Gary Pritts, president of Eagle Consulting Partners Inc., of Cleveland, Ohio, teaches healthcare providers how to comply with HIPAA. When his wife’s physician denied her request for her records, he knew what to do. He threatened to file a HIPAA complaint. She received her records shortly thereafter.

Jim Hook, senior consultant at The Fox Group LLC, of Upland, California, receives emails on his contact page at least once a month from healthcare providers who are reluctant to hand over patient records. For example, a patient moved and wanted a copy of her records sent to the doctor in her new town, and the provider wanted to know his legal obligations to the patient.

“I want to smack myself in the head and tell them the most basic thing they can do is make a copy and send the records to them,” Hook said. “Some days I just despair why this is so hard. It is a puzzlement, and I think OCR [The US Department of Health and Human Services’ Office for Civil Rights] has decided to get their attention.”



Enforcement Actions

In a press release, Roger Severino, OCR’s director, said the agency is attempting to empower patients and ensure providers take their HIPAA obligations seriously. Toward that end, OCR in 2019 announced its Right to Access enforcement initiative. The agency recently revealed settlements with these 5 organizations:

  • Housing Works Inc., which provides services to people in New York City with HIV/AIDS. A complaint was filed in 2019 stating the organization denied a patient access to records. OCR investigated and found their records denial was a potential HIPAA violation and instituted a fine of $38,000.
  • All Inclusive Medical Services, Inc., a family medicine clinic in Carmichael, California, which was fined $15,000 for a 2018 HIPAA violation. It denied a patient’s request to view and receive a copy of her records.
  • Beth Israel Lahey Health Behavioral Services, which provides mental health services in eastern Massachusetts. In 2019, OCR received a complaint that a personal representative of a patient wanted her father’s medical records. OCR found the organization to be out of compliance and issued a $70,000 fine.
  • King MD, a Virginia-based mental health provider, which was fined $3,500. A patient filed a complaint alleging the organization refused to provide her with medical records she requested. OCR offered the organization “technical assistance,” but a few months later received another complaint that the provider still had not given the patient her records.
  • Wise Psychiatry PC, of Colorado, whose circumstances were similar to those of King MD. A patient complained in 2018 that the provider would not provide him with the medical records for his son, a minor. OCR offered technical assistance, and 6 months later another complaint was filed. Wise was fined $10,000.

The law aside, Hook said supplying medical records on request is good conduct. Some providers may be reluctant to share records because they do not want patients to leave or to have their work used by other doctors.

Releasing Information

Staff members need to know that practices are legally required to provide patients with their records and that organizations can be fined for not doing so. There are some important points to remember. Providers have 30 days to respond to a request and most practices should be able to get records out well before that deadline, Hook said. If a patient asks for information provided electronically, it must be given that way if possible. Staff should just remember to explain that if the information will be sent over unsecured email, once the document leaves the provider’s care, it is not their responsibility if it is intercepted or lost.

Patients do not have to fill out a records release form when they are asking for their own information. Most practices require this, but it is an unnecessary burden for patients, Pritts said.

Medical organizations should have a process in place for handling records requests. That process should be part of their HIPAA procedures. Hook said it should not be difficult for most offices to create a single-page document outlining the process for releasing information.

Record requests can be directed to the organization’s privacy officer, the person who would verify the identity of patients or their representatives who are requesting the health information.

“It really shouldn’t be too hard in most offices to say, ‘Here’s how we release information after we get a request,’” Hook said.

Organizations can charge fees for providing records, but these fees must be reasonable and comply with HIPAA guidelines.

Hold Off Saying ‘No’

Most importantly, Hook recommends using a take-a-breath approach when patients request their medical records. Patients should never be told “no” right away. If there is an issue, patients should be asked to fill out a records release request. This gives practices time to consult their procedures and determine the best way to proceed.

“I get calls from patients who say a practice told them it was against HIPAA regulations to send records in the mail,” Hook said. “That sounds like something someone made up instead of taking the time to ask. They [staff] don’t want to do it, or they have an imperfect understanding of the HIPAA laws, and they definitely don’t understand the potential consequences of their actions.”