HIPAA Privacy Rule Compliance: Patient Copies of Health Information

An important element of HIPAA Privacy Rule compliance is ensuring patient copies of health information are provided on request. The Health Insurance Portability and Accountability Act requires HIPAA-covered entities to provide either electronic or paper copies of patient health records to the patient, or their nominated representative, if they are specifically requested.

This week, the American Health Information Management Association (AHIMA) has published a slideshow and a blog post explaining the rights of patients to obtain copies of their health information, the reasons why this HIPAA right should be exercised, and what patients can expect when asking their healthcare providers for copies of their medical records.

Obtaining copies of health information is important for a number of reasons. Healthcare providers may make mistakes when recording health data. There may be omissions in medical records, or information could be recorded incorrectly. If patients do not check their medical records, those mistakes are likely to go unnoticed. Errors could have serious implications for patients. Failure to record an allergy to penicillin, for example, could result in serious health complications.

While a fully interoperable healthcare system is a goal, it is still a long way from becoming a reality. In theory, any healthcare provider should be able to obtain patient health records from another healthcare provider. In practice, that is not always possible and does not always occur. Patients who have received medical services at a variety of healthcare providers may find that no one provider has access to their entire medical history. If copies of patient health information are obtained from all healthcare providers, patients will hold their entire medical history. They can then provide that information to any current or new healthcare provider, thus improving the continuity of care.

However, not all patients hold a complete set of medical records and many individuals fail to exercise their right to obtain a copy of their health information. AHIMA wants to improve awareness of patients’ right to obtain copies of their medical records and is encouraging patients to take a more active role in their own healthcare.

AHIMA explains that when patient copies of health information are requested, a fee is likely to be charged. When a fee is charged for providing patient copies of health information, patients must be informed in advance. It may not be possible for an exact cost to be provided when the request is made, but healthcare providers must at least give an estimate. A flat fee may be charged, or patients may be charged individually depending on which payment model has been adopted by their healthcare provider. However, AHIMA notes that providers are not permitted to charge per page, and are not permitted to charge if copies of health information are made available through a patient portal.

Covered entities are allowed up to 30 days to provide patient copies of health information, although an extension of 30 days is possible if there is a valid reason why the 30-day deadline cannot be met, for instance when the records are in storage. Records will be provided as part of a designated record set, which is likely to include copies of medical records, billing and payment records, clinical case notes, lab test results and disease management program files.

AHIMA explains that information can be provided to a patient or a nominated personal representative, although due to HIPAA Rules on disclosure of patient health information, checks will be performed to confirm the identity of the person to whom medical information is being released. A photographic ID will therefore be required and a waiver will also need to be signed to verify identity.

If a patient is prevented from obtaining a copy of their medical records, a complaint should be filed with the Department of Health and Human Services’ Office for Civil Rights.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news