    Robert M. Tennant, MA

    There was a time when many believed that patient records, captured and stored by clinicians, were the sole property of a practice. Only reluctantly, and sometimes at great expense to the patient, would the practice relinquish the information. Times, however, have changed and with the move toward a more patient-centric healthcare ecosystem, patient access to his or her medical record is now a right. The question is whether your practice is helping or hindering that access.
    Providing patients with unfettered access to their health information is not just good compliance policy, it is also good business policy. Patients are more aware of their access rights, and streamlining their ability to view, get copies of or send their medical records to third parties could result in happier patients, improved satisfaction scores and additional patient referrals. 

    Patient rights outlined

    The 2003 HIPAA Privacy final rule, 2013 Omnibus final rule and guidance from the Office for Civil Rights issued this year paint a clear picture of the rights patients and the practice have when it comes to requesting and receiving patient records. In general, the law affords patients a wide-ranging set of rights regarding access to their medical records and the ability to do the following:

    • Inspect their health records.
    • Obtain copies of some or all of their records.
    • Direct the practice to transmit a copy of their records to a designated person or entity.

    Patients have a right to access and inspect their medical records for as long as the information is maintained by the practice or by a business associate on behalf of the practice regardless of the date the information was created; how it is stored (on site/off site, paper/electronic, etc.); or where it originated (with the practice, another provider, the patient, etc.). 
    Practices may not charge patients a fee for inspecting their medical records.

    Form and format 

    As the industry continues to embrace technology, practices must provide patients access to their medical records upon request. Patients can request their information in a specific electronic format and a practice must comply if the data is readily producible in that format. While patients do not have an unlimited choice in the form of electronic copy requested, they may request a record in Microsoft Word or Excel, as a PDF or as structured, machine-readable data. Even if the practice only maintains paper records, patients have the right to ask the practice to scan records and make them available electronically. The practice is not, however, required to purchase new software or other equipment to accommodate every patient format request. 

    Patients can also ask the practice to save their medical records on a medium of their choosing. For example, a patient might ask you to save the record on a personal storage device, such as a USB drive, but you do not have to agree to use this if you believe the USB drive poses a security risk. 
    In this scenario, we recommend that you provide a clean, safe USB drive to comply with the request. If, however, the medical record is not readily producible in electronic form or a patient refuses the electronic format(s) offered, the law requires you provide a “human readable” hard copy of the information. In other words, you cannot just send medical jargon that cannot be deciphered by a patient.

    It is important to note that while patients have the right to receive copies of their medical records, they do not have a right to keep the original records. Learn more about a patient's rights to access their medical records here.

    Email

    Practices are also required to email health records to patients when requested. In limited situations when a practice is unable to email some or all of the information requested, due to large diagnostic image files or other issues, practices must offer alternative means for patients to receive the information, such as portable media that can be mailed. 

    Patients also have a right to receive records through unencrypted email if they request them. In these cases, a practice must provide a warning that information could be read or otherwise accessed by a third party while in transit, and confirm that a patient still wants to receive records this way. We recommend that you ask patients to sign an acknowledgment of this risk. 

    What if the practice maintains a paper record?
    If patients request electronic copies of medical records that are only maintained on paper, a practice must provide an electronic copy if it can be produced. However, the practice is not required to purchase a scanner if it doesn’t have one. 
    Requested formats can be an issue. For example, if a patient requests medical records in a Microsoft Word version and your practice maintains paper medical records, you might be able to scan documents and create a PDF but not a Microsoft Word version. In this case, the practice can offer the patient a PDF version of the record or provide a paper version if the patient does not want the PDF. 

    Patient-requested amendments 

    Practices must act on a patient’s request to amend his or her medical record within 60 days of a request. A one-time extension of up to 30 days is available to practices if they send the patient a written statement with the reason for the delay and the date by which the amendment will be processed.

    Practices can require patients to request amendments in writing and provide a reason to support the amendment as long as they inform individuals in advance of such requirements. Practices must also document the titles of people or offices responsible for receiving and processing individual requests for record amendments.

    If a patient’s request for amendment is granted, the practice must make efforts to provide it “within a reasonable time frame” to all providers and others who have the medical record that is subject to an amendment and might rely on the information to the potential detriment of the patient’s health.

    Practices may deny patient access without providing an opportunity to review a designated record set in a number of circumstances including when:

    • The information is contained in psychotherapy notes
    • The information has been compiled in reasonable anticipation of use in a civil, criminal or administrative action or proceeding
    • The information was obtained from someone other than a healthcare provider under a promise of confidentiality and access would likely reveal the source of the information
    • A licensed healthcare provider has determined that access is likely to endanger the life or physical safety of the patient or another person
    • The information requested to be amended was not created by the practice (unless the originator is no longer available to act on the request)

    The practice may prepare a written rebuttal to a patient’s statement of disagreement. Whenever such a rebuttal is prepared, the practice must provide a copy to the patient who submitted the statement of disagreement. If the practice denies the requested amendment it must provide the patient with a timely, written denial.

    We recommend that practices develop an internal process to handle a patient's request to amend his or her record that includes a review of the requested language by a clinical staff member.

    Third parties

    Patients have the right to have their medical records transmitted directly to other people or entities they designate, such as family members, caregivers or other providers. A patient must submit a signed request that clearly identifies the designated person or entity and where to send information. Practices are then required to take action within 30 days. 

    To protect information, practices must implement “reasonable safeguards” to carry out requests, such as verifying the identity of a patient who requests access and entering the correct information into the practice system prior to transport. 

    The same requirements for providing a medical record to a patient, such as timeline requirements, fee limitations, prohibition on imposing unreasonable measures, and form and format requirements also apply when patients ask for records to be sent to third parties. Timing and fee limitations do not apply to third parties (e.g., lawyers) that request medical records from practices.

    Charging patients for copies

    Practices are permitted to impose a “reasonable, cost-based fee” for the medical record that can include:

    • Labor for copying information, whether in paper or electronic form (e.g., labor to scan records, prepare an email, transfer information from one format to another and other activities).
    • Labor to prepare an explanation or summary of the information. The patient must choose to receive an explanation (or summary) and agree to the fee that might be charged by the practice in advance.
    • Supplies for creating the paper copy (paper, toner) or electronic media (CD, USB drive) if a patient requests an electronic copy on portable media.
    • Postage, when a patient requests the practice mail a copy or the explanation (or summary).

    Practices must inform the patient in advance of the approximate fee for the copy and cannot charge for labor associated with reviewing requests for access or searching for and retrieving information.




    The Department of Health & Human Services Office for Civil Rights has issued guidance stating that, for any request for PHI from an individual, a practice (or a business associate operating on its behalf) may calculate the allowable fees for providing individuals with copies of their PHI:

    1. By calculating actual allowable costs to fulfill each request
    2. By using a schedule of costs based on average allowable labor costs to fulfill standard requests


    In the case of requests for an electronic copy of PHI maintained electronically, practices may charge a flat fee that cannot exceed $6.50 (inclusive of all labor, supplies and postage). Therefore, practices that do not want to go through the process of calculating actual or average allowable costs for requests for electronic copies of PHI maintained electronically can charge a flat fee that does not exceed $6.50 per request.

    Practices can calculate [and charge] actual costs for requests that do not fall into a practice’s customary cost structure. However, you must—as in other cases—inform the individual of the approximate fee for providing the copy requested in advance.
    Practices may not: 

    • Withhold a patient’s medical record (even if the patient has an outstanding account balance) 
    • Withhold the medical record and apply the fee charged to the outstanding account balance 
    • Charge a patient who takes notes or pictures to capture information during an inspection of his or her health record

    Intersection of HIPAA and state laws

    Practices must comply with any additional requirements under state law or regulation if these are more stringent than those outlined under federal standards. For example, practices must comply with state law if it requires practices to provide patients with one free copy of their medical records. HIPAA does not override state laws that provide individuals with greater rights of access to their information.
    Search and retrieval costs or other costs not permitted by the privacy rule may not be charged to patients even if authorized by state law. Example: If state law limits costs to 25 cents a page and the actual cost is 4 cents per page, the practice is only allowed to charge 4 cents. Similarly, if the cost is 30 cents per page and state law allows for 25 cents, the practice may charge no more than 25 cents. 

    Important considerations

    While the privacy rule does permit practices to charge patients a cost-based fee for copies of medical records, practices should consider a policy of providing a no-cost option for the first request. This can lead to higher patient satisfaction levels and improve the patient-clinician relationship.

    If costs are passed on to patients, practices might want to ask which aspects of the record patients want. They might only be interested in accessing the records for a certain period or for specific test results. Limiting the scope of the request could reduce the time needed to compile information and might reduce patient costs.

    Adapting staff perceptions and organizational workflow can help you meet federal requirements, improve patient relationships, generate higher patient satisfaction rates and, most critically, help deliver better healthcare.




