Generally, a patient needs to sign a HIPAA authorization form to disclose their protected health information. Unless there’s an exception. Such as addressing Treatment, Payment, or Operations (“TPO”). No written authorization is needed for such exceptions – for example, to disclose limited protected health information to resolve a financial dispute (say, a credit card chargeback disputing whether you did the procedure at issue).
Still, if the patient wants you to send their records to another physician, or their lawyer, or their uncle, then you DO need a signed HIPAA authorization form.
But if the patient requests their own records, you do NOT need such a signed document. Why? You are not disclosing any protected health information. You are merely giving the patient what the patient already owns – “their data.” No actual disclosure took place.
The main thing you need to confirm is that the person requesting the records is actually the patient. And that’s a judgment call. But broadly, you cannot create unreasonable hurdles for a patient to access their own records.
Is it unreasonable to force the patient to show up to your office and present a photo ID? Dunno. Most people would say yes.
How long do you have to provide the patient a copy of their records? HIPAA (the federal law) mandates it be done within 30 days. 1
Some states have more aggressive timelines – California’s is 15 days. Cal. Health & Safety Code § 123110(b). Same with Louisiana – 15 days. La. Rev. Stat. Ann. § 40:1299.96(c). And Texas’s. Tex. Occ. Code Ann. § 159.006(d). And Virginia’s. Va. Code Ann. § 32.1-127.1:03 (E). And Washington’s. Wash. Rev. Code § 70.02.080.
Now, what if the patient wants you to email a copy of their records? Sure, you can do so. But you WILL need a signed authorization to do so since email is not considered a secure method of electronic transmission. If the file is encrypted with a password, then you do not need their signed authorization. But the patient will need to know the password.
Since many patients find email to be convenient, many practices have patients sign a broad authorization on first visit or updated visit, asking for agreement to send records by email (assuming that is the patient’s preference).
Delaying timely access can lead to monetary fines and publication on OCR’s metaphorical Wall of Shame.
Essex Residential Care, LLC, which does business as Hackensack Meridian Health and operates the skilled nursing facility West Caldwell Care Center in New Jersey, was found to have failed to provide a son with timely access to the medical records of his mother when the son was the personal representative of his mother. It took 161 days from the initial request for the records to be provided. OCR investigated and notified West Caldwell Care Center of its intention to impose a financial penalty but West Caldwell Care Center disagreed with OCR’s determination. West Caldwell Care Center accepted the records were not provided in 30 days, but submitted evidence of mitigating factors; however, they were rejected by OCR, which imposed a civil monetary penalty of $100,000.
And another.
Phoenix Healthcare, an Oklahoma multi-facility organization that provides nursing care, was found to have failed to provide a daughter with timely access to her mother’s medical records when the daughter was the personal representative of her mother. The requested records were provided 323 days after the initial request was made. OCR proposed a $250,000 financial penalty; however, the proposed fine was contested and a hearing was requested with an Administrative Law Judge (ALJ). The ALJ upheld OCR’s determination but reduced the financial penalty to $70,000. The fine was appealed but the Departmental Appeals Board did not reduce the fine. OCR then proposed a $35,000 settlement, on the basis that the penalty was not further contested.
And yet one more.
Optum Medical Care of New Jersey is a private multi-specialty physician group with approximately 150 locations in New Jersey and Southern Connecticut. In the Fall of 2021, OCR received complaints from 6 individuals who claimed not to have been provided with a copy of their requested records in a timely manner. OCR investigated and discovered the patients had not been provided with their records within the time frame permitted by the HIPAA Privacy Rule. The patients had to wait between 84 days and 231 days to receive their requested records. OCR determined this was a violation of the HIPAA Right of Access. The Case was settled for $160,000.
Finally, what if you run a laboratory, and it takes more than 30 days to run a specific test? And the patient is demanding a result. How can you comply with HIPAA regulations?
Department of HHS had the following Q/A.
In some cases, the 30-day timeframe from a request to provide an individual with access to her PHI may not be sufficient time for a clinical laboratory to complete the test report that is the subject of the individual’s request. What can a clinical laboratory do in these cases?
In those limited cases where, due to the nature of the test and the timing of the individual’s request, 30 calendar days may not be sufficient to complete a test report to which the individual has requested access, the laboratory may notify the individual in writing within the 30-day period of the need and specific reason for the delay in providing access to the completed test result and the date by which the laboratory will complete its action on the request, in accordance with § 164.524(b)(2)(iii) of the HIPAA Privacy Rule. The Privacy Rule allows only one extension on an access request and the extension may not exceed an additional 30 calendar days. In the rare circumstance where 60 calendar days is not sufficient to provide the individual with access to the completed test report requested by the individual, the covered laboratory may, at the end of the 60 day period, satisfy the access request by providing the individual with access to the PHI that does exist at the time (e.g., test requisitions, the underlying data being used to generate the reports, other completed test reports) in the designated record set.
However, to avoid this situation to the extent possible, in cases where the laboratory knows that a particular test report will take longer than the HIPAA access timeframes, we expect the laboratory to explain this circumstance to the individual. Upon informing individuals of this situation when they request access, the individuals may be willing to withdraw or hold their request until a later time to ensure that they get access to what they want or need. If an individual chooses not to withdraw his or her request for access, the individual will then have a right only to obtain the PHI in the designated record set at the time the request is fulfilled, which may not include the particular test report requested because it is not yet complete.
What’s the take home messages? Simple. If a patient asks for a copy of their records, and you are reasonably sure the patient is the one making the request, give them their records. And don’t delay. If it’s going to take some time, manage their expectations.
What do you think?
1)The entire HIPAA process that was thought to help patients, has done the opposite. Relatives cannot find out about their loved ones, and actual patients cannot get their records.
2)The whole purpose of HIPAA was to provide some degree of privacy for records.
3)The whole business of signing into an office and then having the staff cover up one’s name for fear that someone might infer why a patient was there is ridiculous.
4)The craziness of having to attest under penalty of perjury that your entire office now and forever more will be like the “Get Smart” TV series cone of silence, is absurd. We do not live in completely sound proof rooms. The very fact that a front office desk has glass to see people means it will never be sound proof.
5)Records requested are going to trigger a review in most practices to see if the physician did anything wrong before the records are released. It could result in attorney review, or even outside expert review of records.
Let’s get rid of HIPAA in its entirety. Whatever good it may have been designed to protect, has been wiped out by the unintended consequences of the law. People are even less protected now than they were before.