With the click of a button, any one of your patients can file a complaint against you for failure to grant them easy and timely access to their medical records. However, the complaint alone isn’t what you should be concerned about – it’s what comes next.
patient access to medical records
Complaints about patient access to medical records fall under HIPAA Privacy Rule requirements. Although you can’t completely control whether a patient will complain or not, you can control your adherence to state and federal HIPAA laws. Your compliance with these laws will help protect you should the patient’s complaint result in an audit of your practice – which is typically the next step.
You can help avoid the ramifications of a patient’s access to medical records complaint with the information below.
HIPAA Privacy Rule Fundamentals patient access to medical records.
The mandates related to patient access to medical records state that you must provide access to patients with the right to inspect their records, obtain a copy or ask you to send a copy to any person or entity they name – and they don’t need to give you a reason for any of these requests. The mandates also set response deadlines that you must adhere to (many of which are state-specific).
According to the HIPAA Privacy Rule, patients are entitled to access data found in a “designated record set” (their medical record) related to their personal medical information as follows:
- Medical and billing records
- Any enrollment, payment, claims, case or medical management records
- Other records that you use to make decisions about their care. This includes records that are used to make decisions about any patients, whether the PHI has been used to make a decision about the patient requesting access or not.
Patient Requests for PHI
HIPAA rules allow patients to request copies of their records in a variety of formats, including email, secure web portal or in writing (at your discretion) — and you must comply.
You can require the use of your own medical records request form if it doesn’t create a barrier or cause an unreasonable delay. For example, if your patient sends a compliant request to your office for a copy of their medical records, you cannot refuse it simply because they didn’t utilize your specific form. Doing so can mean you may have to pay a penalty for causing an unreasonable patient access to medical records delay.
Note: If your practice is still using paper records, you’re not required to provide patient access to medical records electronically. Currently, there is not a national mandate for practices to use electronic medical records.
Verifying Patient Identities
Once a patient makes a request to access their medical records, it is imperative that you confirm their identity. Even if you know the patient, you should have a process in place to confirm the patient’s identity and document your findings.
The identity verification method you use is up to you, but it cannot create a barrier that keeps your patient from receiving their information: it’s a tricky balance.
So, what works to verify patient identity?
- In-person, via phone, or in writing – Regardless of how the patient requests the information (phone, in-person or in writing), it is very important that you confirm their identity. If you have your own patient access to medical records request form, consider including qualifying questions that confirm the identity of your patients.
- Via fax – Don’t rely solely on a fax to fulfill medical records requests. To satisfy the HIPAA rule’s verification requirement, pick up the phone and call your patient to ensure it was them making the request – and be sure to document the time, date and details of your call in their record.
- Secure web portal – You must have authentication controls in place to confirm that a patient access to medical records request is really coming from your patient. If you utilize an electronic portal, be sure yours include electronic records encryption, auditing functions, backup and recovery routines, unique user IDs, strong passwords and roles or user-based access controls. You can find a full list of security requirements in the Department of Health and Human Services’ Guide to Privacy and Security of Electronic Health Information.
IMPORTANT: Regardless of the medium, be sure to document all identity verifications that you receive. If you get audited, it will be the only way to protect yourself if the source gets called into question. Remember, if you don’t have a record of it, it never happened.
Removing Access Barriers
You can’t require the format of a patient access to medical record request. Also, you must have more than one option when you fulfill a medical records request. For example, you cannot require that your patients physically come to your office to fill out a request form, present a photo ID or pick up their file.
The key is to NOT just have one request option. You must provide your patients with a variety of ways to request and gain access to their medical records. The rule of thumb is to keep your process simple.
- Requests: Offering multiple options for how you receive requests for patient access to medical records should not create more work for your practice. Having more options means that more patients will have access, in a variety of situations. For example, you can’t require your patients to use your web portal. Believe it or not, there are still a handful of patients who don’t have reliable Internet access to request medical records, especially now with public libraries and community centers closed due to the public health emergency (PHE). The web portal is one viable option if the patient chooses it, it just can’t be your only option.
- Fulfillment: Additionally, you should not have a policy that offers just one fulfillment option (i.e. mailing patient records). In this example, having mail as your only fulfillment option could be considered a barrier to access. You don’t want the U.S. Postal Service’s slowed speed to cause a time lag for patients awaiting personal information.
Ultimately, how patients are allowed to request their personal medical information and how you fulfill their requests must be convenient to them and must not unreasonably delay their access.
Easy Access Is Key
The HIPAA Privacy Rule mandates that you must provide your patients with access to their personal medical information in the form and format in which they request. You must not specify the form and format. You should always work with the patient and come to some agreement regarding what they are willing to accept.
Below are some access options for your practice to consider:
- Paper copies: If your patient requests it, you are required to provide them with a paper copy of their records regardless of how they requested it (i.e. electronic request).
- Electronic copies:
- Paper Records: If a patient requests to receive their medical records in an electronic format, you must make this option available – as long as you can reasonably make it happen. Your patients may also request that you provide them with their electronic information in a variety of formats. For example, patients may ask for their records via encrypted e-mail, or that you put their files on a thumb drive. Most likely each of these requests would seem reasonably plausible if you are ever audited.
- Electronic Records: If your records are kept electronically, regardless of the format or software you use, you would be required to comply with patient access to medical records requests in an electronic format.
While you are not required to purchase resources to accommodate every possible request, you must provide the information in some format. Also, it would be prudent to document why you couldn’t comply with the patient’s original request, just in case they file a complaint.
Timely Access Answers
When you receive a patient access to medical records request, you must comply within 30 calendar days. The HIPAA Rule cautions that you should grant access as soon as you can, but clearly states that you only have 60 days from start to finish to fulfill patient access to medical records requests.
If you’re unable to provide the patient access within the 30-day timeframe – for example, if the information is archived offsite and not readily available – you can extend the due date an additional 30 days. To make your extension compliant, you must inform the patient in writing why there’s a delay. This notification must be done within the (first) 30-day timeframe and include the date your patient will receive access to their records.
IMPORTANT: Although the federal HIPAA rule sets clear patient access to medical records guidelines, your state may have different timeliness laws you must comply with.
Understanding both federal and state patient access to medical records laws is essential to your practice’s survival. It could just take one patient complaint to get you audited, and if they find a violation, auditors can expand it to your entire practice. You can get a handle on these complex and confusing rules. Healthcare attorney, Joseph Lazzarotti, Esq., CIPP, can help. His 90-minute online training session Stop Cures Act and Patient Access Fines, Federal Deadline has Passed will help you comply with HIPAA right to access rules. You’ll learn how to compliantly manage patient access to medical records and protect your practice from complaints, audits, law violations, and hefty penalties. Sign up for this must-attend training now!
|Subscribe to Healthcare Practice Advisor|
|Get actionable advice to help improve your practice’s
reimbursement, compliance, and success in this weekly eNewsletter.