With advancements in technology, individuals can now be more involved in their healthcare than ever before. Whether it is pulling results, requesting appointments, or transferring records, the way healthcare data is stored and shared has changed. This practice, often referred to as a right of access, allows for on-demand, and real-time access to personal health information (PHI) on the part of a patient, once requested and received.
The Health Insurance Portability and Accountability Act (HIPAA) has evolved to acknowledge new technologies and a patient's desire to manage their own PHI. So, what do patients' rights under HIPAA look like in this case? As is explained by the Department of Health and Human Services, "The Privacy Rule generally requires HIPAA covered entities (health plans and most health care providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more 'designated record sets' maintained by or for the covered entity." In this case, under HIPAA, patients have the right to medical record access which can include viewing, obtaining, or both.
Despite the added flexibility of right of access, it must still follow HIPAA guidelines, and failure to comply can be costly. Let us learn more about the proper procedures for patients and providers to follow when undertaking this venture.
What Information is Excluded from Right of Access Retrieval?
Patient control is improved under the right of access protocol. However, information that has little to do with decision-making regarding a patient's specific healthcare situation is usually off-limits.
Examples of information that is not accessible under the right of access protocol may include, but is not limited to:
- Business planning or development records. This category would also include any other general business decisions
- Patient safety activity records
- Quality assessment documents
In addition to indirect information, there are two other categories of direct-related data points that do not apply to the access retrieval process:
- Notes by a psychotherapist: These notes often include documentation of conversations between patient and provider. They are stored separately from other PHI
- Legal matters: Information cannot be provided when it is to be used in upcoming legal proceedings
If a patient believes they have followed all steps to obtain access to their PHI, but are still being denied, they may file a complaint with the U.S. Department of Health and Human Services.
Under What Circumstances Can a Doctor Refuse to Release Medical Records?
Under HIPAA right of access, healthcare providers must legally provide a patient with PHI within 30 days of the request (delays up to 60 days are permitted). However, we know that from reading this far, certain scenarios do not allow for a right of access to occur. So, it begs the question, can a doctor refuse to release medical records? The answer to this question is that "it depends." A healthcare provider can refuse to provide a patient access to medical records for several reasons, including:
- Availability: Information may not be available
- Process: Ask your doctor about their specific retrieval process. Simply calling and asking for your records might not be suitable
- Payment: You may need to make a payment before accessing your records
- Discretion: If a healthcare provider determines that the patient may endanger themselves or others based on information within a healthcare record, they may withhold rights to release the PHI. They may also refuse to provide access to PHI if there is someone else deemed the primary caregiver
Patient Rights to Medical Records
Who Can Request Medical Records?
In most cases, two parties can request PHI records. One is the patient or caregiver, and the other is a healthcare provider. In the case of the latter, let us think about healthcare specialists. They often request PHI from a principal provider to get a better scope of a patient's condition and next steps. In the case of caregivers, they can be parents, patient advocates, or other legal guardians. These individuals are usually required to prove that a patient has permitted them to request PHI on their behalf.
Each healthcare provider is likely to have a different process for requesting PHI. The difference can vary depending on whether it is a patient or a provider making the request.
Giva is not in a position to provide legal advice on obtaining PHI in any scenario. When looking for information on laws regarding medical records, it is best to inform yourself on the parameters by visiting or contacting the US Department of Health and Human Services.
Benefits of Keeping Records of Your PHI
What motivates an individual to want to obtain their medical records? There are many reasons, and we likely could not name them all here. However, keeping records of your PHI can hold a useful purpose - let us list some key benefits:
- Patients can review their records to ensure there are no errors. Doctors are highly-skilled and knowledgeable individuals, however, they are human and can still make mistakes
- Reviewing data on your PHI can allow you to ask critical questions. Do you need to be undergoing certain tests? Do you really need to be on specific medication?
- Provides you a comprehensive list of your immunizations
- Match your billing to your appointments
Case Study: Denver Retina Center
Right of access is seen as a serious component to provider-patient transparency. Providers must ensure they are up to speed on the rules surrounding HIPAA release of information, as a failure to comply can be costly. Still not convinced? Let us take a look at a recent situation involving the Denver Retina Center.
The Denver Retina Center provides patients with care as it relates to diseases and disorders of the eye. A patient alleges that she requested her PHI from the provider in December of 2018, only to receive it more than a year later in July of 2019. The Office for Civil Rights (OCR) opened an investigation into the case after receiving a complaint from the patient. They found that the delay was part of a larger issue that involved non-compliant access policies and procedures as it relates to the HIPAA Privacy Rule (45 C.F.R. § 164.530(i). These issues resulted in a fine of $30,000, compliance monitoring and a 12-month corrective action plan.
As was displayed in this case, non-compliance, even involving a delay in sending records, can result in hefty fines, corrective action and regular monitoring of a provider in question.
Learn more about the OCR's findings in this case.
The Bottom Line: Develop and Follow Process
Right of access has significantly improved a patient's involvement in their healthcare journey, allowing them to request and store their PHI on demand.
Healthcare providers should familiarize themselves with the right of access protocol to avoid hefty penalties administered by the OCR. Determining what type of PHI can be shared and the timeframe they have to do so is critically important. As was seen in the case study above, even a slight delay can be costly. Financial penalties, corrective action, and regular monitoring are the most common penalties - all of which can create discomfort for a healthcare provider trying to run their practice. Developing a plan for the right of access protocol is key to remaining compliant.