September 18, 2020
When it comes to medical records requests, you just hand over patient files – right? Wrong! The HIPAA Privacy Rule unequivocally provides individuals with the right to see and receive copies of their medical records upon request – but has some requirements when it comes to the who, what, and how of handing those records off. Appropriate patient access can be a fine line, and if you stray too far to either side you may end up in the next historic Office for Civil Rights (OCR) announcement of multiple access-related fines. Here’s the 411 on patient record access:
Access is just for the patient, right?
We hope it’s obvious that patients should be able to access their own records (who doesn’t want a hard copy of their dry eye disease diagnosis), but it’s not just patients that have the right to request records. In fact, the OCR levied two fines just this week for not providing access to an authorized personal representative of a patient.
A ‘personal representative’ is someone with the authority under state law to make health care decisions for another individual. This may be the case if:
- The patient is a minor and the individual requesting access is a parent or legal guardian.
- The patient is deceased and the individual has legal authority to act on behalf of the decedent.
- The patient is an adult or emancipated minor but who has someone designated to make health care decisions for them (such as if they are incapacitated, end of life care, etc.).
How must access be requested?
Making things easy (cough cough), HIPAA law does not specify any required method of requesting access. Patients may ask verbally, in writing, or by secure email or patient portal – really, whatever method suits the patient. Your practice CAN specify the way you want patients to request access, they just have to be informed first about this requirement (possibly as part of your onboarding forms). We do recommend making access requests written, just to document the date of the request.
Do I need to verify the requester is authorized?
Once you have a patient or their personal representative requesting access, you can just hand over the records, right? Not so fast. The HIPAA Privacy Rule requires practices to take reasonable steps to verify the individual making a request for access is who they say they are. While there’s no specific form of verification required, such as a copy of their driver’s license, it’s extremely important for your practice to use professional judgment when determining that a request is ‘legit’. Verification must also be done without adding unnecessary delays in fulfilling the request.
What form must records be provided in?
We’re long past the days of keeping everything on paper, and most practice’s manage their health records electronically. However, the Privacy Rule requires a practice to provide access to protected health information (PHI) in the format that it was requested in – either a paper or electronic copy. If the records are not readily producible in the requested format, you’ll need to agree on an alternative format instead.
How quickly do records need to be provided?
The phrase “ASAP” is nice and all until it comes to meeting specific HIPAA deadlines. When a request is made, the practice must provide access as soon as possible and at minimum within 30 calendar days (the federal law) or less depending on your specific state laws. If unable to provide access within 30 days, the practice can inform the individual of the reasons for the delay and can have no more than one 30 day extension period.
Timeliness is key when it comes to patient access. One practice in particular didn’t provide patient records until 9 months after the initial request was made. The patient filed a complaint to the OCR that resulted in an $85,000 fine along with a corrective action plan. If you thought 9 months was bad, just this week the OCR announced another fine for failing to provide medical records for almost 3 years.
Can I charge patients for copies of their records?
Depending on the format requested or the time needed to collect records, there might be some costs involved. Thankfully HIPAA accounts for this, and lets your practice impose a reasonable, cost-based fee for requests. This fee can include:
- Labor for copying the requested PHI whether in a paper or electronic format.
- Supplies for creating the paper copy or electronic media.
- Postage when the patient requests the information to be sent through the mail.
There’s a lot more that goes into requesting records than simply handing them over. If you’re confused about all this – and we get it, we were too – having a HIPAA expert on deck to help sort out specific scenarios quickly can help your practice stay on top of requirements without unintentionally violating HIPAA. Don’t have an expert to help? Work with an outside HIPAA compliance provider (just picture us saying “pick me!”) who can help you manage the intricacies of access laws before winding up on the next OCR HIPAA settlement announcement.