A patient has a legal right to access his or her health record under HIPAA and state law. An oral, handwritten, faxed or emailed request from the patient or patient representative should be honored.

Time Allowed to Complete Request

The California timeline is shorter than the HIPAA timeline, so all practices must comply with the state timeline:
- Inspection: Within 5 working days of receiving request. A staff member shall be with the patient while the records are viewed, and the patient is allowed to be accompanied by only one other individual while viewing the records.
- Copy, paper and electronic: Within 15 calendar days of receiving request.
- Summary: Within 10 working days of receiving written request. If records are voluminous and the office notifies the requestor that more time is needed, then the summary must be provided within 30 days of receiving request.
Prohibitions

A practice may not require as a condition of providing access:
- Payment of an outstanding bill.
- The physical presence of the patient.
- That the patient uses a web portal.
- Any action that may cause an unreasonable delay in providing access.
HIPAA Compliance

HIPAA-covered entities must retain each access request for 6 years. It can be kept in the patient record or with other patients’ requests for access. HIPAA-covered entities also are required to maintain a log of record access requests and responses to those requests.
Questions and Answers
What does “right to access record” mean? It means a health care provider must:
- Allow a patient to inspect his or her record.
- Provide a copy or summary of the record if requested by the patient.
- Transmit a copy of the record to a person or entity of the patient’s choosing. Requests for this type of access must be written.
Can a practice deny a patient access to his or her record? A HIPAA-covered entity may deny an individual access in limited circumstances. If a request for access is denied, the practice must notify the requestor in writing. The individual has the right in some circumstances to have the denial reviewed by another health care provider for another opinion. Certain protected information related to mental and reproductive health and drug and alcohol treatment requires specific authorization from the patient. Examples of grounds for denying access:
- The covered entity believes access may cause harm to the individual or another person.
- The information is not part of the designated record set.
- The request is for psychotherapy notes.
- The requestor is an inmate; an inmate may view his or her information but is not permitted a copy.
- The requested information is part of a research study still in progress.
Must the access request be in writing? California law requires that health care providers comply with written requests for access, but it does not expressly require that requests be written. A HIPAA-covered entity may require that a request be written and that its own form be used. The requirement to use a written access request must be noted in the covered entity’s Notice of Privacy Practices. A covered entity may offer electronic options for making the request (for example, a web portal or email), but it cannot require the use of those options. Any requirement to use a covered entity’s form may not create a barrier or unreasonably delay a patient from obtaining access.

What is considered to be the patient’s record? HIPAA gives a patient the right to review or obtain a copy of his or her information maintained in a covered entity’s “designated record set.” The designated record set is the group of records maintained by or for a covered entity that is used, in whole or in part, to make decisions about an individual, or that constitutes the entity’s billing and payment records for that individual. The designated record set may include information generated by other health care providers that is maintained by the covered entity. The record also includes images if they have been used to make decisions about an individual’s treatment.

What may I charge? The Department of Health and Human Services (HHS) clarified its regulations in a guidance issued March 2016. The guidance made clear that the fee for access may include only the cost of:
A covered entity may either calculate actual labor costs to fulfill a request or develop a fee schedule based on average labor costs to fulfill a request. The fee may not include costs associated with verification of the request, documentation, searching for and retrieving the record, maintaining systems, recouping capital for data access, storage or infrastructure, or anything not included in the above paragraph. A per-page fee may not be charged for records maintained electronically. If a practice collects fees, it should prepare a document listing the fees and provide it to the patient with the Patient Request to Access Records form. A covered entity may charge a flat fee for standard requests for electronic copies of electronic records, provided the fee does not exceed $6.50, inclusive of all labor, supplies and postage. The fee for providing a summary must be agreed to by the patient in advance. If a patient requires a copy of a portion of his or her record to support an appeal regarding eligibility for a public benefit program, such as Medi-Cal, the copy shall be provided by the practice at no charge. The patient is entitled to no more than one copy free of charge, but may not be limited in the number of requests for copies. Practices that are not HIPAA-covered entities must follow the state’s rules and may charge no more than:
- 25 cents per page for copying paper documents.
- 50 cents per page from microfilm.
- Actual cost for duplicating X-rays, photos, models, impressions, etc.
- Actual postage cost.
- A fee for reasonable clerical costs incurred in locating and making the records available for inspection.
What are acceptable methods of verifying the access request is from a patient or patient’s representative? All practices must take reasonable steps to verify identity of the person making the request for access. There is no one required method of verification. A patient may not be required to be present to make an access request. Methods of verifying identity include:
- Checking identification of individual making the request in person.
- Emailed request was sent from the same address as the one collected from the patient at first appointment.
- Signature and information on a written request matches that in the record.
- Legal documents.
What is a personal representative? A personal representative is a person who, under the authority of state law, can make health care decisions for an individual or is a deceased individual’s legal representative. A personal representative also has the right to access a patient’s record. Examples of personal representatives are:
- Parent or legal guardian of a minor patient.
- Social worker acting within the scope of his or her job with regard to a minor or dependent patient.
- Deceased patient’s beneficiary or executor of the estate.
What do I tell the patient who thinks his/her records (or imaging records) belong to him/her? The information and images in a patient record are the work product of the practice. HIPAA and state law allow a patient to have access to the information in the record and require a patient’s authorization before a health care provider uses or discloses the information for purposes other than treatment, payment for treatment and the provider’s business operations. The law does not recognize patient ownership of the information.

May a minor patient have access to his or her record? A minor has no right to access his or her record unless he or she (1) is emancipated or (2) has a parent or guardian’s authorization. A parent has no right to access the records of an emancipated minor. An emancipated minor is an individual under 18 years old who (a) is married or divorced, (b) is on active duty with the U.S. armed forces or (c) has received a declaration of emancipation from the court.

The patient is requesting an electronic copy, but I keep paper records. Am I required to provide an electronic copy? If the practice is a HIPAA-covered entity, the answer is yes. In its March 2016 guidance, HHS clarified several issues related to the form and format of copies. Generally speaking, a covered entity must comply with a patient’s request for a specific form and format unless it is not readily producible. Examples of form and format are:
- Paper
- Film
- Electronic/PDF
- Electronic/JPG
- Electronic/DICOM or .dcm
If the form and format requested by the patient is not readily producible by the covered entity, both parties should agree on an acceptable format. A practice that is not a HIPAA-covered entity is not required to provide electronic copies.

We always use a secure method to send patient information electronically. A patient is requesting we send his information to him via unencrypted email. What do we need to do to comply with the patient’s request? Before the practice can send the information via unencrypted email, it must (1) advise the patient of the risks of unsecure electronic transmission of information and (2) obtain the patient’s consent to the unsecure electronic transmission. Language to do so is included on the sample form.

I want to transmit a patient’s information to a specialist via unencrypted email. Do I need to get the patient’s authorization to do so? HIPAA allows a covered entity to share patient information with another covered entity without the patient’s authorization if the purpose of sharing the information is the patient’s treatment. HIPAA requires that this information sharing be done securely, so a patient’s authorization to share the information via unsecure methods is insufficient to waive the covered entity’s obligation. The patient would instead need to make a request to access records and direct you to send the information to the specialist via unencrypted email. This table, copied from the HHS guidance, describes the differences between a HIPAA authorization and a patient’s right of access.

The patient is requesting an electronic copy be sent to her new healthcare provider via unencrypted email. May I do that? If the practice is a HIPAA-covered entity, the answer is yes. HHS, in the March 2016 guidance, states that the patient’s right to receive information via unsecured electronic communication extends to sending it to a third party at the patient’s request. HHS further states:
“… if the individual requested that the covered entity transmit the PHI in an unsecure manner (e.g., unencrypted), and, after being warned of the security risks to the PHI associated with the unsecure transmission, maintained her preference to have the PHI sent in that manner, the covered entity is not responsible for a disclosure of PHI while in transmission to the designated third party, including any breach notification obligations that would otherwise be required. Further, a covered entity is not liable for what happens to the PHI once the designated third party receives the information as directed by the individual in the access request.”
The patient requests that I mail the copy to an individual. May I ask the patient to pick up the copy instead? No, you may not. Such a request may be viewed as a barrier to the patient’s right to access the record.

A new patient has requested a copy of his records from his former healthcare provider, but the provider is refusing to provide them. What can the patient do? Suggest that the patient submit a written request for records to the other practice or, if it is not a California practice, point to the HHS March 2016 guideline (see the Resources section below for the web links). If the other practice does not comply with the request, the patient can file a written complaint with the Medical Board and with the Department of Health and Human Services.

Who else may have a patient’s information, and under what circumstances? Requests from others for patient information, for purposes not permitted without patient authorization by HIPAA or the California Confidentiality of Medical Information Act (CMIA) (California Civil Code section 56 et seq.), must be submitted on a valid authorization form that meets CMIA and HIPAA requirements. Situations for which a practice may want to use the “Consent Form for Use and Disclosure” are:
- To obtain an adult child’s consent to share information as often as needed over a period of time with the parents who are the payers (refer to the table comparing authorization and right of access).
- To market products or services to a patient.
- To participate in research.
Resources

- Individuals’ Right Under HIPAA to Access Their Health Information, 45 CFR § 164.524, U.S. Department of Health and Human Services, March 2016: hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html
- Patient Access to Records, California Health & Safety Code section 123100 et seq.: leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=HSC&division=106.&title=&part=1.&chapter=1.&article=
- California Confidentiality of Medical Information Act, California Civil Code section 56 et seq.: leginfo.legislature.ca.gov/faces/codes_displayexpandedbranch.xhtml?tocCode=CIV&division=1.&title=&part=2.6.&chapter=&article=
SAMPLE FORM
Request for Access to Patient Health Records
[Practice Letterhead]
Instructions to the patient: Please complete and provide to the above practice. Applicable fees may be collected in advance. You may request a copy of this completed form. For questions or to make a complaint, ask to speak with the practice’s privacy officer.

Print Patient’s Full Name: ______________________________________________

Requested by:
[ ] Patient
[ ] Parent/legal guardian
[ ] Personal representative of the patient
Photo ID and other proof of representation may be required.

If requestor is not the patient, print full name, address and telephone number of the requestor:
________________________________________________________________

I request: (check one only; complete another form for each additional request)
[ ] Inspection of requested patient record.
[ ] A copy of requested patient record: [ ] for myself [ ] to be sent to another — name & address:
[ ] An electronic copy of requested patient record: [ ] for myself [ ] to be sent to another — name & address:
________________________________________________________________
Electronic format requested: (We can discuss an acceptable electronic format if the requested electronic format is not available at our practice.)
[ ] Please send requested record to me via unencrypted email. I recognize that email is not a secure form of communication. There is some risk that any individually identifiable health information and other sensitive or confidential information that may be contained in such email may be misdirected, disclosed to or intercepted by, unauthorized third parties.
Email address:
[ ] A written summary of requested patient record. I agree to pay in advance a fee in the amount of $ ________.
Describe the requested records, including the approximate dates of the records:
__________________________________________________________________
__________________________________________________________________

Any and all information may be released including, but not limited to, mental health records protected by the Lanterman-Petris-Short Act, drug and/or alcohol abuse records and/or HIV test results, if any, except as the patient has specifically provided below:
_________________________________________________________________
_________________________________________________________________

I hereby authorize this practice to release information contained in the health record of (patient name) as described on this form.

Signature: ________________________________________

OFFICE USE ONLY
Date request received _______________ Received by ________________________
Type of identification and documentation reviewed to verify requestor’s status as parent, legal guardian or personal representative* of the patient:
* Guardian or conservator of the patient, or beneficiary or representative of a deceased patient
[ ] Date access was provided _____________________
[ ] Request denied. Date notice mailed ___________________