Tips on Giving Patients Access to Their RecordsHHS Points to Ways to Improve Compliance With HIPAA Requirements
Under the HIPAA Privacy Rule, patients and their authorized representatives have the right to access electronic or paper health records. But that's still often easier said than done, and federal regulators want that to change.
Leaders in the Department of Health and Human Services are again trying to drive home the message to healthcare providers that patients have the right to access their health records - including the right to request their data to be sent via unsecure means, such as via unencrypted email. To help, they've issued a new training module and a research report.
Top 5 Complaint
Complaints from patients about the lack of access to their records have remained consistently among the top five issues in HIPAA cases that are investigated and closed with corrective action by HHS' Office for Civil Rights.
"Patient access remains a tricky issue," says privacy attorney Kirk Nahra of the law firm Wiley Rein. "The policy is straightforward - give the patient his or her information. However, executing that is often harder. Providers often aren't sure what to do or how to do it."
Don Rucker, M.D., leader of the Office of the National Coordinator for Health IT, told reporters at a Tuesday media briefing that ONC and OCR are collaborating on work that includes trying to dispel the "HIPAA misconceptions" healthcare providers still have, especially as it relates to "patients' electronic right to access their records." (See ONC Leader: Privacy, Security Remain Top Priorities).
This isn't the first time HHS' agencies have worked together with the aim of helping to improve awareness of patients' right to access their records. Last June, ONC and OCR issued guidance, an engagement playbook and a few videos on the subject (see Patient Access to Records: The Requirements and Risks).
OCR's latest training module notes that "an individual has the right to receive protected health information in the form and format requested if readily producible." And that depends on the entity's capabilities, "not its willingness." That means if an entity maintains information electronically, at least one type of digital format must be accessible by the individual, OCR points out.
The individual also has the right to specify the mode of transmission or transfer, including unsecure email, as long as the individual is warned about the security risks, OCR adds.
Patients can also ask for other modes of transmission if the request is within the capabilities of an entity "and the mode would not present unacceptable security risks to PHI on the entity's systems," the training module notes.
In addition, individuals also have the right to request a healthcare provider to transmit their health information to a third party, which could include a competing healthcare provider, family member or friend, research institution or mobile health application.
This involves potential privacy risks, Nahra notes. "While it may be the case that OCR won't pursue sanctions against a provider that sends records in an unsecured way, that doesn't mean that the patient can't take action if there is a problem," he says.
"Physicians often are worried about the potential security breach, even if they are being overly cautious. It is the same reason why physicians don't like to email with patients, even if it is convenient for the patient," he says. "Patient portals - which are still being developed more broadly - are an important and useful option that may help solve this problem. The records are easily available in a secured way."
ONC's new report, "Improving the Health Records Request Process for Patients," outlines the combination of struggles that 17 consumers who participated in the research study had in accessing their own or their children's health records.
The problems included no or slow response from healthcare providers; conflicting information from office staff about the way to get records; and the lack of accessibility of complete or relevant requested records.
Nahra notes that among the issues that healthcare providers sometimes face in fulfilling patient requests is authenticating the person requesting the information. "There are, of course, concerns about confirming the identity of the individual," he says. "But that is typically not an enormous problem - although there certainly are situations where it is an issue."
Tips for Providing Access
The ONC report notes: "Healthcare practices have the opportunity now to improve their records request processes and reduce the burden on consumers."
Among the report's tips for improving their ability to provide patient access to records is creating "a streamlined, transparent, and electronic records request process" that may include:
- Allowing patients to easily request and receive their records from their patient portal;
- Setting up an electronic records request system outside of the patient portal;
- Creating a user-friendly, plain language online request process;
- Using e-verification to quickly confirm the record requestor's identity;
- Including a status bar or progress tracker so consumers can see where they are in the request process - for example, indicate when the request is received, when their records are being retrieved, and when they're ready for delivery;
- Making sure consumers know that they can request their record be provided in different formats - such as PDF or CD - and delivered in the way they choose, such as by email or sent to a third party;
- Providing user-friendly, plain language instructions for patients and caregivers on how to request health records, what to expect and who to contact with questions;
- Encouraging patients to use patient portals by promoting features such as online appointment scheduling, secure messaging and prescription refills.
Nonetheless, the report concedes: "Many of the actions identified won't solve larger-scale access and portability issues, but they have the potential to make the records request process less stressful for patients and health systems in the short-term."