A key part of the HIPAA Privacy Rule is allowing patients to access their own medical records when and how they request it. This is known as “right of access.” As HHS explains, “Providing individuals with easy access to their health information empowers them to be more in control of decisions regarding their health and well-being.”
You may have seen controversies about providers failing to provide patients their records. Ciitizen highlighted this issue with its Patient Record Scorecard, an evaluation of dozens of providers’ compliance (or noncompliance) with HIPAA Right of Access. Ciitizen’s findings reveal how difficult it is, in most cases, for patients to get access to their medical records.
Don’t be that organization. Make sure you understand your patients’ rights and are prepared to comply with HIPAA Right of Access. Let’s look at an overview of your main responsibilities when you encounter a right of access request.
What rights do patients have to access their PHI?
In most circumstances, your patients have the right to inspect or get a copy of their own protected health information (PHI). Patients may request medical, billing, or their other personal information that your organization maintains. Your organization is allowed to require patients to make their requests in writing, but you have to make sure patients are aware of this requirement.
Patients can also ask that you send a copy of their records to another person or organization, such as a school or another healthcare provider. These types of requests must be in writing, clearly identify the person and place to send the records, and signed by the patient.
If you don’t have the records but know who does, you must tell the patient where they should send their request for access.
What timeframe do I have to provide the records in?
When a patient requests to inspect or obtain a copy of their PHI, you must comply in a timely manner. First, inform the patient you accepted the request and then provide the access no later than 30 days after receiving the request. Within this timeframe, you must arrange the time and location for the patient to access their records, discuss the scope or format of the records, or mail hard copies.
If your organization can’t meet this timeframe, you may extend the time by no more than 30 days. In this case, make sure you send a written statement to the patient explaining the reasons for the delay and the new date you will complete the request.
What format should I provide the records in?
Your patients have the right to get their records delivered to them in any format that they want, as long as it’s possible for your organization to readily produce that format. Formats may include hard copies, electronic files, a CD, or a flash drive.
If the patient agrees, you may instead provide a summary or explanation of the PHI they are asking for.
How much should I charge for access to records?
Your organization may require patients to pay a reasonable, cost-based fee in order to access their records. The fee should only cover labor, supplies, postage, and/or preparation of an explanation or summary.
There are three ways of calculating costs:
- Actual labor costs for each specific request
- A schedule of the average labor costs to fulfill various types of requests
- A flat rate of no more than $6.50
No matter which fee structure you use, you must let the patient know the approximate fee in advance.
When can I deny a patient right of access?
If any of the following circumstances apply, you may deny a person access to their records without giving them the opportunity to review the denial:
- The requested PHI are the patient’s psychotherapy notes or information that will be used in a court case.
- The requestor is an inmate and providing the records might jeopardize the inmate or others.
- The requested PHI is from your organization’s research activities (only if the patient consented to the research and understands their right of access is suspended).
- The requested PHI is subject to the Privacy Act.
- The requested PHI comes from someone other than a healthcare provider under the promise of confidentiality.
In the following circumstances, you may deny a person’s access request, but they then have the right to have the denial reviewed:
- A licensed healthcare professional has determined that access to the record would likely endanger the patient or someone else.
- The requested record references another person, and a licensed healthcare professional has determined that access is likely to cause harm to that person.
- The requestor is a patient’s personal representative, and a healthcare professional has determined that providing access is likely to cause harm to the patient.
In these three cases, the person making the request can have a licensed healthcare professional review the denial. This person must be designated by your organization as a reviewing official. You must comply with the reviewing official’s decision and provide prompt written notice to the patient about the outcome of the review.
If you deny an access request for any reason, you must inform the patient with a timely written denial. This statement must explain the basis for the denial, the patient’s right to review the denial (if applicable), and how they can complain to your organization. Keep documentation of the records involved and the individual or office who processed the request.
The ability to access one’s medical records is a vital patient right. The time it takes a patient to access their records can make the difference between getting the care they need and not getting care. Therefore, your organization is responsible for complying with HIPAA Right of Access. You must always be prepared to provide patients with their records in a timely manner.