Marie learned she had thyroid cancer the week before Christmas. She lived in Maine and had seen her doctor in Portland. Thyroid cancer was one of the less scary kinds but the doctor explained it appeared to be in her lungs. The cancer had been quiet and stealthy, but fast, so things were moving quickly and Marie needed more information. She and her family decided to find an oncologist in Boston where more thyroid cancers were treated. She started calling her own doctor to get her records. It didn’t go well.
If you have ever been a patient and tried to obtain your own medical records, chances are you were frustrated. More than 50% of health care providers are out of compliance with the HIPAA right of access according to a recent study. Not a surprise to many of us, but the details revealed in this study provide a blueprint for fixing the problem.
If you are a covered entity (health care provider, health plan or health care clearinghouse) you may not understand the requirements, or have the right forms. Have you been trained? Is it a priority? Does red tape get in the way?
The HIPAA right of access has been required by the Privacy Rule since the beginning when HIPAA was first enacted in 1996. It was reinforced in the HITECH Act in 2009, when Congress clarified that individuals have the right to digital copies of their records and may have them sent to a designated third party.
In spite of this history, the inability to obtain access has long been a complaint to the HHS Office for Civil Rights (OCR). In 2016 it was at the top of all complaints, surpassing inappropriate uses and disclosures for the first time, according to HHS.
What Does Right of Access Look Like?
It’s simple. Individuals should be able to view or obtain a copy of their medical information contained in a “designated record set.” That means a broad range of information used to make decisions about the individual, including medical, billing and payment records; insurance information; clinical laboratory test results; medical images, such as X-rays; wellness and disease management program files; and clinical case notes.
There are a few limited exceptions to the right of access. Examples include psychotherapy notes, records that are part of a research study still in progress, or information compiled for a legal proceeding.
Patients are entitled to their records no matter where they’re located. If the records are held by a business associate, the business associate agreement usually says whether the business associate may provide them directly to the patient, or should provide them to the covered entity to send to the patient.
It should be fast, easy and convenient. Individuals may request the information from their health care provider or health plan, which must provide it in the format requested – paper or electronic and delivered by mail or email. They may direct that the information go to a designated third party – a family member, or a personal health record service or mobile health application.
The provider or health plan should deliver promptly, and in no more than 30 days. When longer time is needed, they should inform the individual of the reason, but take no longer than an additional 30 days. Any fee for providing records should be reasonable and cost-based, e.g., minimal.
Right of Access Empowers Patients and Improves Outcomes
Gone are the days of paternalistic care, when doctors advised from behind a curtain and medicine was a mystery, better not to ask questions. Today we know that when patients have information about their condition and treatment they can participate in their wellness, obtain second opinions and contribute to research.
Knowledgeable patients are better able to stick to their treatment plans, coordinate with caregivers, and find and fix errors in their health records. They know when to seek care, and what to do to improve their care. They can monitor costs and help keep them down.
How is Right of Access Blocked?
We recently wrote about patient access to records and the confusion between “authorization” and “right of access.” In 2016, the OCR warned that requiring an individual to sign an authorization in order to obtain their records may create an impermissible obstacle and violate HIPAA.
This has been a common problem, but the new study has lots more information about what goes wrong.
The study evaluated two types of information: real requests to 51 providers from 30 cancer patients, and a phone survey of more than 3000 health care institutions. Based on the scores of each category, more than 50% were found to be out of compliance.
The most common problem was that providers did not send health records by email when patients requested it. Responses to the phone survey showed that 24% are potentially noncompliant with HIPAA’s fee limitations. For the actual record requests from cancer patients, 71% of the providers complied only after supervisors and privacy officials were educated on HIPAA requirements.
Other obstacles included delay, re-routing requests to other departments, like Radiology, and refusing to send the records directly to the patient, but sending them instead to another provider.
If patients need to educate the staff they’re speaking with, something is gravely wrong. The provider may not have a right of access policy, or the person responding to the request didn’t know about the rule, or was so focused on maintaining privacy that they forgot about the right of access. Health care staff need regular training on HIPAA, with someone to ask – the Privacy Officer – to find answers to questions promptly.
Improving the Right of Access
Although recent improvements in electronic health record (EHR) technology should help, the benefit to patients is probably years away according to the authors of the study.
The pathway to better access today is knowledge, for both patients and health care staff. When patients know their rights, they can advocate for themselves and apply pressure. Efforts like those of Ciitizen Corporation, an organization dedicated to helping patients obtain and organize their health records, can help. But the burden should not be on the patient.
Health care organizations need to review and update their HIPAA policies around right of access. Their staff need to be educated about HIPAA requirements. They should be trained when they come on board, and receive training at least annually.
HIPAA enforcement should encourage patient access
OCR reacts when complaints pour in, so expect more investigations if patients are frustrated when they run into obstacles. More enforcement is also coming from lawsuits. Although patients don’t have a right to sue under HIPAA, smart lawyers are using HIPAA rules as a standard of care, and the courts are agreeing.
There is no reason to continue blocking patient access. Health plans and providers can follow HIPAA step-by-step if they know the rules and give their staff the tools to do the right thing.
Education about the right of access is easy to find in The HIPAA E-Tool®. Policy PR-4 contains the policy, explains the exceptions, provides forms for responses, and helps determine a reasonable cost-based fee. Questions and answers are at your fingertips, with legal citations and updates when the law changes. And we are a phone call or email away to guide you.