What is a HIPAA Compliant Medical Records Request Response?
The first step in providing a HIPAA compliant medical records request response is to determine that the request for medical records has been properly made.
Under HIPAA, an individual is permitted to inspect or obtain a copy of his or her PHI that is maintained in a designated record set. The covered entity must permit an individual to request access to inspect or to obtain a copy of the protected health information about the individual that is maintained in a designated record set.
A “designated record set” is defined at 45 CFR 164.501 as a group of records maintained by or for a covered entity that comprises the:
- Medical records and billing records about individuals maintained by or for a covered health care provider;
- Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
- Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals.
Failure to provide patients access to their medical records can result in hefty fines under the HIPAA Right of Access initiative.
What Can a Covered Entity Require an Individual to Do Before Obtaining Access to PHI?
As part of the process of making a HIPAA Compliant medical records request response, the covered entity may require individuals to make requests for access in writing, provided that it informs individuals of such a requirement. In addition, a covered entity may require individuals to use the entity’s own supplied form, provided the use of the form does not create a barrier to or unreasonably delay the individual from obtaining access to his or her PHI.
In addition, as part of a HIPAA Compliant medical records request response, the Privacy Rule requires a covered entity to take reasonable steps to verify the identity of an individual making a request for access. The type and manner of the verification is left to the covered entity’s professional judgment. Verification may be done orally or in writing and, in many cases, the type of verification may depend on how the individual is requesting and/or receiving access – whether in person, by phone (if permitted by the covered entity), by faxing or emailing the request on the covered entity’s supplied form, by secure web portal, or by other means.
For example, if the covered entity requires that access requests be made on its own supplied form, the form could ask for basic information about the individual that would enable the covered entity to verify that the person requesting access is the subject of the information requested or is the individual’s personal representative. For those covered entities providing individuals with access to their PHI through web portals, those portals should already be set up with appropriate authentication controls, as required by the HIPAA Security Rule, to ensure that the person seeking access is the individual or the individual’s personal representative.
How Must Covered Entities Respond to a Request for Medical Records?
As part of a HIPAA Compliant medical records request response, covered entities must respond to requests for access in a timely manner. Generally, under the HIPAA medical records release rule, covered entities must notify individuals of the covered entity’s decision on access within 30 days of the covered entity’s receipt of the request.
According to guidance from the Department of Health and Human Services, the 30 calendar days is an outer limit, and covered entities are encouraged to respond as soon as possible. Indeed, as HHS notes, a covered entity may have the capacity to provide individuals with almost instantaneous or very prompt electronic access to the PHI requested through personal health records, web portals, or similar electronic means. Further, individuals may reasonably expect a covered entity to be able to respond in a much faster timeframe when the covered entity is using health information technology in its day-to-day operations.
If a covered entity is unable to provide access within 30 calendar days (for example, where the information is archived offsite and not readily accessible), the covered entity may extend the time by no more than an additional 30 days. To extend the time, the covered entity must, within the initial 30 days, inform the individual in writing of the reasons for the delay and the date by which the covered entity will provide the information.
These timelines apply regardless of whether:
- The PHI that is the subject of the request is maintained by the covered entity or by a business associate on behalf of the covered entity, or the covered entity uses a business associate to fulfill individual requests for access. The 30-day clock starts on the date that the covered entity receives a request for access, so any delay in obtaining the necessary information from a business associate or forwarding the request to the business associate for action “uses up” part of the allotted time. Alternatively, the 30-day clock starts when, instead of the covered entity, a business associate receives a request directly from an individual because the covered entity instructed the individual through its notice of privacy practices (or otherwise) to submit the access request directly to its business associate for processing.
- The covered entity negotiates with the individual on the format of the response. Covered entities that spend significant time before reaching agreement with individuals on format are depleting the 30 days allotted for the response by that amount of time.
- The PHI that is the subject of the request is old, archived, and/or not otherwise readily accessible.
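The timeline rules above (a 30-calendar-day clock that starts on receipt, one extension of at most 30 additional days with written notice inside the initial period, and a clock that starts at the business associate only when the individual was directed to submit the request there) are the kind of thing an access-request portal has to enforce rather than leave to memory. The following tracker is an added example written for this page; it is not code from the original article or from Compliancy Group. The request ids and dates are constructed, and the single-extension reading of the rule is an assumption stated in the code.

```python
"""Deadline tracker for HIPAA right-of-access requests.

Added example, not from the original page. Request ids and dates are
constructed. Assumes a single extension is permitted, as the text describes.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

INITIAL_RESPONSE_DAYS = 30   # decision due within 30 calendar days of receipt
MAX_EXTENSION_DAYS = 30      # one extension of no more than 30 additional days


def clock_start(ce_received: Optional[date], ba_received: Optional[date],
                directed_to_ba: bool) -> date:
    """Return the date the 30-day clock starts.

    The clock runs from the covered entity's receipt even when a business
    associate holds the PHI or fulfils the request; it runs from the business
    associate's receipt only when the covered entity directed the individual
    (e.g. in its notice of privacy practices) to submit the request to the BA.
    """
    start = ba_received if directed_to_ba else ce_received
    if start is None:
        raise ValueError("no receipt date for the party that starts the clock")
    return start


@dataclass
class AccessRequest:
    request_id: str
    received_on: date                       # output of clock_start()
    extension_days: int = 0
    extension_notice_on: Optional[date] = None
    decided_on: Optional[date] = None

    def initial_deadline(self) -> date:
        return self.received_on + timedelta(days=INITIAL_RESPONSE_DAYS)

    def deadline(self) -> date:
        return self.initial_deadline() + timedelta(days=self.extension_days)

    def extend(self, notice_on: date, extra_days: int) -> date:
        """Record the one permitted extension and return the new deadline.

        Written notice of the delay must be given within the initial 30 days,
        and the extension may not exceed 30 additional days.
        """
        if self.extension_days:
            raise ValueError("only one extension is permitted")
        if notice_on > self.initial_deadline():
            raise ValueError("notice of delay must be given within the initial 30 days")
        if not 0 < extra_days <= MAX_EXTENSION_DAYS:
            raise ValueError(f"extension must be 1..{MAX_EXTENSION_DAYS} days")
        self.extension_days = extra_days
        self.extension_notice_on = notice_on
        return self.deadline()

    def record_decision(self, decided_on: date) -> bool:
        """Record the access decision; True if it met the (possibly extended) deadline."""
        self.decided_on = decided_on
        return decided_on <= self.deadline()

    def status(self, today: date) -> str:
        if self.decided_on is not None:
            return "completed on time" if self.decided_on <= self.deadline() else "completed late"
        if today > self.deadline():
            return "OVERDUE"
        return f"open, {(self.deadline() - today).days} day(s) remaining"


def needing_attention(requests: List[AccessRequest], today: date,
                      warn_days: int = 5) -> List[str]:
    """Ids of open requests that are overdue or due within warn_days."""
    return [r.request_id for r in requests
            if r.decided_on is None and (r.deadline() - today).days <= warn_days]


if __name__ == "__main__":
    # Constructed scenario: CE received the request 2024-01-02, forwarded it to
    # its BA on 2024-01-10; the clock still starts on 2024-01-02.
    start = clock_start(date(2024, 1, 2), date(2024, 1, 10), directed_to_ba=False)
    req = AccessRequest("REQ-0001", start)
    print("initial deadline:", req.initial_deadline())
    print("extended to:", req.extend(date(2024, 1, 25), 30))
    print(req.status(date(2024, 2, 2)))
    print("attention:", needing_attention([req], date(2024, 2, 2)))
```

Dates are computed in calendar days, matching the 30-calendar-day outer limit the guidance describes; the tracker does not stop the clock for time spent negotiating a format or waiting on a business associate, because the text says that time counts against the 30 days.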