The HIPAA Privacy Rule grants patients the right to access their health information in a way that is easy and affordable for them. Providers are required to give patients access to their health information. There are some exceptions, of course, so getting the process right can be as confusing as being in a house of mirrors.
Patients are entitled to receive all information a provider maintains about them in one or more designated record sets. A designated record set is any information the provider uses to make decisions about a patient and includes medical, dental, and billing information. It also includes any information in the patient’s file received from other providers or the patient themselves and includes all electronic systems and paper files, not just the patient’s information in an EHR system. A patient may not always ask for their entire record, but it is always a requirement to provide what is requested.
The OCR has been focusing on investigating complaints from patients experiencing issues getting access to their own health information, the health information of their children, or those in their care for the past 2.5 years. During that time, there have been 27 enforcement actions issued as part of these investigations that the OCR calls its HIPAA Right of Access Initiative. So far, the average penalty has been $60,000, with the highest reaching $200,000. Each comes with a 1 or 2-year corrective action/monitoring plan.
A leading cause of the OCR’s enforcements in the HIPAA Right of Access Initiative is the failure to provide all the information a patient has requested and is entitled to receive.
There are a few circumstances where providers are permitted to deny a patient’s request for records. Two of them are:
- When records contain psychotherapy notes, or psychotherapy notes are specifically requested, they can be omitted or the specific request for the notes can be denied. Psychotherapy notes are only those taken by a mental health professional during therapy sessions and are used to recall details and the provider’s personal observations about the session specific to their personal analysis.
- Any information a provider’s office has collected in preparation for or that will be used in a civil, criminal, or administrative action or proceeding can also be denied if requested by the patient.
However, the most common violation that has led to patient complaints and enforcements is a slow or lack of response to record requests. Some providers have ignored multiple requests from a patient for their health information for several years, which causes the patient to file a complaint and leads to an OCR investigation. Providers are required to respond to a patient’s request as soon as possible, but no later than 30 days from the date of request. Under certain circumstances, the provider can notify the patient in writing that they will need a 30-day extension but must provide the patient with the reason for the extension, and the date the patient can expect their records.
It is easy to see how quickly this process can become complex. There are several other important considerations such as fees, the format of requests, or patient requests to review access denials, to name a few.
It’s important to have the right resources to ensure your process follows the proper guidelines. TMC clients not only have immediate access to forms and guidance in our Client Portal but have a personal consultant as well as easy access to expert support by contacting Client Services at firstname.lastname@example.org.