Many hospitals failed at HIPAA compliance in response to simulated patients’ requests for medical records, according to a study by Yale researchers published in JAMA Network Open.
The researchers surveyed 83 top-ranked US hospitals with independent medical records request processes and medical records departments reachable by telephone.
According to HIPAA, patient requests for medical records must be fulfilled within 30 days of receipt in the format requested by the patient if the records are readily producible in that format. OCR guidance says that hospitals can charge a cost-based fee to provide those records.
The researchers conducted scripted interviews with medical records departments in a simulated patient experience and also collected medical records release authorization forms. There was wide variation in the information provided on the authorization forms and from the telephone calls in terms of what data could be requested, release formats, costs, and processing times.
On the authorization forms, only 44 hospitals (53%) provided patients the option to acquire the entire medical record. On telephone calls, all 83 hospitals stated that they were able to release entire medical records to patients.
There were discrepancies in information given in telephone calls versus authorization forms among the formats hospitals said that they could use to release information: 69 versus 40 for pick up in person, 20 versus 14 for fax, 39 versus 27 for email, 55 versus 35 for CD, and 21 versus 33 for online patient portals. These results demonstrated noncompliance with HIPAA in refusing to provide records in the format requested by the patient, the study noted.
There were 48 hospitals that had costs of release above the federal recommendation of $6.50 for electronically maintained records. In one case, a hospital charged $541.50 for a 200-page medical record. At least seven of the hospitals were noncompliant with state requirements for processing times.
“Discrepancies in information provided to patients regarding medical records request processes and noncompliance with regulations appear to indicate the need for stricter enforcement of policies relating to patients’ access to their protected health information,” the researchers concluded.
The study is timely because the Trump administration has launched the MyHealthEData initiative, which is designed to improve EHR patient data access and use. MyHealthEData is intended to break down the barriers that prevent patients from having electronic access and control over their own health records from the device or application of their choice.
In 2017, President Donald Trump issued an executive order in which he directed government agencies to “improve access to and the quality of information that Americans need to make informed healthcare decisions, including data about healthcare prices and outcomes, while minimizing reporting burdens on affected plans, providers, or payers.” The order was part of a broader effort to increase competition in the healthcare market.
“The MyHealthEData initiative will work to make clear that patients deserve to not only electronically receive a copy of their entire health record, but also be able to share their data with whomever they want, making the patient the center of the healthcare system. Patients can use their information to actively seek out providers and services that meet their unique healthcare needs, have a better understanding of their overall health, prevent disease, and make more informed decisions about their care,” explained a March 2018 CMS press release.
While the goals of MyHealthEData are lofty, the results of this Yale study call into question the ability of private healthcare organizations to fulfill the Trump administration’s initiative, never mind comply with existing HIPAA patient access requirements.