HIPAA requires more than security of protected health information. Patients have a right to review and obtain a copy of protected physical health information contained in a designated record set, which simply means a group of records maintained by the covered entity. Medical and billing records of a medical provider comprise the designated record set. Enrollment, payment and claims files typically comprise the designated record set of an insurer or benefit plan. Psychotherapy notes, information compiled for court or administrative proceedings, and clinical laboratory information subject to the Clinical Laboratory Improvements Amendments of 1988 are exempt from the HIPAA patient access rules. Other exceptions apply to correctional institutions, research records with the consent of the individual, and information obtained from sources other than a health care provider. 45 C.F.R. section 164.524.
The Health Information Technology for Economic and Clinical Health Act (HITECH) gives patients the right to obtain a copy of the information in an electronic format requested by the patient if the format is regularly producible. If the patient is warned about potential security risks, electronic records may be transmitted via unencrypted email. The covered entity must respond to a request for electronic records within 30 days of receipt of the request. The covered entity may request one extension for an additional 30 days. The patient may sign a written directive to transmit the electronic records to another clearly identified entity or individual, e.g. another medical provider, an attorney or agent.
Covered entities may charge a flat fee capped at $6.50 or charge the actual allowable costs for complying with a request for electronic protected health information. Actual costs include documented costs of labor, supplies (e.g. a USB drive or CD) and postage. A covered entity may not charge a retrieval fee for electronic records.
Within 30 days of the request for records, the covered entity must inform the patient of acceptance or denial of the request. Denials must specify the reasons for decision, explain the rights to review the denial, and describe the procedures to complain about the denial of the request. A determination that access to records is likely to harm anyone is subject to review by a designated licensed health care professional. The covered entity must notify the patient in writing of the reviewing professional’s decision.
Patients should review their medical records to ascertain the accuracy of the record. Ask the covered entity, whether provider or insurer, to amend the record to correct errors. A response to the request for an amendment is due within 60 days, unless an additional 30 day extension is required for an explicit reason disclosed to the patient in writing. Denials of a request to amend the record must be in writing. The patient then has a right to submit a written disagreement, which must be added to the medical record.
Access to medical records helps patients and their agents to make well-informed decisions about medical care. The HITECH Act removes financial obstacles to access to electronic records.