Ensuring that patients have access to their health information in a usable format empowers them to be better stewards of their healthcare and can enhance the physician-patient relationship.
With some exceptions, the 2003 HIPAA Privacy Rule establishes a legal, enforceable right for patients to review and receive copies upon request of the information in their medical and other health records maintained by their healthcare providers. The government subsequently released additional regulations which expanded and clarified these patient access rights. At the same time, physician practice adoption of health information technology (HIT) has opened new options for patients to access their medical records.
An Oct. 17 MGMA Stat poll, with more than 1,300 responses, asked if patients are asking for electronic access to medical records. About half (49%) of respondents answered no, with 46% responding yes. A further 5% answered unknown. While patients primarily request paper when transferring their medical records, there appears to be movement toward patients wanting their records to be accessible electronically.
Take part in a follow-up survey about patient access to medical records
Patient rights under HIPAA
In general, HIPAA affords patients with a wide-ranging set of rights regarding access to their health information. The patient is permitted to: inspect their medical record; obtain copies of some or all of their medical record; direct the practice to transmit a copy of the medical record to a designated person/entity; and amend their medical record. Facilitating this access is essential if the patient is to have more control over healthcare decisions and, ultimately, better health. Improved access to health information allows patients to better adhere to treatment plans, monitor chronic illnesses and track progress in programs such as wellness and disease management. Providing patients access to their medical information also permits them to identify and correct any errors in the record itself.
The transition to HIT
More and more physician practices have transitioned to HIT, especially EHRs and online patient portals, opening the door to patient access to electronic medical records. This can allow patients real-time access to their information and facilitate the transmission of that information to other appropriate providers or care settings. The Medicare and Medicaid EHR Incentive Program (Meaningful Use), a main driver of physician practice adoption of EHRs and online portals, required that successful participants provide the patient the ability to “view, download, or transmit” their medical record via a portal. EHRs certified to meet the Meaningful Use requirements must offer this functionality.
To further encourage electronic access to medical records, the Office for Civil Rights (OCR), the government agency that oversees and enforces the Privacy regulations, issued clarifying guidance in 2016 outlining the patient’s right to request their record in an electronic format. In its guidance, OCR detailed that patients may ask that their record be supplied to them on a personal storage device, such as a USB drive. However, should they have security concerns, practices can refuse and instead make the record available on a USB drive that they provide, or offer a paper copy if the patient and practice cannot reach an agreement. While patients can request the electronic format (e.g., Microsoft Word or Excel, PDF), the practice is not expected nor required to purchase new software to accommodate requests. If the practice and the patient cannot reach agreement on a specific electronic format the regulations stipulate that the practice must produce a human readable hard copy. In addition, should the patient request an electronic copy of a record that the practice maintains only on paper, the practice is required to provide an electronic copy if the practice can readily scan the paper record into an electronic format.
Sending medical records to patients via email
Patients generally have a right to receive copies of their medical record by email if they request that method. OCR contends that all practices today have the capability to transmit medical record by email and that transmitting medical records in such a manner does not present unacceptable security risks to practices. However, the agency recognizes there may be security risks to the medical record once it has left the practice’s system. Further, patients have a right to receive a copy of their medical record via unencrypted email if the patient requests access in this manner. In such cases, the practice must provide a brief warning to the patient that there is some level of risk that the patient’s medical record could be read or otherwise accessed by a third party while in transit, and confirm that the patient still wants to receive the medical record by unencrypted email. If the patient says yes, the practice must comply with the request.
While practices are responsible for adopting reasonable safeguards in implementing the patient’s request (e.g., correctly entering the email address), they are not responsible for a disclosure of the medical record while in transmission to the patient based on the patient’s access request to receive the medical record in an unsecure manner. Practices are also not responsible for safeguarding the health information once delivered to the patient. Finally, in situations where a practice is unable to email the medical record as requested, such as in the case where diagnostic images are requested and email cannot accommodate the file size, the practice is required offer the patient alternative means of receiving the medical record, such as on portable media that can be mailed to the patient.
It is expected that the number of patients requesting their medical record in an electronic format will continue to climb. With practices moving increasingly to HIT, the electronic exchange of the patient’s record will enable enhanced care coordination and facilitate improved communication between physicians and their patients.
Learn more