In this article, Robert A. Dowling, MD, addresses common questions and answers on patient access to protected health information-recently released by the government-to help your office manage this common task in a compliant fashion.
Robert A. Dowling, MDThe matrix of federal statutes, rules, and regulations regarding protected health information (PHI) has created a complicated and confusing landscape for health care providers on the front lines. The HIPAA Privacy and Security Rules, the HITECH Act, the EHR Incentive Program, and state laws and regulations all address certain aspects of PHI, including the rights of patients, the obligations of providers, access to information, and penalties for violations.
One practical challenge that urologists and other physicians face every day concerns “requests for medical records” that come from patients and their representatives. In this article, I address common questions and answers on this topic-recently released by the government-to help your office manage this common task in a compliant fashion.
Misunderstandings about the HIPAA Privacy Rule may be common among patients and their providers (http://bit.ly/PHIconfusion). On Jan. 7, 2016, the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) issued an important clarification about the HIPAA Privacy Rule related to the rights of individuals to access their protected health information (http://bit.ly/PHIrights). Also included in this release is information and interpretation regarding the obligations of providers according to OCR-the investigation and enforcement arm of HHS. This website (http://bit.ly/PHIaccess), then, is a good source of rules of the road in this area and should be reviewed by anyone in your office who deals with receiving or fulfilling requests for medical records-physicians, clinical staff, and administrative staff.
Next: Types of information patients have a right to access/receive
The general right of a patient to access/receive their PHI is a fundamental principle of the HIPAA Privacy Rule. The information to which a patient has rights includes that found in “designated record sets” in paper or electronic form, examples of which include medical records, billing records, payment records, explanation of benefits, x-rays (including images), labs, health plan case management records, and any record category that could be “used to make decisions about any individuals.” Specifically excluded from this requirement are psychotherapy notes and information compiled for use in a civil, criminal, or administrative proceeding.
Further, the OCR has clarified important questions about patients’ rights concerning actual access. A provider may, but is not required to, compel the patient to submit a written request for access, provided they inform individuals of this requirement. HIPAA requires providers to take “reasonable steps” to verify the identity of persons requesting PHI, but OCR further clarifies that providers may use professional discretion as to the manner of verification in the context of the nature of the request.
OCR also gives examples of what physicians may not do in this regard: They cannot require a patient to physically come to the office, cannot force a patient to use a portal, and cannot force a patient to mail a request (because of delay). Providers must provide the patient access “in the manner requested by the individual, which includes arranging with the individual for a convenient time and place to pick up a copy of the PHI.” Finally, the right of patients to receive their PHI by unencrypted email is confirmed in this clarification-subject to the requirement that physicians warn their patients about risk of unencrypted data in transit.
Patients are entitled to receive the access to PHI “in the form and format requested, if readily producible in that form and format, or if not, in a readable hard copy form or other form and format as agreed to by the covered entity and individual.” If a patient wants a paper copy of PHI, the provider must be able to provide it. If a patient wants an electronic copy of electronic PHI (ePHI) or paper PHI, the provider must provide it in the requested format “if readily producible.” If the requested format is not producible, then the provider is directed to provide the patient an “agreed upon alternative, readable electronic format.”
Next: Timeliness question clarified
The OCR also clarifies timeliness regarding access to PHI. A provider “must provide access to the PHI requested, in whole, or in part (if certain access may be denied, as explained below), no later than 30 calendar days from receiving the individual’s request.” There are provisions for exceptions and extensions of this timeline, but HHS clearly intends for 30 days to be an outer limit in most cases. OCR also provides a helpful table outlining the distinctions between the HIPAA Privacy Rule and the EHR Incentive Program, some of which are relevant to the timing of access (table).
Clarification about what fees may be charged to a patient for access to PHI may surprise many urologists, and the language and original emphasis (as shown in italics) is quoted here in its entirety:
“The Privacy Rule permits a covered entity to impose a reasonable, cost-based fee if the individual requests a copy of the PHI (or agrees to receive a summary or explanation of the information). The fee may include only the cost of: (1) labor for copying the PHI requested by the individual, whether in paper or electronic form; (2) supplies for creating the paper copy or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media; (3) postage, when the individual requests that the copy, or the summary or explanation, be mailed; and (4) preparation of an explanation or summary of the PHI, if agreed to by the individual. See 45 CFR 164.524(c)(4).
“The fee may not include costs associated with verification; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; or other costs not listed above even if such costs are authorized by State law.”
Practices should consult their health care attorney for interpretation of this language in the context of their current policies, especially if it is founded in state law and may be trumped by HIPAA.
Bottom line: The HIPAA privacy rule governs many aspects of the relationship between patients and their providers, yet incomplete or even incorrect understandings persist. The OCR has released important clarification about the rights of patients and the obligations of providers in this regard, including answers to common scenarios in the office. Urologists and their health care attorneys should review their own policies regarding patient access to PHI in the context of the important information available on the OCR website.
Subscribe to Urology Times to get monthly news from the leading news source for urologists.