One of the biggest sore spots in HIPAA compliance has been honoring individuals' right to access their medical records. Beyond the countless anecdotal accounts of how painful it is to obtain records, a recent study demonstrated just how far providers have to go to be in compliance. More than half of the medical providers included in the recent medRxiv study did not meet HIPAA's basic requirements for providing medical records. A further 20% of the providers would not release records until the request was escalated to a supervisor. That means more than 70% of the providers studied would not have been in compliance had supervisors not become involved.

HIPAA provides that “an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set.” 45 CFR §164.524

I have written on numerous occasions about patient control of their own records and the reforms needed to support this right. Getting access to medical records doesn't seem to have improved very much. Despite HIPAA's right of access, providers don't seem to take it very seriously.

Part of the problem is a lack of training and awareness of the law among healthcare providers. Presumably, supervisors have a better understanding of, and more experience with, the law's requirements, so they could authorize the release of records that front-line employees did not seem able to. In the study, it took an average of 2 escalation calls to obtain records. One provider required 24 calls before the patient gained access.

Fees in particular are an area where many providers stumble. The medRxiv study's phone survey showed that 24% of providers were either unaware of, or not in compliance with, HIPAA's "reasonable" fee limitations. Despite HHS's attempt to provide clear guidance on allowable fees, another study from late last year found that costs could run to several hundred dollars for a large record, well above the $6.50 flat fee that HHS guidance identifies as an acceptable charge for electronic copies.

Format is another area where providers stumble. Despite the fact that HIPAA requires records to be emailed if the patient so requests, providers in a study from June were only able to produce radiology records on CD. Another study found that only 33% of the hospitals studied listed email as an option on their record release forms (although 47% of those same hospitals said they would provide emailed records when asked over the phone; that discrepancy between the forms and what staff say is also concerning).

The authors of the medRxiv study found that:

Providers and their copy services continue to send paper records, faxes and CDs – even when the patient explicitly requests records be sent electronically to a designee over email or uploaded to a portal. Healthcare providers are also hesitant to send records by standard (unsecure) email, even pursuant to specific patient requests that include acknowledgement and acceptance of security risks.

The medRxiv study concluded:

In conclusion, with more than 50% of providers either out of compliance or at significant risk of noncompliance, the rights of patients to their health records are still being violated by too many health systems. Although many entities, including ONC and OCR, are working to educate patients and providers, additional enforcement of the right of access by OCR is needed.

We engaged in this study not to name and shame but to educate hospitals and other providers on the extent of noncompliance with the HIPAA Right of Access that exists – and the need for all HIPAA covered entities to examine their processes and assure compliance with the HIPAA Right of Access.

Although HHS has released consumer-friendly guidance to help patients understand their rights, providers still are not taking HIPAA's right of access seriously. The only way to make providers learn is for HHS to start bringing high-profile enforcement actions with big fines.

Related Blog Posts

Daniel J. Solove, Patient Access to Medical Records Under HIPAA: Significant Reform Needed

Daniel J. Solove, HIPAA’s Failure to Provide Enough Patient Control Over Medical Records

Daniel J. Solove, The Persistent Problems with Access to Records Under HIPAA

Daniel J. Solove, Yes, HIPAA Requires Medical Records to Be Emailed to Patients if Requested


* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.

Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum and International Privacy + Security Forum, annual events designed for seasoned professionals. 
