One of the misunderstood aspects of HIPAA is how to handle patients' requests for their records. In fact, this is a major enforcement area: the Department of Health and Human Services Office for Civil Rights has focused the majority of its fines on practices that didn’t handle these requests properly.
Let’s go over just what the law says about these requests.
The Privacy Rule specifies the patient’s right to access their own PHI, known as the Right of Access. This allows the patient to gain access to their records when requested. The records should also be released to the patient in the form they request, which can be paper or electronic. However, if the requested form is not possible, you may work with the patient to find a more agreeable format.
45 CFR 164.524(c)(2)(i)
These requests must be fulfilled within 30 calendar days of the request by the patient.
From the HHS website:
“The 30 calendar days is an outer limit and covered entities are encouraged to respond as soon as possible.”
Ideally, you would want to supply the records as soon as you could after receiving the request.
A Covered Entity may charge a fee for the records. However, there are very specific guidelines for this.
From the HHS website:
The fee may include only the cost of:
(1) labor for copying the PHI requested by the individual, whether in paper or electronic form;
(2) supplies for creating the paper copy or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media;
(3) postage, when the individual requests that the copy, or the summary or explanation, be mailed; and
(4) preparation of an explanation or summary of the PHI, if agreed to by the individual.
The fee may not include costs associated with verification; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; or other costs not listed above even if such costs are authorized by State law.
Key Points:
You have 30 days to comply with a request.
You should supply the data in the format the patient requests.
You cannot force them to use a portal as not everyone has access to a portal.
You can require the patient to prove their identity as required by Covered Entities. But you may not place unreasonable hurdles in the way of them getting their records, such as forcing them to come to your office or sign a release authorization.