When Patricia Flatley Brennan, RN, wanted to see the doctor’s report from her colonoscopy, she had to call her physician’s office 5 times to request the information. Her doctor kept explaining the results to her, but Brennan wanted the information in hand.

Eventually, she found out her physician didn’t know how to get the report to her because it was held by the pathologist, whose responsibility it was to release it.  

Since the inception of HIPAA, physicians have been required to disclose patient information to 2 places – the patient and the Department of Health and Human Services.

Continue Reading

“If a patient requests it, doctors need to provide records, and they don’t have to ask why,” said Jane Hyatt Thorpe, JD, an associate professor of health policy and management at the Milken Institute School of Public Health at the George Washington University.

Increasing numbers of people are keeping online personal health records and they are more engaged in their own healthcare. Additionally, they are more aware they can access their records upon request. Though the law has been around for a while, some patients, like Brennan, still have difficulty getting their records. Here’s what physicians need to know about making this a smoother process.

Policies and procedures

Part of the reason Flatley Brennan had such a challenge getting her records was that her physician didn’t know the protocol for releasing them. Flatley Brennan, from the Wisconsin Institute for Discovery at the University of Wisconsin’s School of Nursing, said each clinician should know the process for his or her institution if a request is received. It is not, however, a physician’s responsibility to get the records.

“There is no reason why an individual patient should have to have explicit approval from a physician to see their record,” she said. “It makes it difficult for patients to get access to the information and there is no legal reason for it.”

A good habit to get into is to mark records as acceptable for release in some way so a physician doesn’t even have to be involved in the process, Flatley Brennan said. The process works best when it is assigned to a logistics person and is not the responsibility of the physician to track.

Each office should have a written set of procedures in place for providing patients’ health records. The first step is an authorization to be completed by the patient that has specific criteria set out by HIPAA. This includes who the record will go to, the purpose, and what type of information the patient is seeking. If there is sensitive information involved, states often have an additional authorization, said Angela Rose, director of health information management practice excellence at the American Health Information Management Association.

Once the authorization form is signed by the requestor, the identity of the person should be verified. Legal papers should be provided if the request is from an executor of a will or a divorced parent of a child to prove they have access to the records.

Physician offices typically have 30 days to get the record to the patient. Offices can charge “reasonable” fees according to HIPAA regulations for providing records. The law allows offices to include the cost of copying and postage for records, if mailed. If a summary of the record is requested, the office can charge a fee for preparation of the summary. Fees for searching and retrieval of the records cannot be included. 

It is also important to remember that physicians only need to provide necessary information. Patients often ask for their entire record, not knowing that they may only need a certain date of service. One way to avoid this is to provide a list of what is in the records so a patient can check off just the information they need.


The move from paper to electronic medical records (EMRs) can pose a bit of a challenge for patient access. Flatley Brennan recommends working with an office’s IT person to create solutions. When an office transitions to EMRs, paper versions are sometimes moved offsite for storage. A protocol should be set up for timely retrieval and shipping of records that are stored elsewhere.

Alterations in HIPAA in 2009 were focused on information held in electronic form. The regulations require offices provide records in a .pdf, Word or Excel file electronically to the patients if they request it in that form and if the provider maintains the records in that form. If an office has paper records, the files don’t have to be transferred into electronic format.

If a patient wants a copy sent to him or her via email, physicians have to explain that is an unsecured path of transmission and it is the patient’s responsibility to keep the record safe.