Health Information Compliance Alert

Reader Question:

Do You Need To Provide Patients With Really Old Health Data?

Question: A patient has asked for copies of his medical records, but he wants records from many years ago — long before we began using our current records system. The records are so old, in fact, that we’ve archived them and store them at another location. Do we still need to comply with the patient’s record request for these old records?

Answer: Yes, you must provide these records. According to guidance from the U.S. Department of Health and Human Services (HHS), an individual has a right to access their protected health information (PHI) in a medical record or other designated record set that a covered entity (CE) maintains, regardless of the date the PHI was created.

It also doesn’t matter whether you maintain this data onsite or remotely, or whether it is archived. HIPAA provides very limited grounds under which a CE may deny an individual access to their PHI in a designated record set, but these grounds do not include the age or location of the PHI.

For more information on an individual’s right to access PHI, see the HHS guidance at www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.