In a study conducted by Ciitizen Corp (www.ciitizen.com), a consumer health technology company that helps patients collect and share medical records, researchers reached out directly to health care providers requesting records for patients and surveyed more than 3000 institutions to find out if they complied with HIPAA’s right to access provision. The study found that most failed, which was not a surprise to Allen Killworth, a partner at Bricker & Eckler LLP, based in Columbus, Ohio.
“I believe this is an issue where
there’s more than the usual lack of compliance,” Killworth said. “It’s not
quite as easy as you think it is. Even with this straightforward rule, there
are a lot of regulatory and legal exceptions and processes they [providers] have
to follow to make sure they are doing it correctly.”
The Department of Health and Human Services (HHS) found this out during their audits, after which they released 36 pages of guidance meant to clarify the patient right-of-access rule. Issues tended to center on the format by which records can be sent, fees, and the kind of authorization needed.
Because of these findings, the Office
for Civil Rights (OCR), which enforces HIPAA regulations, created a Right of
Access Initiative earlier this year. In early September, OCR had its first
settlement stemming from these efforts. Bayfront Health St. Petersburg had to
pay an $85,000 fine after it took more than 9 months to send records to a
patient who requested them. They were sent after OCR received a complaint from
the woman and opened an investigation into the matter.
While providers do need to protect patient information, they must remember that the
information belongs to the patient. “We continuously remind [doctors], ‘It may
be your chart, but it is patients’ information,’” said Karen Beard, senior
associate with Medical Management Associates, Inc., in Vinings, Georgia. “It is
what they have chosen to give you to get care from you, and it is their information.”
Helping patients get access
Ciitizen realized there was
“widespread noncompliance” with HIPAA’s right of access when the organization
began working to help cancer patients obtain records for second opinions, clinical
trials, and donating data for research. They undertook this study to determine the
extent of the issue.
During the spring and summer of
2019, Ciitizen submitted written medical record requests to 51 health care
providers. To cover HIPAA requirements, the patients signed the forms and
included an image of their driver’s license as proof of identity. They
submitted the documents by email or fax, indicated the records were for
continuity of care, and listed whether the patient was releasing sensitive
health information (like HIV status). Patients requested the information be
sent to Ciitizen by email and acknowledged and accepted security risks of email
transmission. They also requested an estimate of fees associated with the
Ciitizen analyzed providers’
responses according to major HIPAA regulations, examining whether the providers
accepted the request by email or fax, sent records in the patients’ requested
format, responded to patients’ request in a timely manner, and the fees were
The study found that 18% of the
organizations allowed patients to use their own request form, provided records in
5 days, and did not charge fees. Another 12% honored the request without
escalation to a supervisor. All the others either involved at least 1 call to a
supervisor to get the records or would not provide them. According to the
survey, 56% of providers were out of compliance with HIPAA.
Not sending records
electronically was among the major issues. Beard
said there are not a lot of reasons providers cannot provide records by email. She
said she believes the main issue is physician concern about sending documents
to unsecured emails. There is no problem, she said, as long as patients know
providers are only controlling their end of the transmission. “The provider can
document that and then send it to them.”
Fees were another major issue,
and Killworth understands confusion here. In essence, HIPAA allows providers to
charge only cost-based fees, including labor to copy or find the records and
associated supplies. HIPAA allows organizations to calculate the actual fee, establish
a fee schedule based on the size of the records requested, or charge a flat
rate of $6.50 for digital copies of electronic medical records (which cannot include
Beard said health care groups
need to be prepared to outline their fees if they do not use a flat rate. They cannot
charge for pulling from off-site storage, but they can charge for copying paper
records. They can also include costs of a disc drive or fees for sending a
record via the mail.
The issue of fees is further
complicated by state laws governing medical record production. However,
providers should know that if state laws result in higher fees, HIPAA
supersedes. “That is consistent with all of HIPAA rules,” Killworth said. “If
HIPAA provides the most security, it trumps the state.”
Killworth noted that when a
records request is initiated by a patient, and not a third party, an
authorization form is not required.
HIPAA requires providers to send the
requested information to a patient within 30 days. If records are off site or
will take more time for another reason, the provider must let the patient know
within 30 days what the issue is and then get the information to them within
another 30 days.
In addition, Beard noted that
providers cannot withhold records from patients who have a balance on their
account. “They have to be careful about putting undue barriers on people asking
to get their information,” she said.
Beard encourages practices to fully train whoever is dealing with records requests to be able to authenticate identity (one good test is the last 4 digits of the patient's Social Security Number and date of birth). Then, staff should glance through the information to make sure nothing requires additional authorization. If a patient is unhappy with how a request is handled, staff should document the process in case of a later inquiry.