Patient Access to Medical Records

Say “YES” to Access and “NO” to Obstacles.

If you are using one of these forms you could be creating a barrier for patients:

  • Authorization to Release
  • Consent to Release of Information
  • HIPAA Release Form

Authorizations (sometimes called a “Consent” or “Release”) are detailed forms, required when protected health information (PHI) is disclosed to a third party, like a lawyer. A patient asking for their own information, however, should not have to jump through hoops. If you charge more than a minimum cost, don’t respond promptly, or send patients to multiple locations, you may be violating HIPAA. If they just want to view the records in an office, or access them electronically, there should be no charge.

It’s not enough to have HIPAA policies in place. You must implement the policies correctly. Last month, the Director of OCR, Roger Severino, said there has been “a significant amount of ignorance and flouting of regulations” related to providing patients with access to their health information. As a result, OCR is pursuing these cases “vigorously this year”. More here.

Individual Right of Access vs. Third Party Authorization

OCR warned in 2016 that requiring someone to execute an authorization in order to exercise the right of access may create an impermissible obstacle. OCR explained the significant differences between a disclosure of PHI to an individual under the right of access, which is required by the Privacy Rule, and a disclosure by valid HIPAA authorization, which is permitted by the Privacy Rule.

Electronic Transmission of PHI

Patients may choose the form and format of information they request. The recent explosion of health care apps has made access to information easier and faster for patients, but it raises questions for covered entities about their liability for non-secure transmission. Last month OCR published five new FAQs on the topic to help guide decisions about sharing PHI with patients through apps while following HIPAA.

Stay tuned for future changes in the electronic exchange of information. HHS is spearheading an effort to streamline sharing health information across networks nationwide through a “Trusted Exchange Framework and Common Agreement” (TEFCA).

Whatever the information sharing framework looks like in the end, basic HIPAA requirements are unlikely to change. Stay on top of HIPAA with the right policies and the right implementation steps. If you have questions about how to comply with HIPAA, we have answers.

The chart below illustrates the differences between “right of access” and “authorization”.

infographic describing differences between

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC, she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up-to-date policies, forms and training on everything related to HIPAA compliance.
