5.2 Patient Access and Portal Governance
Key Takeaways
- The HIPAA right of access (45 CFR 164.524) requires action within 30 days (one 30-day extension allowed with written notice), and the fee must be reasonable and cost-based.
- The ONC Information Blocking rule (21st Century Cures Act) prohibits practices that interfere with access, exchange, or use of electronic health information (EHI) absent an exception — late or obstructed portal access can be an information-blocking violation.
- Portals are governed access channels needing identity proofing, proxy controls, support scripts, release-status tracking, and error-handling, not unmanaged convenience tools.
- An RHIA watches for barriers — confusing instructions, inconsistent staff answers, unclear escalation — and reads access metrics to confirm the organization meets its access obligations.
Govern Patient Access as a Legal Right
The HIPAA right of access at 45 CFR 164.524 entitles individuals to inspect and obtain a copy of PHI in a designated record set. Memorize the operating numbers: a covered entity must act within 30 calendar days, may take one 30-day extension with written notice of the reason and a new date, must provide records in the form and format requested if readily producible, and may charge only a reasonable, cost-based fee (labor for copying, supplies, postage, and preparing an explanation if requested). The 2024 OCR guidance is clear that per-page state fee schedules cannot be used to inflate electronic-copy fees.
Layered on top is the ONC Information Blocking rule under the 21st Century Cures Act, effective for actors since 2021. A practice that interferes with the access, exchange, or use of electronic health information (EHI) — for example, deliberately delaying portal release of results or imposing unnecessary procedural hurdles — can be information blocking unless it fits one of the eight exceptions (Preventing Harm, Privacy, Security, Infeasibility, etc.). On the exam, a 'we delay all results 14 days as a courtesy' policy is a red flag.
Portals Are a Governed Workflow
A portal question is never only an IT question. It bundles patient rights, privacy, authentication, proxy authority, release scope, support, and audit. Govern each layer:
| Portal or access issue | Governance concern | RHIA action |
|---|---|---|
| New patient cannot enroll | Inconsistent identity proofing/support | Standardize enrollment workflow, scripts, help-desk handoff |
| Parent or caregiver wants access | Proxy authority and limits must be verified | Apply proxy policy; document the access basis |
| Patient says info is missing | Release scope or interface timing unclear | Check request status; route documentation concerns |
| Portal exposes wrong patient | Data integrity and privacy risk | Contain, escalate, investigate, correct source issue |
| Patient wants another delivery method | 164.524 format right vs. secure delivery | Offer approved alternatives; document decision |
Identity Proofing and Proxy
Identity proofing should follow a defined standard (many systems align to NIST 800-63 assurance levels). Proxy access is the most error-prone area: a minor aging to majority, a divorce changing custody, or a revoked power of attorney all change authority. Build periodic proxy review, immediate revocation handling, and a fast path to unlink incorrectly merged accounts. Never assume last year's proxy still holds.
Amendment and Metrics
When a patient sees information they believe is wrong, the response is the HIPAA amendment process (164.526), not deletion or informal editing. The entity has 60 days to act (one 30-day extension), may deny on defined grounds, and must let the patient submit a statement of disagreement. Track these access metrics:
- Request aging against the 30-day clock and extension usage.
- Portal enrollment failure and abandonment rates.
- Complaint themes and amendment turnaround.
- Error-correction (wrong-patient) time-to-resolution.
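The 30-day clock, the single extension, and the request-aging metric above can be tracked mechanically. The following is an added illustration, not code from the original text: it models each access request, applies the 164.524 timing rules (a written extension notice only counts if it went out before the original deadline), and rolls the results up into the aging counts an RHIA would review. The request records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ACCESS_DAYS = 30      # 45 CFR 164.524: act within 30 calendar days of receipt
EXTENSION_DAYS = 30   # one extension, only with written notice before the clock runs

@dataclass
class AccessRequest:
    request_id: str
    received: date
    extension_notice: Optional[date] = None  # date written notice of extension was sent
    fulfilled: Optional[date] = None         # date records were provided, if at all

    def extension_applies(self) -> bool:
        # A notice sent after the original 30-day deadline does not rescue the request.
        original_due = self.received + timedelta(days=ACCESS_DAYS)
        return self.extension_notice is not None and self.extension_notice <= original_due

    def due_date(self) -> date:
        due = self.received + timedelta(days=ACCESS_DAYS)
        if self.extension_applies():
            due += timedelta(days=EXTENSION_DAYS)
        return due

    def status(self, today: date) -> str:
        due = self.due_date()
        if self.fulfilled is not None:
            return "on_time" if self.fulfilled <= due else "late"
        return "overdue" if today > due else "open"

def aging_report(requests, today):
    """Counts by status plus how many requests used a valid extension."""
    report = {"open": 0, "overdue": 0, "on_time": 0, "late": 0, "extended": 0}
    for r in requests:
        report[r.status(today)] += 1
        report["extended"] += int(r.extension_applies())
    return report

# Constructed sample request log (hypothetical data, not from any real system).
TODAY = date(2024, 4, 15)
SAMPLE = [
    AccessRequest("R1", date(2024, 3, 1), fulfilled=date(2024, 3, 20)),
    AccessRequest("R2", date(2024, 3, 1), extension_notice=date(2024, 3, 25)),
    AccessRequest("R3", date(2024, 2, 1)),
    AccessRequest("R4", date(2024, 2, 1), extension_notice=date(2024, 3, 20),
                  fulfilled=date(2024, 3, 25)),
]
```

Run `aging_report(SAMPLE, TODAY)` to see R3 flagged overdue and R4 counted late because its extension notice went out after the original deadline had already passed.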
Designated Record Set and Format Rights
The access right reaches the designated record set (DRS) — the medical and billing records used to make decisions about the individual, plus enrollment, payment, and case-management records for plans. It does not automatically include psychotherapy notes (kept separate under 164.508) or information compiled for litigation. When a patient requests an electronic copy of EHI maintained electronically, the entity must provide it electronically in the requested form if readily producible; it cannot force paper to discourage requests.
The patient may also direct the entity to transmit a copy to a third party in writing — a frequently tested 164.524 right that ROI staff sometimes confuse with a third-party authorization.
Fee Calculation Example
Suppose a patient asks for an electronic copy of a 200-page electronic record. Permissible cost-based charges are limited to actual labor for copying the electronic file, supplies for any portable media requested, and postage if mailed — not a per-page state fee schedule. OCR also permits a flat fee of up to $6.50 for electronic copies of records maintained electronically when the entity does not want to calculate actual costs. Charging $1.00 per page here would be an over-charge and a potential access violation. This is a classic distractor: the 'state allows $1/page' option is wrong for electronic access.
Note that when a patient directs the records to a third party, the same patient-rate fee cap applies; when a third party requests records under its own authorization, ordinary state fee schedules may apply. Mixing those two pathways is a frequent exam trap and a frequent real-world over-billing error.
Exam Stance
Choose the answer that supports access while controlling risk. Refusing because a request is inconvenient is weak and risks an information-blocking finding. Releasing through an unverified channel is also weak. The RHIA answer is to verify, educate, route, document, and improve the workflow so access is both patient-centered and compliant. Connect the roles: clerks need scripts, analysts need tickets, the Privacy Officer needs incident reports, and the HIM director needs metrics and policy revision — so the patient never has to navigate internal silos and never waits past the 30-day clock.
Practice Questions
- A patient cannot enroll in the portal because identity proofing repeatedly fails, and staff give different instructions each time. What should the RHIA leader address first?
- A clinic delays releasing all lab results to the portal for 14 days 'so the doctor can review them first.' Which compliance risk does this most directly raise?
- A patient reports that another person's information appears in their portal. What is the best first response?