A4-size page: R24.00
8. Copy of an audio record on:
   (i) flash drive (to be provided by the requester): R40.00
   (ii) compact disc, if provided by the requester: R40.00
   (ii) compact disc, if provided to the requester: R60.00
9. Search for and preparation of the record for disclosure, for each hour or part of an hour (excluding the first hour) reasonably required for such search and preparation: R145.00, not to exceed a total cost of R145.00
10. Deposit, if the search exceeds 6 hours: one third of the amount per request calculated in terms of items 2 to 8
11. Postage, e-mail or any other electronic transfer: actual expense, if any

ANNEXURE B

INFORMATION REQUEST FORM

REQUESTS IN RELATION TO YOUR RIGHTS IN TERMS OF THE PROTECTION OF PERSONAL INFORMATION ACT NO 4 OF 2013 (POPIA)

In terms of Section 5 of POPIA (rights of data subjects), read in conjunction with Sections 23 and 24 of POPIA, you have the right to have your personal information processed in accordance with the conditions for the lawful processing of personal information, including the right to establish whether a responsible party holds your personal information and to request access to it, and you also have the right to request, where necessary, the correction, destruction or deletion of your personal information as provided for by the provisions of the Act.

Note:

  1. All Personal Information collected in this form is for the purposes of assessing and giving effect to your requests. For more information on our processing activities, please contact our legal department at [email protected].
  2. Affidavits or other documentary evidence as applicable in support of your requests may be attached.
  3. If the space provided for in this form is inadequate, submit information as an Annexure to this form and sign each page.
  4. All completed requests with supporting documentation must be submitted to the relevant department which you require your information from.

Mark the appropriate request box with “x” or a tick and complete only the relevant sections:

[ ] Objection to the processing of your personal information: complete A, B, C, F, I
[ ] Correction or deletion of personal information about the data subject in the possession or under the control of the Universal Group that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully: complete A, B, D, F, I
[ ] Destruction or deletion of a record of personal information about the data subject that the Universal Group is no longer authorised to retain: complete A, B, E, F, I
[ ] Request for access to records: complete A, B, F, G, H, I

ANNEXURE C

ACCESS TO INFORMATION IN THE UNITED STATES OF AMERICA (USA)

The Privacy Rule generally requires HIPAA covered entities (health plans and most health care providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice. Individuals have a right to access this PHI for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated (e.g., whether the covered entity, another provider, the patient, etc.).

Information Included in the Right of Access: The “Designated Record Set”

Individuals have a right to access PHI in a “designated record set.” A “designated record set” is defined at 45 CFR 164.501 as a group of records maintained by or for a covered entity that comprises the:

  • Medical records and billing records about individuals maintained by or for a covered health care provider;
  • Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
  • Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. This last category includes records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.

The term “record” means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity.

Thus, individuals have a right to a broad array of health information about themselves maintained by or for covered entities, including: medical records; billing and payment records; insurance information; clinical laboratory test results; medical images, such as X-rays; wellness and disease management program files; and clinical case notes; among other information used to make decisions about individuals. In responding to a request for access, a covered entity is not, however, required to create new information, such as explanatory materials or analyses, that does not already exist in the designated record set.

Information Excluded from the Right of Access

An individual does not have a right to access PHI that is not part of a designated record set because the information is not used to make decisions about individuals. This may include certain quality assessment or improvement records, patient safety activity records, or business planning, development, and management records that are used for business decisions more generally rather than to make decisions about individuals. For example, a hospital’s peer review files or practitioner or provider performance evaluations, or a health plan’s quality control records that are used to improve customer service or formulary development records, may be generated from and include an individual’s PHI but might not be in the covered entity’s designated record set and subject to access by the individual.

In addition, two categories of information are expressly excluded from the right of access:

  • Psychotherapy notes, which are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session, that are maintained separate from the rest of the patient’s medical record. See 45 CFR 164.524(a)(1)(i) and 164.501.
  • Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. See 45 CFR 164.524(a)(1)(ii).

However, the underlying PHI from the individual’s medical or payment records or other records used to generate the above types of excluded records or information remains part of the designated record set and subject to access by the individual.

Personal Representatives

An individual’s personal representative (generally, a person with authority under State law to make health care decisions for the individual) also has the right to access PHI about the individual in a designated record set (as well as to direct the covered entity to transmit a copy of the PHI to a designated person or entity of the individual’s choice), upon request, consistent with the scope of such representation and the requirements discussed below. See 45 CFR 164.502(g) and https://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/personalreps.html for more information about the rights that can be exercised by personal representatives.

Requests for Access
Requiring a Written Request

A covered entity may require individuals to request access in writing, provided the covered entity informs individuals of this requirement. See 45 CFR 164.524(b)(1). Covered entities also may offer individuals the option of using electronic means (e.g., e-mail, secure web portal) to make requests for access. In addition, a covered entity may require individuals to use the entity’s own supplied form, provided use of the form does not create a barrier to or unreasonably delay the individual from obtaining access to his PHI, as described below.

Verification

The Privacy Rule requires a covered entity to take reasonable steps to verify the identity of an individual making a request for access. See 45 CFR 164.514(h). The Rule does not mandate any particular form of verification (such as obtaining a copy of a driver’s license), but rather generally leaves the type and manner of the verification to the discretion and professional judgment of the covered entity, provided the verification processes and measures do not create barriers to or unreasonably delay the individual from obtaining access to her PHI, as described below. Verification may be done orally or in writing and, in many cases, the type of verification may depend on how the individual is requesting and/or receiving access – whether in person, by phone (if permitted by the covered entity), by faxing or e-mailing the request on the covered entity’s supplied form, by secure web portal, or by other means. For example, if the covered entity requires that access requests be made on its own supplied form, the form could ask for basic information about the individual that would enable the covered entity to verify that the person requesting access is the subject of the information requested or is the individual’s personal representative. For those covered entities providing individuals with access to their PHI through web portals, those portals should already be set up with appropriate authentication controls, as required by 45 CFR 164.312(d) of the HIPAA Security Rule, to ensure that the person seeking access is the individual or the individual’s personal representative.

Unreasonable Measures

While the Privacy Rule allows covered entities to require that individuals request access in writing and requires verification of the identity of the person requesting access, a covered entity may not impose unreasonable measures on an individual requesting access that serve as barriers to or unreasonably delay the individual from obtaining access. For example, a doctor may not require an individual:

  • Who wants a copy of her medical record mailed to her home address to physically come to the doctor’s office to request access and provide proof of identity in person.
  • To use a web portal for requesting access, as not all individuals will have ready access to the portal.
  • To mail an access request, as this would unreasonably delay the covered entity’s receipt of the request and thus, the individual’s access.

While a covered entity may not require individuals to request access in these manners, a covered entity may permit an individual to do so, and covered entities are encouraged to offer individuals multiple options for requesting access.

Providing Access
Form and Format and Manner of Access

The Privacy Rule requires a covered entity to provide the individual with access to the PHI in the form and format requested, if readily producible in that form and format, or if not, in a readable hard copy form or other form and format as agreed to by the covered entity and individual. See 45 CFR 164.524(c)(2)(i). If the individual requests electronic access to PHI that the covered entity maintains electronically, the covered entity must provide the individual with access to the information in the requested electronic form and format, if it is readily producible in that form and format, or if not, in an agreed upon alternative, readable electronic format. See 45 CFR 164.524(c)(2)(ii). The terms “form and format” refer to how the PHI is conveyed to the individual (e.g., on paper or electronically, type of file, etc.). Thus:

  • Requests for Paper Copies – Where an individual requests a paper copy of PHI maintained by the covered entity either electronically or on paper, it is expected that the covered entity will be able to provide the individual with the paper copy requested.
  • Requests for Electronic Copies – Where an individual requests an electronic copy of PHI that a covered entity maintains only on paper, the covered entity is required to provide the individual with an electronic copy if it is readily producible electronically (e.g., the covered entity can readily scan the paper record into an electronic format) and in the electronic format requested if readily producible in that format, or if not, in a readable alternative electronic format or hard copy format as agreed to by the covered entity and the individual.
  • Where an individual requests an electronic copy of PHI that a covered entity maintains electronically, the covered entity must provide the individual with access to the information in the requested electronic form and format, if it is readily producible in that form and format. When the PHI is not readily producible in the electronic form and format requested, then the covered entity must provide access to an agreed upon alternative readable electronic format. See 45 CFR 164.524(c)(2)(ii). This means that, while a covered entity is not required to purchase new software or equipment in order to accommodate every possible individual request, the covered entity must have the capability to provide some form of electronic copy of PHI maintained electronically. It is only if the individual declines to accept any of the electronic formats readily producible by the covered entity that the covered entity may satisfy the request for access by providing the individual with a readable hard copy of the PHI.

The covered entity also may provide the individual with a summary of the PHI requested, in lieu of providing access to the PHI, or may provide an explanation of the PHI to which access has been provided in addition to that PHI, so long as the individual in advance: (1) chooses to receive the summary or explanation (including in the electronic or paper form being offered by the covered entity); and (2) agrees to any fees (as explained below in the Section describing permissible Fees for Copies) that may be charged by the covered entity for the summary or explanation. See 45 CFR 164.524(c)(2)(iii).

A covered entity also must provide access in the manner requested by the individual, which includes arranging with the individual for a convenient time and place to pick up a copy of the PHI or to inspect the PHI (if that is the manner of access requested by the individual), or to have a copy of the PHI mailed or e-mailed, or otherwise transferred or transmitted to the individual to the extent the copy would be readily producible in such a manner. Whether a particular mode of transmission or transfer is readily producible will be based on the capabilities of the covered entity and the level of security risk that the mode of transmission or transfer may introduce to the PHI on the covered entity’s systems (as opposed to security risks to the PHI once it has left the systems). A covered entity is not expected to tolerate unacceptable levels of risk to the security of the PHI on its systems in responding to requests for access; whether the individual’s requested mode of transfer or transmission presents such an unacceptable level of risk will depend on the covered entity’s Security Rule risk analysis. See 45 CFR 164.524(c)(2) and (3), and 164.308(a)(1). However, mail and e-mail are generally considered readily producible by all covered entities. It is expected that all covered entities have the capability to transmit PHI by mail or e-mail (except in the limited case where e-mail cannot accommodate the file size of requested images), and transmitting PHI in such a manner does not present unacceptable security risks to the systems of covered entities, even though there may be security risks to the PHI while in transit (such as where an individual has requested to receive her PHI by, and accepted the risks associated with, unencrypted e-mail). Thus, a covered entity may not require that an individual travel to the covered entity’s physical location to pick up a copy of her PHI if the individual requests that the copy be mailed or e-mailed.

Timeliness in Providing Access

In providing access to the individual, a covered entity must provide access to the PHI requested, in whole, or in part (if certain access may be denied as explained below), no later than 30 calendar days from receiving the individual’s request. See 45 CFR 164.524(b)(2). The 30 calendar days is an outer limit and covered entities are encouraged to respond as soon as possible. Indeed, a covered entity may have the capacity to provide individuals with almost instantaneous or very prompt electronic access to the PHI requested through personal health records, web portals, or similar electronic means. Further, individuals may reasonably expect a covered entity to be able to respond in a much faster timeframe when the covered entity is using health information technology in its day-to-day operations.

If a covered entity is unable to provide access within 30 calendar days — for example, where the information is archived offsite and not readily accessible — the covered entity may extend the time by no more than an additional 30 days. To extend the time, the covered entity must, within the initial 30 days, inform the individual in writing of the reasons for the delay and the date by which the covered entity will provide access. Only one extension is permitted per access request.

Fees for Copies

The Privacy Rule permits a covered entity to impose a reasonable, cost-based fee if the individual requests a copy of the PHI (or agrees to receive a summary or explanation of the information). The fee may include only the cost of: (1) labor for copying the PHI requested by the individual, whether in paper or electronic form; (2) supplies for creating the paper copy or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media; (3) postage, when the individual requests that the copy, or the summary or explanation, be mailed; and (4) preparation of an explanation or summary of the PHI, if agreed to by the individual. See 45 CFR 164.524(c)(4). The fee may not include costs associated with verification; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; or other costs not listed above even if such costs are authorized by State law.

Denial of Access

Grounds for Denial

Under certain limited circumstances, a covered entity may deny an individual’s request for access to all or a portion of the PHI requested. In some of these circumstances, an individual has a right to have the denial reviewed by a licensed health care professional designated by the covered entity who did not participate in the original decision to deny.

Unreviewable grounds for denial (45 CFR 164.524(a)(2)):

  • The request is for psychotherapy notes, or information compiled in reasonable anticipation of, or for use in, a legal proceeding.
  • An inmate requests a copy of her PHI held by a covered entity that is a correctional institution, or health care provider acting under the direction of the institution, and providing the copy would jeopardize the health, safety, security, custody, or rehabilitation of the inmate or other inmates, or the safety of correctional officers, employees, or other persons at the institution or responsible for the transporting of the inmate. However, in these cases, an inmate retains the right to inspect her PHI.
  • The requested PHI is in a designated record set that is part of a research study that includes treatment (e.g., clinical trial) and is still in progress, provided the individual agreed to the temporary suspension of access when consenting to participate in the research. The individual’s right of access is reinstated upon completion of the research.
  • The requested PHI is in Privacy Act protected records (i.e., certain records under the control of a federal agency, which may be maintained by a federal agency or a contractor to a federal agency), if the denial of access is consistent with the requirements of the Act.
  • The requested PHI was obtained by someone other than a health care provider (e.g., a family member of the individual) under a promise of confidentiality, and providing access to the information would be reasonably likely to reveal the source of the information.

Reviewable grounds for denial (45 CFR 164.524(a)(3)). A licensed health care professional has determined in the exercise of professional judgment that:

  • The access requested is reasonably likely to endanger the life or physical safety of the individual or another person. This ground for denial does not extend to concerns about psychological or emotional harm (e.g., concerns that the individual will not be able to understand the information or may be upset by it).
  • The access requested is reasonably likely to cause substantial harm to a person (other than a health care provider) referenced in the PHI.
  • The provision of access to a personal representative of the individual that requests such access is reasonably likely to cause substantial harm to the individual or another person.

Note that a covered entity may not require an individual to provide a reason for requesting access, and the individual’s rationale for requesting access, if voluntarily offered or known by the covered entity or business associate, is not a permitted reason to deny access. In addition, a covered entity may not deny access because a business associate of the covered entity, rather than the covered entity itself, maintains the PHI requested by the individual (e.g., the PHI is maintained by the covered entity’s electronic health record vendor or is maintained by a records storage company offsite).

Carrying Out the Denial

If the covered entity denies access, in whole or in part, to PHI requested by the individual, the covered entity must provide a denial in writing to the individual no later than within 30 calendar days of the request (or no later than within 60 calendar days if the covered entity notified the individual of an extension). See 45 CFR 164.524(b)(2). The denial must be in plain language and describe the basis for denial; if applicable, the individual’s right to have the decision reviewed and how to request such a review; and how the individual may submit a complaint to the covered entity or the HHS Office for Civil Rights. See 45 CFR 164.524(d).

If the covered entity (or one of its business associates) does not maintain the PHI requested, but knows where the information is maintained, the covered entity must inform the individual where to direct the request for access. See 45 CFR 164.524(d)(3).

The covered entity must, to the extent possible and within the above timeframes, provide the individual with access to any other PHI requested, after excluding the PHI to which the entity has a ground to deny access. See 45 CFR 164.524(d)(1). Complexity in segregating the PHI does not excuse the obligation to provide access to the PHI to which the ground for denial does not apply.

Review of Denial

If the denial was based on a reviewable ground for denial and the individual requests review, the covered entity must promptly refer the request to the designated reviewing official. The reviewing official must determine, within a reasonable period of time, whether to reaffirm or reverse the denial. The covered entity must then promptly provide written notice to the individual of the determination of the reviewing official, as well as take other action as necessary to carry out the determination. See 45 CFR 164.524(d)(4).