The U.S healthcare industry is making a speedy transition to a more patient-centred system, and in this movement patient access to health data is a significant consideration. Electronic health record systems that are efficient and facilitate processes such as medical record review for medical and legal processes are being implemented across the nation’s healthcare systems with a view to coordinate care, improve care and improve provider reimbursement. Data privacy is a primary requirement and it has to be ensured that the records are not accessed by the wrong individual. Numerous foolproof security measures are being implemented to prevent data compromise/loss – however, those measures often make it difficult for patients themselves to access their own health data. This could be a violation of the HIPAA rule.
The HIPAA Privacy Rule mandates that covered entities must provide patients access to medical records upon request. OCR (Office for Civil Rights) guidance issued in February 2016 states that patients have the right to obtain copies of their medical records and have their records forwarded to a person or entity of their choice for a reasonable cost-based fee. The HIPAA holds that patients can access any PHI (protected health information) that comes under a specified record set, or is specifically pertinent to a patient’s health, such as the following.
- Medical records and billing records maintained by or for a covered healthcare provider, insurance information, clinical lab test results, wellness and disease management program files, and clinical case notes.
- Enrolment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan
- Other records that are used (in whole or in part) by or for the covered entity to make decisions about individuals. This may include records used to make decisions about any individuals, irrespective of whether the records have been used to make a decision about the particular individual requesting access.
Further, according to a guidance released in January this year, the HHS further clarified that:
- Providers must respond ASAP to patient requests, and they cannot insist that patients come in person to collect their health information or the use of regular mail.
- If the patient requests for the records to be given in a particular electronic format such as PDF, healthcare providers must do so, if they are able to readily produce a copy in that format.
- The turnaround time for patients to receive their records remains 30 calendar days, but with the modern electronic health systems available, that can be shorter and providers are encouraged to treat the 30-day mark as an “outer limit.”
One of the main challenges patients face are the high fees some medical record custodians demand to release the records. Patients also admit that they have a lack of understanding regarding their rights under HIPAA to access their own records. High fees become a real concern when the patient has severe medical issues and a large number of corresponding medical records. Cases such as patients being asked to pay an annual subscription fee to access their medical records, and being charged a retrieval fee by hospital release-of-information (ROI) vendor for a copy of the medical records in spite of retrieval fees being prohibited under HIPAA have been reported.
The HHS allows providers to set some of their own strictures for requests for medical record access.
- They can require patients to submit a written request for their medical data, it is important though that this requirement is made well-known.
- Providers must verify the identity of an individual requesting patient data though HIPAA does not specify the form of identification required.
Providers must not set up unreasonable barriers such as the following to data access:
- Insist on the patient being physically present at the doctor’s office to request access and provider proof of identity in person (when the patient has requested the medical records to be mailed to her home address)
- Insist on using a web portal for requesting access
- To mail an access request – this could cause unwanted delay in the covered entity’s receipt of the request and consequent delay in medical record access for the applicant.
Providers on their part are concerned about non-compliance with HIPAA when releasing patient medical records.
- With information being scanned into EHRs, there is always the concern of incorrect merging of some records. Providers/vendors have to be fastidious and ensure that only the correct medical records are being released.
- Providers are also concerned about sending PHI using unsecured email or providing it on a patient’s USB stick, which increases the risk of malware infection for the provider’s system.
- Providers are concerned that they will be held accountable for the privacy and security of patient data they no longer have control over.
Allowing patients to access their health data is a great step forward in the healthcare sector; alongside, the issue of healthcare data privacy remains a major consideration. The EHR is undoubtedly a good option, as medical record retrieval companies would agree, but to enjoy all the benefits it offers, patients must be well informed and stay engaged.