In a study conducted by Ciitizen Corp (www.ciitizen.com), a consumer health technology company that helps patients collect and share medical records, researchers reached out directly to health care providers requesting records for patients and surveyed more than 3000 institutions to find out if they complied with HIPAA’s right to access provision. The study found that most failed, which was not a surprise to Allen Killworth, a partner at Bricker & Eckler LLP, based in Columbus, Ohio.
“I believe this is an issue where there’s more than the usual lack of compliance,” Killworth said. “It’s not quite as easy as you think it is. Even with this straightforward rule, there are a lot of regulatory and legal exceptions and processes they [providers] have to follow to make sure they are doing it correctly.”
The Department of Health and Human Services (HHS) found this out during its audits, after which it released 36 pages of guidance meant to clarify the patient right-of-access rule. Issues tended to center on the format in which records can be sent, fees, and the kind of authorization needed.
Because of these findings, the Office for Civil Rights (OCR), which enforces HIPAA regulations, created a Right of Access Initiative earlier this year. In early September, OCR had its first settlement stemming from these efforts. Bayfront Health St. Petersburg had to pay an $85,000 fine after it took more than 9 months to send records to a patient who requested them. The records were sent only after OCR received a complaint from the woman and opened an investigation into the matter.
Although providers do need to protect patient information, they must remember that the information belongs to the patient. “We continuously remind [doctors], ‘It may be your chart, but it is patients’ information,’” said Karen Beard, senior associate with Medical Management Associates, Inc., in Vinings, Georgia. “It is what they have chosen to give you to get care from you, and it is their information.”
Helping patients get access
Ciitizen realized there was “widespread noncompliance” with HIPAA’s right of access when the organization began working to help cancer patients obtain records for second opinions, clinical trials, and donating data for research. They undertook this study to determine the extent of the issue.
During the spring and summer of 2019, Ciitizen submitted written medical record requests to 51 health care providers. To cover HIPAA requirements, the patients signed the forms and included an image of their driver’s license as proof of identity. They submitted the documents by email or fax, indicated the records were for continuity of care, and listed whether the patient was releasing sensitive health information (like HIV status). Patients requested the information be sent to Ciitizen by email and acknowledged and accepted security risks of email transmission. They also requested an estimate of fees associated with the request.
Ciitizen analyzed providers’ responses according to major HIPAA regulations, examining whether the providers accepted the request by email or fax, sent records in the patients’ requested format, responded to patients’ requests in a timely manner, and charged reasonable fees.
The study found that 18% of the organizations allowed patients to use their own request form, provided records in 5 days, and did not charge fees. Another 12% honored the request without escalation to a supervisor. All the others either involved at least 1 call to a supervisor to get the records or would not provide them. According to the survey, 56% of providers were out of compliance with HIPAA.
Not sending records electronically was among the major issues. Beard said there are not many reasons providers cannot provide records by email. She said she believes the main issue is physician concern about sending documents to unsecured email addresses. There is no problem, she said, as long as patients understand that providers control only their end of the transmission. “The provider can document that and then send it to them.”
Fees were another major issue, and Killworth understands the confusion here. In essence, HIPAA allows providers to charge only cost-based fees, including labor to copy or find the records and associated supplies. HIPAA allows organizations to calculate the actual fee, establish a fee schedule based on the size of the records requested, or charge a flat rate of $6.50 for digital copies of electronic medical records (which cannot include per-page fees).
Beard said health care groups need to be prepared to outline their fees if they do not use a flat rate. They cannot charge for pulling from off-site storage, but they can charge for copying paper records. They can also include costs of a disc drive or fees for sending a record via the mail.
The issue of fees is further complicated by state laws governing medical record production. However, providers should know that if state laws result in higher fees, HIPAA supersedes them. “That is consistent with all of HIPAA’s rules,” Killworth said. “If HIPAA provides the most security, it trumps the state.”
Killworth noted that when a records request is initiated by a patient, and not a third party, an authorization form is not required.
HIPAA requires providers to send the requested information to a patient within 30 days. If records are off site or will take more time for another reason, the provider must let the patient know within 30 days what the issue is and then get the information to them within another 30 days.
In addition, Beard noted that providers cannot withhold records from patients who have a balance on their account. “They have to be careful about putting undue barriers on people asking to get their information,” she said.
Beard encourages practices to fully train whoever is dealing with records requests to be able to authenticate identity (one good test is the last 4 digits of the patient’s Social Security Number and date of birth). Then, staff should glance through the information to make sure nothing requires additional authorization. If a patient is unhappy with how a request is handled, staff should document the process in case of a later inquiry.