Does EHR Patient Access Fall Short of HIPAA Compliance?

Patients and healthcare organizations face numerous challenges when providing EHR patient access for HIPAA compliance, according to a recent GAO report.

By Fred Donovan

Patients and healthcare organizations face numerous challenges when providing EHR patient access for HIPAA compliance, according to a report released May 14 by the Government Accountability Office (GAO).

Among the challenges faced by patients are high fees when requesting medical records and a lack of understanding about their rights under HIPAA to access their records. High fees are particularly worrisome for patients with severe medical conditions, whose care generates a large volume of medical records.

The HIPAA Privacy Rule requires that covered entities provide patients with access to medical records upon request. According to OCR guidance issued in February 2016, patients have the right to obtain copies of their medical records and to have their records forwarded to a person or entity of their choice for a reasonable cost-based fee.

One patient advocacy organization, which collects information on patients’ access to their medical records, provided GAO with the following examples of apparently unreasonable fees reported to them by patients:

• Two patients said they were charged fees of more than $500 for a single medical record request

• One patient was charged $148 for a PDF version of her medical record

• Two patients were required to pay an annual subscription fee to access their medical records

• One patient was charged a retrieval fee by a hospital’s release-of-information (ROI) vendor for a copy of her medical records, even though retrieval fees are prohibited under HIPAA

In turn, healthcare providers and other stakeholders told GAO that they face high costs in responding to patient record requests because of staff time, records being in multiple places and formats, and other challenges.

For example, retrieving medical records often requires providers or their ROI vendors to go through multiple EHR systems to compile the requested information. Printing a complete record can sometimes result in a document that is hundreds of pages long due to the amount of data stored in EHR systems.

As healthcare providers have transitioned from using paper records to EHR systems, information has been scanned into electronic medical records. This has resulted in some records being incorrectly merged. When responding to a medical record request, providers or their vendors must carefully go through each page of the record to ensure only the correct patient’s medical records are being released.

While patients can request electronic copies of their records, providers may have security concerns about sending information over unsecured email or copying records onto a patient-supplied USB stick, since connecting an untrusted device increases the risk of the provider’s system becoming infected with malware.

When a patient gives permission for a third party to request copies of the patient’s medical record, the HIPAA reasonable cost-based fee standard does not apply, and those fees are usually regulated by state law.

GAO examined laws in four states—Kentucky, Ohio, Rhode Island, and Wisconsin—to determine how much providers can charge for third-party requests. The government watchdog found that the fees charged for third-party requests are generally higher than those charged to patients.

Three of the states—Ohio, Rhode Island, and Wisconsin—have per-page fees for patient and third-party record requests. These three states have also established specific fees for requesting media such as x-ray or MRI images.

Ohio has established a different per-page fee for third-party requests. The other three do not authorize a different fee for patient and third-party requests.

Rhode Island specifies a maximum allowable fee if the provider uses an EHR system. The other three do not differentiate costs for electronic or paper records.

Kentucky entitles individuals to one free copy of their medical record and up to $1 per page for additional copies.

“When asked about the reported distinction between fees for patient-directed and third-party requests, OCR officials told us that they are in the process of considering whether any clarification is needed to their 2016 guidance,” the report noted.
