Patient Asks for Their Records. What Must You Provide? What Can You Withhold?


If a patient asks for their records, according to HIPAA, what records must you provide?

According to HIPAA, you need to send the patient their medical (dental) records within 30 days, in the format they want. Some states, such as California, have an accelerated timeline of 15 days.

OK, so, what are “patient records”? Here comes a long-winded answer. Health and Human Services has guidance:

What personal health information do individuals have a right under HIPAA to access from their health care providers and health plans? 

With limited exceptions, the HIPAA Privacy Rule gives individuals the right to access, upon request, the medical and health information (protected health information or PHI) about them in one or more designated record sets maintained by or for the individuals’ health care providers and health plans (HIPAA covered entities). See 45 CFR 164.524. Designated record sets include medical records, billing records, payment and claims records, health plan enrollment records, case management records, as well as other records used, in whole or in part, by or for a covered entity to make decisions about individuals. See 45 CFR 164.501. Thus, individuals have a right to access a broad array of health information about themselves, whether maintained by a covered entity or by a business associate on the covered entity’s behalf, including medical records, billing and payment records, insurance information, clinical laboratory test reports, X-rays, wellness and disease management program information, and notes (such as clinical case notes or “SOAP” notes (a method of making notes in a patient’s chart) but not including psychotherapy notes as explained below), among other information generated from treating the individual or paying for the individual’s care or otherwise used to make decisions about individuals. In responding to a request for access, a covered entity is not, however, required to create new information, such as explanatory materials or analyses, that does not already exist in the designated record set. Further, while individuals have a right to a broad array of PHI about themselves in a designated record set, a covered entity is only required to provide access to the PHI to which the individual requests access

If the patient asks for their full record, then billing records are included. If the patient just asks for records related to their diagnosis and treatment, then arguably, billing records are not included. You must provide what the patient asks for.  

Next, what about ancillary records, for example, those from a patient disputing their bill?

We communicated with a point person at the Dept. of HHS who stated a separate file can be created regarding any patient dispute and that is NOT included as part of the patient medical record. While a designated record set does include billing information, she said all communications regarding payment disputes, board complaints, etc. can be separated from the legal medical record into a patient dispute file. And a patient dispute file is not sent to the patient.

Now, is there a difference between a request for medical records versus a discovery request for all records? Yes, there is.  

The definition of what records need to be sent is articulated in HIPAA (as above).  

The scope of what is discoverable is virtually anything that is not privileged. So, what is discoverable is broader than just the HIPAA-defined medical record.  

What is privileged? Communications with your attorney (attorney-client privilege), and documents prepared in anticipation of litigation (“work product” privilege), such as an expert report.

And what is discoverable is broader than what is admissible. To be admissible, it must also be “relevant.” 

This can be confusing. In any event, most of the time, when a patient requests their medical records, they are focused on diagnosis and treatment. What the patient requests may be different from what an attorney demands under subpoena, which may be different from what a court will allow as evidence.

What do you think?

3 thoughts on “Patient Asks for Their Records. What Must You Provide? What Can You Withhold?”

  1. For those of us who are non-attorneys, it is pretty clear that most of the records requests that come from patients are concentrated on the medical records. Patients are entitled to that.

    Many years after I retired and left practice, I received a medical records request from a medical practice. However, the medical records no longer existed since after keeping them for an extended period of time, I no longer have them as they had been destroyed. Once I informed the medical practice of the age of the records that they were seeking, they realized that they were no longer relevant anyway.

    An ancillary discussion to the topic of medical record requests is the issue about how long medical records need to be kept. When I closed my practice long ago, I asked the board of medical licensure how long records needed to be retained. I was referred to the state medical society. They referred me to the American Medical Association. The AMA gave me some different answers which were somewhat inscrutable. Medicare with electronic records would like physicians to keep medical records permanently. Even that is not practical because even though electronic medical record storage has become less and less expensive, there is still the issue of the software actually being able to retrieve the records after updates, and after the electronic medical records companies morph, are bought out, and evolve. For practical purposes and based upon the answers at the time, medical records were required to be kept for 6 to 7 years. Some sources indicate that pediatric medical records needed to be kept until the age of majority +2 years. That was more in the malpractice realm. All of these issues made determination of how long to keep medical records a significant problem.

    In addition, for those of us who were in practice back in the day of paper records, storage of those records was a huge problem. It was frightfully expensive to consider electronically scanning in all paper records to store them electronically. It was expensive to rent a storage unit to keep the records in paper bankers boxes. The condition of those paper records, as might well be considered, deteriorated over time. The best solution ultimately proved to be shredding the records professionally. Professional record destruction provides a chain of custody, as well as a certificate of destruction. That is about the best that can be done to safeguard any medical information on the way from storage to destruction.

    From a medical standpoint when I was in practice, I wanted to see patient records going as far back as the hospital could provide them. In the days before EHR adoption, old charts for some patients could be stacked up 2 feet high on a desk.

    Given how often medical billing companies have been bought out and sold to other entities, and how billing software upgrades eventually make obsolete earlier software, eventually it becomes impossible to retrieve even billing information.

    I suspect that if you asked 10 different attorneys about the duration of preservation of medical records you would get 10 different opinions.

  2. It is interesting that state Physician “Health” Programs, who are indeed HIPAA and also CFR 42 Part 2 covered entities, keep records of intimate details about participants including presumed psychiatric diagnoses, social, mental and substance use histories. They then deny such records to participants claiming that they are “confidential business records” and not medical records, and that they are protected from discovery “for the protection of the participant.” In some states, this has even been codified into state laws and regs, even though in contravention of federal law.

    PHP’s “preferred” Evaluation and Treatment Centers likewise resist disclosure of medical records kept on PHP referees, who often pay $4-6K for forced multisystem evaluations, and up to $180K for inpatient rehabilitation.

  3. Thank you for continuing to send your Medical Justice articles. Let me tell you about the results of a request for medical records that may bring smiles to your faces.

    About 20 years ago our office received a request for medical records. The patient was a man about 60 years old well known in our community. He had received general medical care from us for at least 25 years and had been killed in an accident. His wife and the insurance company responsible for compensation for the accident were negotiating over a settlement based on the deceased’s estimated lifespan and general state of health.

    The patient’s chart, loose leaf single hand-written and typed pages in a binder, was disassembled for copying. However, one page dated about 10 years before his death included medical information about a bacterial sexually transmitted disease which we had diagnosed and successfully treated.

    For an unknown reason, this single page went missing from the chart on its way to the copying room. Copies of the otherwise complete medical record were supplied to the wife and the insurer and the case was successfully settled. I do not know if this old medical chart has been destroyed or is archived somewhere.


Jeffrey Segal, MD, JD
Chief Executive Officer & Founder

Jeffrey Segal, MD, JD is a board-certified neurosurgeon and lawyer. In the process of conceiving, funding, developing, and growing Medical Justice, Dr. Segal has established himself as one of the country's leading authorities on medical malpractice issues, counterclaims, and internet-based assaults on reputation.
