What challenges might you encounter, given HIPAA regulations?
[Part 2 of 2]
Part 1 of this blog described when you might want to get copies of your, or your parent’s, health records. It also discussed the critical federal law, HIPAA, and how the resulting privacy rule assures that patients have appropriate access. Part 2 gives you the practical details about getting access, including some options to consider, along with challenges you might encounter.
Getting access to records and making choices:
To take advantage of this right, you will be required to complete a form describing what information you wish to view or have copied or transmitted, and providing other details. Unfortunately, there is no standard form or process, and each healthcare organization across the country handles this differently. In all cases, the form should include options describing what information that organization has about the patient (their Designated Record Set) so that the patient, or representative, can know what is possible to request. Note that this may include information in different forms such as some electronic data in addition to some paper information.
Organizations are not required to provide access or copies on the spot, although they may. They generally have 30 days to get back to you to set a date for you to view the information, to send a copy of the information, or, in limited situations, to let you know they need another 30 days to access offsite information or to inform you that your request is denied for one of the limited exceptions. (The regulations include details about how exceptions are handled and patients’ right to dispute decisions.)
Healthcare consumers have a few decisions related to this access right. You need to decide what information you want, and then decide whether you just want to view it or obtain a copy of it or have a copy sent to someone else. If you want a copy, you need to decide on the form and format of the copy.
Patients typically choose either paper photocopies or electronic copies, with electronic copies becoming today’s norm. Patients, or their adult children, can compile this information from different sources in an electronic file or folder. Some people use commercial products on their devices or in the cloud, while others save the information on their own devices and storage media such as an encrypted USB drive.
If you decide to receive the information in electronic form, the organization should give you options such as sending it to you via email or putting it on a CD or USB drive that is mailed to you or that you can pick up. The organization also should tell you what format(s) will be used, and they must be common formats such as Word documents or PDFs that do not require you to buy special software to read the document or file.
Also, the organization should inform you about how the information will be secured. It will likely be encrypted so that no one outside the organization except you, the recipient, will be able to decrypt and read it. The organization will give you a code, the “key” you will use to decrypt the information. Note that once you receive the information, it is your responsibility, not the healthcare organization’s, to keep it secure and private according to the patient’s wishes.
Finally, there is the matter of cost. The government and some parts of the healthcare industry are at odds over charging fees for patients to obtain copies of their own information. The privacy rule does permit organizations to charge limited fees, as discussed below. However, HHS has stated their preference that patients should not have to pay, and some providers agree and do not charge patients for copies. Regardless, a patient’s financial limitations should never be a barrier to obtaining a copy of his or her own health information.
Healthcare organizations (or sometimes another business holding records for that hospital or other provider organization) must have a procedure for patients to view their information, paper or electronic, at no charge. Patients typically come to the facility where they are permitted to view their information. Note that patients are permitted to take photos of their paper records or computer screens showing their electronic information. This can be a workaround if an organization imposes unreasonable fees for copies.
The regulations for charging copy fees are somewhat complicated. Essentially, organizations may opt for a low flat fee of $6.50, or may calculate a reasonable fee for photocopying that is no more than actual cost as defined in the regulations and subsequent guidance from HHS. Organizations using electronic records must be able to provide electronic copies. Further, they may not charge a “per page” copying fee from electronic records.
Stumbling blocks you might encounter:
Patients and their representatives may face difficulties in exercising this important HIPAA privacy right of access. Sometimes the organization you are dealing with may not fully understand the regulations – this is especially true in small organizations. Sometimes staff lack formal procedures to follow and may be unable to answer your questions. Organizations may not understand their obligation to provide access to more than the medical record. They may not know that patients have the right to view information for free, or that viewing and copies must be provided within 30 days. Unfortunately, it is not uncommon for patients to be overcharged for copies in violation of HIPAA. (Note that HIPAA takes precedence over state laws that give permission to charge more for copies.) And finally, in hospitals and medical centers, there is rarely a centralized process for obtaining copies of patient data. That puts an unnecessary burden on patients and families, and it is contrary to the spirit of the HIPAA privacy rule.
If you encounter such stumbling blocks, you can reach out to the provider’s privacy officer who handles concerns about compliance with the HIPAA privacy rule. In situations that can’t be satisfactorily resolved, HIPAA gives patients the right to file a complaint with HHS. HHS’s Office for Civil Rights (OCR) handles complaints and investigations, and they are sensitive to cases in which patients are thwarted from exercising their privacy rights. (See HHS Regional Offices to file a complaint.)
More reasons to view or get a copy of health records:
The HIPAA access right is powerful and healthcare consumers should take advantage of it. Not only should we be well informed when we are responsible for others, such as a parent, but also we should review what organizations have on file to identify and correct omissions and even errors.
Health records may become corrupted accidentally with another patient’s information, especially when patient names are similar or the same. This can happen with both paper and electronic records.
A major problem in healthcare is medical fraud, such as when a provider submits claims to be paid for services that were never provided. If that information is used by another provider to treat the patient, it could lead to excessive testing or procedures and even harm to the patient.
Although these situations are not common, they do occur and can lead to misdiagnosis and inappropriate patient care. Thus it is very important to identify the problem and have the information corrected. The privacy rule also requires organizations to have a record correction (“amendment”) process.
Best practice: get copies and review them:
Even if there is no particular reason to get a copy of your, or your parent’s, health records, it is a good practice to do so occasionally.
We usually assume we know what’s in our health record. But when we read through it, we may be surprised to find misleading statements. For example, when asked if you drink, you might have answered “occasionally,” but this information may have been recorded as “patient drinks,” implying a possible alcohol abuse problem to another professional reading the record. Or you may find omissions. For example, you had a flu shot or a pneumonia vaccination or a tetanus booster this year, but not through this provider. Ideally for comprehensive care, all our health information should be consolidated in a single system or a linked set of records so that our providers have all the information needed to keep us healthy.
Note that HHS provides an explanation of the right to access and guidance regarding charging fees for copies (scroll down on the page) at: Health Information Privacy
With thanks to contributor Kate Borten, CISSP, CISM, HCISPP, President, The Marblehead Group.
Kate is passionate about teaching people what constitutes good security and privacy practices and why they’re relevant and valuable.
Kate worked in healthcare IT for many years before she was tapped to lead Massachusetts General Hospital’s first information security program. Then along came HIPAA, shining a light on security and privacy issues and solutions in the industry. In 1999 Kate formed The Marblehead Group, a security and privacy consultancy focused mainly on helping organizations protect patient information.
Disclaimer: The material in this blog is for educational purposes only. It is not intended to replace, nor does it replace, consulting with a physician, lawyer, accountant, financial planner or other qualified professional.