If a patient asks for their records, according to HIPAA, what records must you provide?
According to HIPAA you need to send the patient their medical (dental) records. And within 30 days in the format they want. Some states, such as California, have an accelerated timeline of 15 days.
OK, so, what are “patient records?” Here comes a long-winded answer. Health and Human Services has guidance.
What personal health information do individuals have a right under HIPAA to access from their health care providers and health plans?
With limited exceptions, the HIPAA Privacy Rule gives individuals the right to access, upon request, the medical and health information (protected health information or PHI) about them in one or more designated record sets maintained by or for the individuals’ health care providers and health plans (HIPAA covered entities). See 45 CFR 164.524. Designated record sets include medical records, billing records, payment and claims records, health plan enrollment records, case management records, as well as other records used, in whole or in part, by or for a covered entity to make decisions about individuals. See 45 CFR 164.501. Thus, individuals have a right to access a broad array of health information about themselves, whether maintained by a covered entity or by a business associate on the covered entity’s behalf, including medical records, billing and payment records, insurance information, clinical laboratory test reports, X-rays, wellness and disease management program information, and notes (such as clinical case notes or “SOAP” notes (a method of making notes in a patient’s chart) but not including psychotherapy notes as explained below), among other information generated from treating the individual or paying for the individual’s care or otherwise used to make decisions about individuals. In responding to a request for access, a covered entity is not, however, required to create new information, such as explanatory materials or analyses, that does not already exist in the designated record set. Further, while individuals have a right to a broad array of PHI about themselves in a designated record set, a covered entity is only required to provide access to the PHI to which the individual requests access.
If the patient asks for their full record, then billing records are included. If the patient just asks for records related to their diagnosis and treatment, then arguably, billing records are not included. You must provide what the patient asks for.
Next, what about ancillary records, for example a patient disputing their bill, etc.
We communicated with a point-person at Dept of HHS who stated a separate file can be created regarding any patient dispute and that is NOT included as part of the patient medical record. While a designated record set does include billing information, she said all communications regarding payment disputes, board complaints, etc. can be separated from the legal medical record into a patient dispute file. And a patient dispute file is not sent to the patient.
Now, is there a difference between a request for medical records versus a discovery request for all records? Yes, there is.
The definition of what records need to be sent is articulated in HIPAA (as above).
The scope of what is discoverable is virtually anything that is not privileged. So, what is discoverable is broader than just the HIPAA-defined medical record.
What is privileged? Communications with your attorney (attorney-client privilege). Documents prepared in anticipation of litigation, “work product” privilege, such as an expert report.
And what is discoverable is broader than what is admissible. To be admissible, it must also be “relevant.”
This can be confusing. In any event, most of the time, when a patient requests their medical records, they are focused on diagnosis and treatment. What the patient requests, may be different than what an attorney demands under subpoena, which may be different than what a court will allow as evidence.
What do you think?
