A long time ago (in internet years), the original HIPAA regulations were promulgated. (The final Privacy Rule was published in 2000.) They’ve been tweaked and updated over the years, most notably in the “mega-reg” promulgated a few years back in order to implement the updates included in the HITECH Act. For purposes of the present discussion, I am interested in the patient right to medical record information included in HIPAA, rather than privacy and security protections for patient data. The core elements of the HIPAA rule relevant to patient access to medical records have not changed since the rule was originally promulgated. That original rule did not expand all that much on the access to records rules in some of the more enlightened states in the Union, though it has pulled up some of the laggards. The HITECH “mega-rule” made only a minor change to this rule with respect to records stored off-site.
In essence, the rule requires that if a patient requests a medical record, the “covered entity” (health care provider or health plan) must provide the record, in the format requested (if it is reasonably possible to do so, or in another format acceptable to the patient if it is not), within 30 days. (Meaningful Use regulations governing health care providers with certified electronic health records require much quicker responses for a certain percentage of patients, so in a perfect world a request could be acted on within 48 hours.) Federal and state rules differ with respect how much a patient may be charged for a copy, and state rules control in this instance, sometimes leading to significant fees charged for paper copies. Given the current environment, a “per-page” charge does not make much sense, particularly if a requested record is transmitted electronically to a repository of the patient’s choosing. (In fact, the official commentary on the draft Meaningful Use Stage 3 regs noted that when records are available via APIs — the notion of the federales designing standards for certification of APIs is a topic for another day — perhaps no copying fees should be permitted since there is effectively no cost to sharing an individual record.)
The U.S. Dept. of Health and Human Services, Office for Civil Rights (OCR) enforces the HIPAA regulations and recently issued a new fact sheet and series of FAQs entitled Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524. This is the first in a promised series of issuances. It’s dense reading, but it lays out individuals’ rights clearly. (OCR has a global collection of HIPAA FAQs which is a good resource as well.)
So far, so good – right?
Well, while the new issuance may be helpful, and while it is easier than ever to file a complaint with OCR about health data privacy or security violations, the substance of the publication has been posted before, with annual cover letters by current and former OCR directors (patients get to get copies of their records; it’s the law), yet many readers of this post are likely shaking their heads, thinking about a close encounter with the medical-industrial complex where a simple record request was not responded to adequately.
It is disturbing that fifteen years after the promulgation of the HIPAA Privacy Rule many health care organizations are less than fully compliant, and that the federales seem not to have done much to move the dial on compliance. Pro Publica recently ran a series of stories on the issue of lax HIPAA enforcement (related to data breaches), accompanied by HIPAA Helper, which is an enhanced version of the Wall of Shame (the public government database of HIPAA breaches). We have heard from a number of OCR directors over the years that important steps are being taken to improve compliance, to ensure that individuals are able to avail themselves of their HIPAA-guaranteed right of access to their medical records. Unfortunately, while we all want to believe the current crop of promises, the proof is in the pudding: so let’s reserve judgment for a bit and see how the current team at OCR manages to improve compliance with record requests overall.
And OCR — Director Jocelyn Samuels and Deputy Director for Health Information Privacy Deven McGraw — we e-patients stand ready to help in whatever way we can … let us know what we can do to help you help us get our records whenever we need them.
David Harlow is a health care lawyer and consultant at The Harlow Group LLC, serves as general counsel to Flow Health, and chairs the Society for Participatory Medicine’s public policy committee. Check out his home blog, HealthBlawg. You should follow him on Twitter: @healthblawg.