By Christine Queally Foisey, President & CEO, MedSafe
Most medical practices, healthcare organizations, and clinicians are very familiar with HIPAA rules and regulations. However, the law can be extremely complicated and is often a source of confusion and misinterpretation. According to the Office for Civil Rights (OCR), one of the most common complaints and frequently misunderstood parts of the law involves a patient’s right to access their personal medical records. Due to the recent increase in patient complaints on this subject, the OCR has published new guidance regarding the right of access. Below are a few of the highlights.
The HIPAA Privacy Rule requires all covered entities to provide individuals with access to their personal health information in “designated record sets” upon request. A designated record set is a group of records maintained by or for a covered entity, including medical and billing records; enrollment, payment, claims, or medical management record systems; and other records used by a covered entity to make decisions about an individual’s health.
The right of access does not cover PHI (protected health information) that is neither part of the designated record set nor used to make decisions about an individual's health, psychotherapy notes, or information compiled for a legal suit. The following are answers to some common questions on this topic.
- Does the HIPAA rule apply to electronic medical records? Yes. Patients have the right to access both paper and electronic medical records.
- Can a patient request that another individual be given access to their information? Yes. A patient should sign a request that specifies the recipient, which records to send, and where to send them.
- Can a covered entity charge the patient a fee for copies of their medical records? Yes. HIPAA allows a “reasonable fee.” The covered entity can charge a minimal fee for supplies and labor. It is important to note that state law may limit the ability to charge for records.
- In what form or format must the medical records be provided? A covered entity must provide the patient with their medical records in the form and format requested, or if not available, in a readable format as agreed to by the covered entity and individual.
- What is the timeframe in which a covered entity must provide a patient their requested records? A covered entity has 30 days from the date of request to produce the records. One 30-day extension is permissible with written notice to the patient stating the reason for the delay and the expected date of completion.
- How quickly must an entity make corrections to inaccurate medical records? When patients access a medical record and discover information they believe is inaccurate, they must file a written request for the record to be corrected. The covered entity must then respond to the request within 60 days. The covered entity may take an additional 30 days but must provide a written explanation for the delay and a date of completion.
- What should patients do if they have difficulty obtaining a copy of their medical records? It may be appropriate to contact the healthcare provider’s designated privacy HIPAA compliance officer. This action will document the complaint, and show that the patient has made an effort to resolve the problem. If the provider ignores the complaint, the individual may want to proceed with an HHS complaint.
Providing patients with access to their medical health information empowers individuals to take control of health decisions and enables them to effectively monitor chronic conditions, adhere to treatment plans, and track their progress. Additional benefits include increased patient engagement, improved outcomes, and a more patient-centered health care system. For further information regarding the HIPAA Privacy Rule, visit www.hhs.gov.