There was a time when getting a copy of your medical records was a hit-or-miss proposition. Depending on your health history and how your provider documented it, a complete medical file could be inches thick or just a few pages. The healthcare provider had much control over how much you would be permitted to access or if you could access it at all.
The passage of the Health Insurance Portability and Accountability Act (HIPAA) was supposed to level the playing field for patients seeking access to their medical records. Today, can patients request medical records, and how difficult is it to do so?
The Process of Patient Requests for Medical Records
Can patients request medical records? Under HIPAA, patients have the right to have complete access to all of their medical records. The HIPAA Privacy Rule guarantees this right, specifically under the right of access provision.
Before HIPAA’s rules and regulations, healthcare providers often treated patient records like they were the provider’s property. The healthcare provider had almost total control over how much a patient could access.
However, with HIPAA’s passing, patient requests for medical records must be met within 30 days. Patients can be charged for a copy of their records, but the key phrase is “reasonable and customary.” Providers are not permitted to charge excessive or punitive fees for copies of documents.
That’s all patients have to do. Once the request is made, the clock is ticking for the provider to respond.
The HIPAA Right of Access Initiative: Penalties for Not Honoring Patient Requests
HIPAA provides a few reasons a provider can deny a patient part or all of a medical record. Protecting a patient or another person from the reasonable likelihood of harm is one example of a situation that could result in a denial of records.
Outside of these limited reasons, a healthcare provider must provide a patient’s record when they request it. It does not matter if there is an outstanding balance on the patient’s account. The records must be provided.
Although the right of access is part of HIPAA law, many providers still fail to meet its requirements. This is why, in 2019, Office for Civil Rights (OCR) launched its HIPAA right of access initiative to highlight the importance of meeting patient requests.
Since announcing its initiative, OCR has reached at least 41 settlements resulting in fines for those who have violated the standard. In at least one instance, a provider’s refusal to provide records because money was still owed on an account resulted in a $100,000 fine.
Earlier this year, after settling eleven enforcement actions under the HIPAA right of access initiative, OCR Director Lisa J. Pino stated, “It should not take a federal investigation before a HIPAA covered entity provides patients, or their personal representatives, with access to their medical records. Health care organizations should take note that there are now 38 enforcement actions in our Right of Access Initiative and understand that OCR is serious about upholding the law and peoples’ fundamental right to timely access to their medical records.”
OCR obviously takes this seriously. Organizations should have clear HIPAA policies and procedures to address handling medical record requests, which should reflect the standards established by HIPAA.