Patients being able to access their own information is an essential right under HIPAA regulations, according to the American Health Information Management Association (AHIMA). However, patient data access is often misunderstood, and individuals can be unaware of what information they are able to obtain from their provider.
Journal of AHIMA Associate Editor Mary Butler explained in a recent post that there are numerous misconceptions surrounding patient data access.
“The laws and policies can add complexity, but their end goal is the same—to ensure a person’s sensitive health information remains private, while keeping the bar low for patients to access their information,” Butler wrote. “To ensure information is released according to the owner’s wishes, facilities are required to verify the identity of the requestor and confirm that he or she is authorized to access or transfer the records.”
To request records, a patient needs to contact their provider’s health information management (HIM) department, the post explained. The individual will then need to complete a “Patient Access Request (or similarly titled)” form.
“A growing number of healthcare facilities offer their Patient Access Request forms online so they can be completed ahead of time,” Butler stated. “Some facilities allow patients to mail or e-mail the form if requesting certain record services, such as transferring records to another provider or payer covered by HIPAA.”
It is important to note that HIPAA regulations also allow for a patient’s personal representative to complete patient access requests in the place of a patient. These representatives are allowed to make healthcare decisions on the patient’s behalf under state law.
Furthermore, if an individual was given power of attorney for a patient, then he or she has the right to request access to that patient’s medical records.
The process is also not instantaneous, and providers have 30 days to complete a records request under HIPAA.
“Most facilities, however, do not require that much time—many can fulfill a request in five to 10 days. Individual state laws may also dictate how quickly a facility must fulfill a request,” wrote Butler. “Fulfilling requests takes time because facilities receive many of them and processing them requires individual review.”
There are also permissible fees that covered entities can charge an individual for copies of their own health information. HIPAA entities can calculate their own fees, even for ePHI requests, as long as the fees are within the limits of HIPAA’s Privacy Rule.
“Charging a flat fee not to exceed $6.50 per request is therefore an option available to entities that do not want to go through the process of calculating actual or average allowable costs for requests for electronic copies of PHI maintained electronically,” according to the Department of Health and Human Services (HHS) website.
HIPAA also explains that there are “allowable fees.” These include charges associated with copying PHI (i.e., paper supplies, toner, electronic media, labor for creating an explanation of health information, postage).
Allowable labor costs include photocopying paper records, scanning PHI into electronic format, converting the format of PHI, transferring data to a web-based portal, or mailing and emailing.
If covered entities or business associates do not want to calculate the labor and supply costs for providing ePHI, they can charge a flat fee of $6.50 or lower, which includes labor, supplies, and postage fees.
The AHIMA post underlined the potential benefits of patients accessing their own data, for example when an individual is transferring to a new provider.
“Reviewing your record is an important way to ensure your provider has complete, correct, and up-to-date information, such as your known allergies,” Butler wrote. “If you find information in your record that is incorrect or that you disagree with, contact the provider’s HIM department.”
The Office of the National Coordinator (ONC) has also been working to ensure that patients fully understand their rights under HIPAA in terms of accessing their own information.
If patients have a false understanding of HIPAA rules and the HITECH Act, it can hinder patient data access, ONC explained in a 2016 report. Individuals “have a nearly absolute right to a copy of their own health records,” and the costs for access are limited by federal regulation.
“Health care providers often tell ONC and OCR that HIPAA makes it difficult to share electronic health information,” the report stated. “While erroneous, this misconception about HIPAA is widespread and unfortunate in that it places a needless burden on individuals.”
ONC also reiterated that patients have the right to access and obtain copies of their health information for their own purposes. A HIPAA covered health plan or provider can refuse access only in very limited circumstances.
Additionally, patients have access to data including laboratory results, images, prescription history, physician notes, diagnoses, and similar information.
“When individuals get, review, use and share copies of their health information, they are better able to monitor chronic conditions, make sure that their health information is accurate, and share their information with others ensuring that their health information is available at the right place and at the right time,” ONC wrote.