Is your practice compliant with patient record access rules?

Urology Times Journal, Vol 50 No 01

Be sure to check and refresh your practice’s policies for record requests.

On November 30, 2021, the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) announced the resolution of the latest investigations in its Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative.1 Under the Privacy Rule issued under HIPAA (enacted in 1996), individuals have the right to timely access to their medical records at a reasonable cost, and the OCR has settled more than 20 such cases and complaints since the initiative began in September 2019.

Separately, in 2020, the Office of the National Coordinator for Health Information Technology (ONC) issued a final rule implementing Section 4004 of the 21st Century Cures Act. Among other things, this rule implements interoperability requirements, defines information blocking, and seeks to give patients “more power in their health care.” Health care providers are affected by both rules, and adherence to a few simple principles will keep the busy practitioner compliant. Here is what you need to know.

What is contained in the Privacy Rule

Most urologists are familiar with the basics of HIPAA. The Privacy Rule gives people the right to see and/or get copies of their health information from their health care providers and health plans. After receiving a request, an entity has 30 days to provide an individual or their personal representative with their records, which expressly include medical records, billing records, clinical case notes, medical image files, insurance and claims records, and clinical lab results. Specifically excluded from this designated record set are psychotherapy notes, records compiled for use in an administrative, civil, or criminal proceeding, and records not used to make health care decisions. Entities may require that the patient submit a written request and may take reasonable steps to verify the identity of the requestor. Doctors may not impose unreasonable measures, such as requiring that individuals come to the office to make the request or requiring that the request be mailed.2

The Privacy Rule also describes how access to records should be provided, when it should be provided, and at what cost it may be provided. In general, the records must be provided in the form and format requested by the individual if they are readily producible in that form and format. A physician office is expected to be able to readily produce an electronic or paper copy of an electronic health record (EHR) if requested. It is also expected that, if requested, a practice can produce an electronic copy of a paper record (for example, a physician’s office that keeps only paper records can scan them). Covered entities may not require that a patient come to their physical location to pick up the records, and both mail and email are acceptable delivery methods if agreed to by the patient. Some entities may be able to deliver electronic copies through a website or portal.

The rule provides that access must be provided within 30 calendar days. If the records cannot be produced within that time (for example, because they are archived off-site), the entity may take a single extension of up to 30 additional days, provided it gives the individual written notice of the reason for the delay and the date by which the records will be provided. Finally, entities may charge only a reasonable, cost-based fee that covers the labor of copying, supplies, postage (when the individual asks for a mailed copy), and preparation of a summary or explanation if the individual requests one; the fee may not include the cost of searching for or retrieving the records. The entity may charge an individual based on the actual costs to fulfill the request, an average cost calculated for similar requests, or, for electronic copies of records maintained electronically, a flat fee of up to $6.50 if it does not want to perform those calculations. If your practice is in the habit of charging a flat fee in excess of $6.50, it would be prudent to document the actual or average cost of fulfilling requests (labor, supplies, and postage).

Patient access to records is also part of the interoperability rule of the Cures Act. In that rule, information blocking is described as “a practice by a health information technology [IT] developer of certified health IT, health information network, health information exchange, or health care provider that, except as required by law or specified by the Secretary of HHS as a reasonable and necessary activity, is likely to interfere with access, exchange, or use of electronic health information (EHI).”3 The information that constitutes EHI aligns with the designated record set in the HIPAA Privacy Rule and has the same exclusions. The information blocking provisions and the technicalities of which elements of an EHR must be made available for access, exchange, or use are most relevant to IT developers. Where physicians need to pay attention is how they have configured (or failed to configure) their particular system and their policies, because either can amount to information blocking. For example, ONC clearly states, “It would likely be considered an interference for purposes of information blocking if a health care provider established an organizational policy that, for example, imposed delays on the release of lab results for any period of time in order to allow an ordering clinician to review the results or in order to personally inform the patient of the results before a patient can electronically access such results.”4 Progress notes in an EHR are clearly considered EHI that can be accessed, exchanged, and used by patients. It would likely be considered information blocking to systematically delay the availability of those notes to a patient through a portal, and it would almost certainly be considered information blocking to fail to respond to a patient request for that access in a timely fashion. Note that a claim of information blocking does not require a request for access: information blocking is any practice that is likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI.

Potential scenarios to consider

Let’s consider a few possible scenarios in a typical urology practice with a contemporary EHR/patient portal that might invoke 1 or both rules.

Scenario 1: A patient undergoes an uncomplicated prostate biopsy and is scheduled for follow-up in 1 week. The final pathology report comes back a day later and shows high-grade prostate cancer. The patient calls the following day, requesting an electronic copy of their procedure note and biopsy results to share with their personal doctor and possibly get another opinion. A nurse calls the patient back, explains that the doctor hasn’t yet signed the procedure note or reviewed the pathology results, and encourages the patient to keep their scheduled appointment. Failure to make this EHI accessible to the patient would likely be considered information blocking. Indeed, this patient may well have already seen their pathology results from the commercial lab vendor, which is subject to the same rules.

Scenario 2: A long-time complicated kidney stone patient is relocating to another city and wants their complete records in electronic format emailed to them, including some you have in paper format stored off-site. Your office policy is to require a written request and charge a flat rate of $30 plus $0.10/page (for paper records), which will amount to over $50 for this request. As defined in the Privacy Rule, the patient is well within their rights to a copy of their entire medical and billing records in the format they request if it can reasonably be produced. The practice is permitted to make a reasonable charge that is based on labor, supplies, and postage. In this case, it would be prudent to charge the patient the actual labor cost of scanning the paper records or an average amount based on well-documented costs to the practice, not the flat $30 plus per-page rate. The practice must inform the patient about the written-request requirement and the fee ahead of time. The Privacy Rule also allows the covered entity to take a single extension of up to 30 days to respond when the records are not readily accessible, as in this case, provided the patient is given written notice of the reason and the expected date.

Scenario 3 (Nightmare Scenario): You are the leader of a 10-physician single-specialty practice, and one of the partners is chronically delinquent with signing notes, returning patient calls, and reviewing labs. Although widely considered to be a good clinician with good patient rapport, this physician has not embraced the workflows that characterize modern medical record keeping and encourage patient engagement, such as using a patient portal. Anecdotal complaints and informal counseling have not led to improvement. A new complaint has been lodged by an established patient with gross hematuria, alleging their phone calls have not been returned, they cannot get their urine test results or a prescription, and they have developed a low-grade fever. The patient tried accessing their information via portal, and there is nothing there. They want to transfer their care immediately. You are on call, manage the crisis, and speak to the physician again the next day. Unfortunately, the patient becomes septic, requires hospitalization, is diagnosed with an obstructing stone, and ultimately retains an attorney alleging failure to diagnose a complicated urinary tract infection. In addition, the patient files a complaint with the OCR, alleging the practice violated their rights to access their health information, as well as with the ONC alleging the physician was engaged in information blocking. The practice pays a $40,000 fine and enters a 3-year settlement agreement with the OCR. The ONC complaint is still being investigated. This scenario is fabricated but is not far-fetched.

The bottom line, and why it matters

Numerous federal laws and regulations empower patient access to their health information and impose significant penalties for violations. Compliance with these rules is straightforward but requires a shift from the traditional concept of medical record ownership and a physician audience to the contemporary concept of shared access with the patient and others they designate. As you create and curate your clinical notes, phone messages, letters, and other information related to patient care, you should do so with the full expectation that the patient can and will access this information. Be sure you actively encourage or incentivize enrollment in the portal. Your practice should configure the EHR to promptly release all information to the portal unless it meets 1 of the very narrow exceptions. Your policies for record requests should be refreshed and checked against both HIPAA and the Cures Act for compliance. Update any fee structure and rationale you may have had in place for years. With these building blocks in place, it is likely you will be compliant with these rules and provide the same access to records that you would expect if you were the patient.

References

1. Resolution agreements and civil money penalties. US Department of Health and Human Services. Updated November 30, 2021. Accessed November 30, 2021. https://bit.ly/3EkroRd

2. Individuals’ right under HIPAA to access their health information, 45 CFR § 164.524. US Department of Health and Human Services. Updated January 31, 2020. Accessed November 30, 2021. https://bit.ly/3Gozlpp

3. Information blocking. Office of the National Coordinator for Health Information Technology. Updated March 19, 2021. Accessed November 30, 2021. https://bit.ly/3daOuxO

4. Information blocking FAQs. Office of the National Coordinator for Health Information Technology. Accessed November 30, 2021. https://bit.ly/3ruiEnX