As part of the European Union’s initiatives toward improving the privacy of personal data, the EU also aims to improve visibility into the data companies collect on their citizens. To achieve this goal, the EU gave every citizen the right of access under the General Data Protection Regulation. This allows citizens to request access to all data the organization stores and collects on them.
On top of the EU’s initiatives to improve visibility into data companies, Americans also have a right of access to data stored related to their healthcare. This right comes from the Health Insurance Portability and Accountability Act (HIPPA). It allows a citizen to request access to their health records as stored by any healthcare provider.
In this article we explore the obligations when individuals exercise their right of access, this article covers the following topics:
- What are the Rights of Access?
- How to Comply with a Right of Access Request
- Best Practices for Maintaining Compliance with Right of Access Regulations
To learn more about Data Privacy with Satori read our Data Privacy Guide.
What are the Rights of Access?
The right of access, also known as the right to access or the right of data subject access, is a fundamental right under the General Data Protection Regulation (GDPR). In addition to the GDPR, the Health Insurance Portability and Accountability Act (HIPAA) also includes provisions related to the rights of access. HIPAA is a US law that protects the privacy and security of health information.
General Data Protection Regulation (GDPR)
The rights of access gives individuals the right to obtain confirmation from a controller (an organization that processes personal data) about whether or not their personal data is being processed, and, if so, to access that personal data and certain information about the processing.
The right of access allows individuals to:
- Confirm whether their personal data is being processed
- Access their personal data
- Obtain information about the processing of their personal data, such as the purposes of the processing, the categories of personal data being processed, and the recipients or categories of recipients to whom the personal data has been or will be disclosed
- Obtain a copy of their personal data that is being processed
Individuals have the right to exercise their right of access at any time and at no charge. However, some circumstances allow a controller to charge a reasonable fee based on administrative costs for additional copies of personal data.
Health Insurance Portability and Accountability Act (HIPAA)
Under HIPAA, individuals have the right to access their health information, including their medical records and billing records. This includes the right to:
- Request a copy of their health information
- Request that their health information be provided to them in a specific format, such as electronically or on paper
- Request that their health information be provided to a third party, such as another healthcare provider or family member
HIPAA requires covered entities (such as healthcare providers, health plans, and healthcare clearinghouses) to provide individuals with access to their health information within 30 days of receiving a request. Covered entities may charge a reasonable fee for the cost of copying and mailing the information.
How to Comply with a Right of Access Request
Whether it’s a request under the GDPR or HIPAA, complying with a request from an individual exercising their right of access to their data follows a similar procedure. Roughly, data controllers can comply with these requests by following these five steps:
- Verify the identity of the requestor: It is important to verify the identity of the individual making the request to ensure that the personal data is only provided to the correct person. This may involve requesting identification or other documentation.
- Confirm that the request is a valid right of access request: Make sure that the request is a valid right of access request and not something else, such as a request to erase personal data or object to its processing.
- Locate and retrieve personal data: This may involve accessing electronic records or paper files.
- Provide the requested personal data: Provide the personal data to the requestor in the format that they have requested, if possible. If the request is for a copy of the personal data, make sure to provide a copy rather than the original.
- Respond within the required timeframe: Under the GDPR, organizations must respond to a right of access request within one month, although this period can be extended by two further months if the request is complex or if the organization has received a large number of requests. Under HIPAA, covered entities must respond within 30 calendar days of receiving the request.
Best Practices for Maintaining Compliance with Right of Access Regulations
Complying with Right of Access requests requires a set procedure. So, here are five best practices you can use to create a process that works best for your organization:
- Establish clear processes and procedures: Ensure that processes and procedures for handling right of access requests, including procedures for verifying the identity of the requestor, locating and retrieving the personal data, and providing the personal data in the format requested.
- Train employees: Employees should understand and know the processes and procedures for handling right of access requests, as well as on their obligations under the GDPR and HIPAA.
- Keep accurate records: Records all right of access requests, including the date of the request, the personal data that was requested, and the action taken in response to the request.
- Respond promptly: Make sure to respond to the right of access requests promptly and within the required timeframe.
- Respect the requestor’s rights: Respect the requestor’s rights under the GDPR and HIPAA, including their right to access their personal data and to have it provided to them in a specific format.
Right of Access requests under the GDPR or HIPAA can cause strain in an organization. To comply, organizations need to provide all data on the requester without a fee associated with the request unless the request falls under specific circumstances. But, responding to right of access requests can be simple with the right tools at your disposal. Satori’s Data Security Platform can help your organization efficiently respond to the right of access requests.
To learn more: