Patient Access to Medical Records Under HIPAA: Significant Reform Needed

Daniel Solove
Founder of TeachPrivacy


by Daniel J. Solove

Recently, I wrote about the challenges in accessing health information about family members.  In this post, I will explore patients’ access to their own medical records.

HIPAA doesn’t handle patient access to medical records very well. There are many misunderstandings about patient access under HIPAA that make it quite difficult for patients to obtain their medical information quickly and conveniently.

Getting records is currently like a scavenger hunt. Patients have to call and call again, wait seemingly forever to get records, and receive them via ancient means like mail and fax. I often scratch my head at why fax is still used today — it’s one step more advanced than carrier pigeon.


Many covered entities do not send records by email, and getting electronic copies can be quite difficult. Many healthcare providers still maintain paper records in handwriting, and healthcare lags far behind most other industries in the extent to which it has moved to digital records.


If a person has a rare or complicated condition, or a number of interrelated conditions, requiring seeing many different doctors at different facilities, then collecting all the records will be a nightmare.


What HIPAA Says

HIPAA, at 45 CFR §164.524, provides that “an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set.”

A “designated record set” is broadly defined as a group of records maintained by or for a covered entity that involves medical records, billing records, or various health plan records – or any record “used, in whole or in part, by or for the covered entity to make decisions about individuals.” A “record” means “any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.” 45 C.F.R. § 164.501.

Requests for access don’t have to be in writing, but HIPAA states that covered entities are permitted to have a requirement that access requests be in writing.

As to the form and format of the records, HIPAA states that covered entities “must provide the individual with access to the protected health information in the form and format requested by the individual, if it is readily producible in such form and format.”

HIPAA also states that if the information is maintained electronically and the individual asks for an electronic copy, then “the covered entity must provide the individual with access to the protected health information in the electronic form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual.”

The information must be provided within 30 days of receiving the patient’s request. But covered entities can obtain a 30-day extension if they provide written notice to the requester.

Problems Remain

HIPAA’s rules for access are fairly flexible. Yet there remain extensive problems with access. According to HHS, the five most investigated compliance issues are:

  1. Impermissible uses and disclosures of protected health information;
  2. Lack of safeguards of protected health information;
  3. Lack of patient access to their protected health information;
  4. Lack of administrative safeguards of electronic protected health information; and
  5. Use or disclosure of more than the minimum necessary protected health information.

Why is access such a problem?

One possible reason is that some doctors still aren’t keen on sharing records and don’t want to make it easy for patients to obtain them. As HIPAA was being formulated in the 1990s, some doctors were outraged at HIPAA’s allowing patients to see their notes. In a piece I wrote a few years ago, I relayed an example I learned when speaking with Jodi Daniel at HHS:

When Daniel spoke about patient rights to access health data under HIPAA at a physician conference, the audience did more than “boo.”

“Some physicians actually started yelling at me ‘But these are my notes!’” Daniel says. “I realized that we were making some very big changes. We were changing the expectations of both patients and healthcare providers.”

The article in which I wrote about this story is HIPAA Turns 10: Analyzing the Past, Present, and Future Impact, 84 Journal of AHIMA 22 (April 2013).

Today, attitudes have improved, and physicians aren’t stonewalling. But HIPAA doesn’t push them to go out of their way to make records easier for patients to obtain or to encourage patients to obtain their records.


Another problem is confusion. Healthcare providers might not fully understand the rules. Part of this problem could be addressed through better HIPAA training.

The main problem, though, is that accessible health information isn’t a sufficient priority. Our health information is still captured and stored in clunky ways that make it not only hard for a patient to access the information but also a costly pain to transfer the information to other providers, to aggregate it, and to use it to improve patient health.

Reforming Patient Access to Health Information

Patient access to medical records should be more than merely tolerated and dealt with – it should be actively encouraged and facilitated. The current state of affairs is that many patients don’t access their records.

As Dr. Pauline Chen has noted in the New York Times:

In fact, few patients have ever consulted their own records. Most do not fully grasp the extent of their legal rights; and the few who have attempted to exercise them have often found themselves mired in a parallel universe filled with administrative regulations, small-print permission forms, added costs and repeated delays.

Many physicians also remained hesitant to share their notes, part of the patient’s records, because of concerns that such openness might have harmful effects on both their patients’ well-being and their own practices. Some worried that mention of minor abnormalities in laboratory values — for example, a slightly elevated prostate specific antigen or white blood cell count — could cause patients to worry unduly about some dread disease.

According to a study in the Annals of Internal Medicine, several medical centers allowed patients to have complete access to the notes that doctors wrote about them.

Within days of seeing their doctors, patients received an e-mail inviting them to read the doctor’s signed note on a secure patient Web site. Two weeks before their return visit, patients received a second e-mail inviting them again to review their doctor’s note from the previous encounter.

After a year, almost all the patients were enthusiastic about the OpenNotes initiative.

Surprisingly, so were the majority of doctors.

Approximately three-quarters of all the doctors said that such transparency had none of the dreaded impacts on their practice. Many felt there was more trust, better communication, more shared decision-making and increased patient satisfaction.

None of the doctors chose to stop sharing the notes with their patients after the study had concluded. The patients benefited greatly from the increased access:

While many said they felt more in control of their own care, up to almost 80 percent of the patients said that reading their doctors’ notes helped them to take their medications more regularly and better follow their doctors’ treatment recommendations. Furthermore, having access to their doctors’ notes became so important that nearly all of the patients said any future decisions regarding doctors or hospitals would be predicated on being able to access their records easily.

We’re well into the 21st Century now, and access to our health data should be much easier. HIPAA should do more than provide a right to access. It should encourage access and improve the ease of access. Perhaps the default should be that patients are provided with their medical records and will not receive them only if they request not to. The information should be much easier to compile and consolidate if a patient wants it.

Useful Resources

HIPAA Privacy Rule, 45 CFR § 164.524: Access of Individuals to Protected Health Information
Daniel J. Solove, HIPAA’s Friends and Family Network: Access to Health Information
Daniel J. Solove, HIPAA Training FAQ
Daniel J. Solove, HIPAA Turns 10: Analyzing the Past, Present, and Future Impact

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics.  

Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum (Oct. 21-23 in Washington, DC), an event that aims to bridge the silos between privacy and security.

If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* LinkedIn Influencer blog
* Twitter
* Newsletter
