OSIS Insights


HIPAA Protected Documentation and the NextGen PHI Log

Posted by Nicole Miller on Mar 8, 2021 9:00:00 AM

In this article, we will highlight Right of Access in the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and the NextGen PHI Log, a template in NextGen to use when releasing protected health information (PHI). Before we review the NextGen PHI Log, we will highlight key HIPAA Privacy Rules, discuss HIPAA requirements for providing medical records to patients (Right of Access), and then review the NextGen PHI Log Template.

History of HIPAA Privacy Rules 

1996: HIPAA law passed by Congress 

2003: Privacy Rule went into effect 

2005: Security Rule went into effect 

2009: HITECH enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009 

  • CMS Incentive Programs such as Meaningful Use 
  • Significant changes to HIPAA 

2013: HIPAA/HITECH Omnibus Final Rule Published 

  • Defines Business Associate and Breach Notification Requirements 

As the timeline above shows, the 2013 Omnibus Final Rule compiles and updates all the HIPAA Rules, placing them in the context of the adoption of health information technology.

The HIPAA Security Rule requires covered entities and their business associates to conduct a risk assessment of their healthcare organization to ensure it complies with HIPAA’s administrative, physical, and technical safeguards. Conducting a risk assessment can also reveal where your organization’s PHI may be at risk. A good example of this is the free Security Risk Assessment tool provided through The Office of the National Coordinator for Health Information Technology, which can help you walk through this process.

HIPAA Right of Access to PHI 

The Privacy Rule requires HIPAA covered entities to provide individuals with access to their PHI managed by the covered entity. 

  • This includes the right to inspect or obtain a copy.  
  • Also, this gives the right to direct the covered entity to transmit a copy to the designated person or entity of the person’s choice. 
  • Requests must be responded to no later than 30 calendar days from the request, unless the requester is notified that additional time is required to respond.

Individuals have a right to access PHI in a “designated record set,” defined as a group of records maintained by or for a covered entity:

  • Medical and/or billing records 
  • Enrollment, payment, claims adjudication, and case/medical management record systems maintained by or for a health plan. 
  • Other records used to make decisions about individuals. 

Two categories are excluded: 

  • Psychotherapy notes 
  • Information compiled in reasonable anticipation of, or for use in a civil, criminal, or administrative action or proceeding. 

Providing individuals with easy access to health information can lead to better patient care, give them control of decisions regarding their health, support management of chronic conditions and treatment plans, help them find and fix errors and track progress, and directly contribute to their overall well-being. Advancement in health information technology has allowed patients to access their PHI faster and more easily, enabling patients to take the driver’s seat in the transition to a more patient-centered health care approach.

Health Centers Act Now! 

The Office of Civil Rights (OCR) is the enforcement entity of HIPAA Rules. They work in close partnership with The Office of National Coordinator of Health Information Technology to develop resources to assist with compliance and effective implementation. The OCR has identified enforcement of Right of Access as a top priority to support individuals’ right to timely access to their health records under the HIPAA Privacy Rule. Their initiative announced in 2019 has led to over 14 settlements, to date, to enforce respect of the patient’s rights to timely access to their medical records. From this, health centers have started assessing their policies and procedures and implementing new initiatives to coincide with the Security Rule.  

While most practices have a standard medical release request form, many have not updated it to reflect changes in policy or the method by which the requestor would like to receive the PHI. Ask yourself: how often does your practice review and update its policies and procedures? Are your new employees aware of the timelines under the Rule to release and respond to requests for PHI?

How does NextGen Offer Health Centers Assistance with PHI? 

NextGen offers a demographic template to help document medical record releases.  The PHI Log is a demographic template that is not encounter-based. There is a default link on the Patient Information Bar (PIB), or you can access the template icon from the history bar. This template helps document releases of PHI in accordance with HIPAA requirements.  

Disclosures of PHI

The date requested field should be the date the patient or other entity/provider requested the documents. As we learned earlier, the OCR is enforcing respect of the patient’s right to timely access to their medical records. Once this date is entered, the clock starts, and the practice has 30 days to respond to the request. Entering this date correctly will assist in monitoring whether your practice is compliant with requirements for providing records in a timely manner. Entering detailed information on the  is also particularly important to be entered correctly for future reference.

Date Requested

Who Requested

Practices must record what PHI was released to meet HIPAA requirements.

What was released

This section provides the ability to document when the request was processed and accompanying information, along with an indication of whether the release was related to a transition of care.

Request is Processed

The following is an example of documentation for a release request providing time stamps for request and response date, along with key information required for Accounting Disclosure reporting under HIPAA. 

Documentation for Release Request

The two examples below show based upon information entered for the release. This grid on the PHI template provides a quick view of key information that was recorded.

Example 1 

Disclosures of PHI Log 1

Example 2 

Disclosures of PHI Log

NextGen can generate a PHI Log Report with defined Start/End dates to provide upon a request for disclosures. A patient has the right to request this information, and the practice must respond within a defined timeline. Based on the examples above, we have pulled the PHI Log Report to show how helpful this report is for viewing the PHI that was requested.

PHI Log Report

Example 1 

Example 1 PHI Log Report

Example 2 

Example 2 PHI Log Report

Questions to Ask When Reviewing Policies and Procedures 

  • How often does your organization review and edit existing HIPAA policies and forms?
  • If changes are made, how is this communicated to staff?
  • If you use paper forms, are old versions destroyed?
  • If you use signature pads, do you have the newest form available in a format that a patient could review if requested?

Preparing your Practice for PHI Released Documentation 

  • Review policies and procedures and update accordingly. 
  • Forms updated and easily accessible. 
  • Confirm your staff is aware of processes and workflow when a request is submitted. 
  • Confirm staff person responsible for each step. 
  • Monitor compliance for timely response requests. 
  • Training on NextGen documentation workflow. 


U.S. Department of Health and Human Services 

Proposed Modifications to the HIPAA Privacy Rule 

Health Information and the Law 

The HIPAA Privacy Rule’s Right of Access and Health Information Technology 
