Authentication , Electronic Healthcare Records , HIPAA/HITECH

Tips on Giving Patients Access to Their Records

HHS Points to Ways to Improve Compliance With HIPAA Requirements
Tips on Giving Patients Access to Their Records

Under the HIPAA Privacy Rule, patients and their authorized representatives have the right to access electronic or paper health records. But that's still often easier said than done, and federal regulators want that to change.

See Also: True Business Costs & Risks in Underfunding Healthcare Cybersecurity

Leaders in the Department of Health and Human Services are again trying to drive home the message to healthcare providers that patients have the right to access their health records - including the right to request their data to be sent via unsecure means, such as via unencrypted email. To help, they've issued a new training module and a research report.

Top 5 Complaint

Complaints from patients about the lack of access to their records have remained consistently among the top five issues in HIPAA cases that are investigated and closed with corrective action by HHS' Office for Civil Rights.

"Patient access remains a tricky issue," says privacy attorney Kirk Nahra of the law firm Wiley Rein. "The policy is straightforward - give the patient his or her information. However, executing that is often harder. Providers often aren't sure what to do or how to do it."

Misunderstood Regulation?

Don Rucker, M.D., leader of the Office of the National Coordinator for Health IT, told reporters at a Tuesday media briefing that ONC and OCR are collaborating on work that includes trying to dispel the "HIPAA misconceptions" healthcare providers still have, especially as it relates to "patients' electronic right to access their records." (See ONC Leader: Privacy, Security Remain Top Priorities).

This isn't the first time HHS' agencies have worked together with the aim of helping to improve awareness of patients' right to access their records. Last June, ONC and OCR issued guidance, an engagement playbook and a few videos on the subject (see Patient Access to Records: The Requirements and Risks).

Training Module

OCR's latest training module notes that "an individual has the right to receive protected health information in the form and format requested if readily producible." And that depends on the entity's capabilities, "not its willingness." That means if an entity maintains information electronically, at least one type of digital format must be accessible by the individual, OCR points out.

The individual also has the right to specify the mode of transmission or transfer, including unsecure email, as long as the individual is warned about the security risks, OCR adds.

Patients can also ask for other modes of transmission if the request is within the capabilities of an entity "and the mode would not present unacceptable security risks to PHI on the entity's systems," the training module notes.

In addition, individuals also have the right to request a healthcare provider to transmit their health information to a third party, which could include a competing healthcare provider, family member or friend, research institution or mobile health application.

Physician Worries

This involves potential privacy risks, Nahra notes. "While it may be the case that OCR won't pursue sanctions against a provider that sends records in an unsecured way, that doesn't mean that the patient can't take action if there is a problem," he says.

"Physicians often are worried about the potential security breach, even if they are being overly cautious. It is the same reason why physicians don't like to email with patients, even if it is convenient for the patient," he says. "Patient portals - which are still being developed more broadly - are an important and useful option that may help solve this problem. The records are easily available in a secured way."

Patient Challenges

ONC's new report, "Improving the Health Records Request Process for Patients," outlines the combination of struggles that 17 consumers who participated in the research study had in accessing their own or their children's health records.

The problems included no or slow response from healthcare providers; conflicting information from office staff about the way to get records; and the lack of accessibility of complete or relevant requested records.

Nahra notes that among the issues that healthcare providers sometimes face in fulfilling patient requests is authenticating the person requesting the information. "There are, of course, concerns about confirming the identity of the individual," he says. "But that is typically not an enormous problem - although there certainly are situations where it is an issue."

Tips for Providing Access

The ONC report notes: "Healthcare practices have the opportunity now to improve their records request processes and reduce the burden on consumers."

Among the report's tips for improving their ability to provide patient access to records is creating "a streamlined, transparent, and electronic records request process" that may include:

  • Allowing patients to easily request and receive their records from their patient portal;
  • Setting up an electronic records request system outside of the patient portal;
  • Creating a user-friendly, plain language online request process;
  • Using e-verification to quickly confirm the record requestor's identity;
  • Including a status bar or progress tracker so consumers can see where they are in the request process - for example, indicate when the request is received, when their records are being retrieved, and when they're ready for delivery;
  • Making sure consumers know that they can request their record be provided in different formats - such as PDF or CD - and delivered in the way they choose, such as by email or sent to a third party;
  • Providing user-friendly, plain language instructions for patients and caregivers on how to request health records, what to expect and who to contact with questions;
  • Encouraging patients to use patient portals by promoting features such as online appointment scheduling, secure messaging and prescription refills.

Nonetheless, the report concedes: "Many of the actions identified won't solve larger-scale access and portability issues, but they have the potential to make the records request process less stressful for patients and health systems in the short-term."


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network