Patient Access: Seven Lessons About Patient Release of Information Requests

With more and more health information being stored and transmitted electronically, the demand for easier access to protected health information (PHI) has grown dramatically of late. At the same time, the need to protect that PHI from compromise and breach has also increased.

A recent MRO white paper explored the latest regulatory initiatives from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), including the HIPAA Audit Program and Guidance on Patient Access, and offered tips for healthcare organizations to stay compliant.

This article provides additional detail regarding the OCR’s Guidance on Patient Access, released in early 2016 to educate patients about their rights and to guide healthcare organizations on providing patients with timely access to PHI.

Here are seven things to remember about patient requests:

1)  Patient requests do not need to contain all the core elements and required statements necessary for authorizations under HIPAA.

Covered entities (CEs) can require that patient requests be made in writing and that patients use their own supplied forms; however, under HIPAA and the OCR FAQs, all a patient needs to provide in their request for access is enough information to verify the patient’s identity, what PHI is being requested, and where that PHI should be sent. Additionally, patients do not need to provide a purpose for their request. While asking a patient for a reason is not prohibited, denying access based on their answer is.

Access policies cannot create barriers or unreasonably delay patients from accessing their PHI.

CEs cannot require patients or their personal representatives to come on-site to the facility to request access to PHI in person, nor can they require patients to submit their requests via a Web portal or through the mail. 

2)  Patients’ personal representatives have the same access rights as patients.

Patients’ personal representatives have all the same rights to accessing PHI as the patients themselves, provided that the personal representative can supply information regarding their authority to act on behalf of the patient. Examples of personal representatives include healthcare powers of attorney and the parents/guardians of minors. Healthcare providers should make sure policies do not hinder personal representative access.

3)  Patients and their personal representatives may designate a third party to receive copies of PHI on their behalf. 

If a patient or personal representative wishes to send copies of requested PHI to a third party, providers must oblige, granted the request is in writing, signed by the patient or personal representative, and clearly identifies the designated recipient and where to send the PHI.

4)  Healthcare organizations need to provide access to designated record sets to patients who request access. 

HIPAA entitles patients to access their “designated record sets,” which consist of a broad array of health information, including medical and billing records, insurance information, clinical laboratory test results, medical imaging, wellness and disease management program files, and clinical case notes.

5)  Providers need to provide copies of PHI in patients’ preferred formats.

Patients are entitled to copies of their PHI in the form and format they request. However, providers are not required to purchase new software or equipment in order to accommodate every possible individual request; rather, healthcare providers must have the capability to distribute some form of electronic PHI (ePHI). Therefore, if the requested format is not feasible, PHI must be provided in a readable format agreed upon by both the provider and the patient. 

Additionally, healthcare providers are not required to take on an unreasonable level of risk to accommodate patient requests for copies of PHI in unsecure formats. If a patient asks for copies of his or her PHI in a format that poses an unacceptable level of risk to the provider’s information technology infrastructure – such as uploading PHI to the patient’s personal USB thumb drive – the healthcare provider is not required to oblige. Instead, the provider must deliver the PHI in another readable electronic format that is agreeable to the patient. Only if the patient does not agree to accept copies of the PHI in the electronic format proposed by the healthcare provider can copies be provided on paper.

However, the OCR has stated that the transmission of PHI via unencrypted email does not pose an unacceptable risk. Thus, if a patient requests access to PHI via unencrypted email, healthcare providers must comply, granted that the provider has warned the patient of the risks associated with unsecure transmission and the patient has accepted those risks.

6)  Access to PHI must be provided within 30 days or less.

Providers must grant patients and personal representative access to PHI without unreasonable delay, usually within 30 days of receipt of request. If a long turnaround is unavoidable, the provider must notify the patient of the delay, explain why the delay has occurred, and provide an expected date of arrival for the patient’s PHI. 

7)  Ensure that accounting of disclosure database is up to date for easy extraction of key data.

Part of the patient’s right of access under HIPAA is to obtain a copy of an accounting of disclosures (AOD) for their PHI. Therefore, healthcare providers should ensure that they maintain accurate AODs for all release of information (ROI) requests. AODs should include the name and address for the person or entity requesting the patient’s PHI, the date of request, what PHI was requested, what PHI was disclosed, and the date of disclosure. Additionally, it is recommended that facilities include information regarding turnaround times and delivery methods in their AODs.

Keeping these matters in mind will ensure that healthcare providers remain HIPAA-compliant, and in line with the OCR’s Guidance on Patient Access.

MRO White Paper

Increasing Enforcement of Protected Health Information Breaches and Patient Access Requires Healthcare Organizations to Scrutinize Process and Risk

Print Friendly, PDF & Email

Michael Rosen, Esq.

Michael Rosen brings more than 20 years of experience in founding and leading service-oriented businesses. He co-founded Background America, Inc., which was acquired by Kroll Inc. He was promoted to president of the Background Screening Division, which employed 1,000 people in seven countries. He is now the co-founder of ProviderTrust, Inc. a national healthcare compliance service that helps facilities stay in compliance. He has received numerous accolades, including the Inc. Magazine 500 Award, Nashville Chamber of Commerce Small Business of the Year award, and the Music City Future 50 Award.

Related Stories

Remain Compliant – and Take the Money

Remain Compliant – and Take the Money

Our first topic today is local coverage determinations (LCDs) and variation. I have written in the past about national and local coverage determinations, and I

Read More

Leave a Reply

Please log in to your account to comment on this article.

Featured Webcasts

Leveraging the CERT: A New Coding and Billing Risk Assessment Plan

Leveraging the CERT: A New Coding and Billing Risk Assessment Plan

Frank Cohen shows you how to leverage the Comprehensive Error Rate Testing Program (CERT) to create your own internal coding and billing risk assessment plan, including granular identification of risk areas and prioritizing audit tasks and functions resulting in decreased claim submission errors, reduced risk of audit-related damages, and a smoother, more efficient reimbursement process from Medicare.

April 9, 2024
2024 Observation Services Billing: How to Get It Right

2024 Observation Services Billing: How to Get It Right

Dr. Ronald Hirsch presents an essential “A to Z” review of Observation, including proper use for Medicare, Medicare Advantage, and commercial payers. He addresses the correct use of Observation in medical patients and surgical patients, and how to deal with the billing of unnecessary Observation services, professional fee billing, and more.

March 21, 2024
Top-10 Compliance Risk Areas for Hospitals & Physicians in 2024: Get Ahead of Federal Audit Targets

Top-10 Compliance Risk Areas for Hospitals & Physicians in 2024: Get Ahead of Federal Audit Targets

Explore the top-10 federal audit targets for 2024 in our webcast, “Top-10 Compliance Risk Areas for Hospitals & Physicians in 2024: Get Ahead of Federal Audit Targets,” featuring Certified Compliance Officer Michael G. Calahan, PA, MBA. Gain insights and best practices to proactively address risks, enhance compliance, and ensure financial well-being for your healthcare facility or practice. Join us for a comprehensive guide to successfully navigating the federal audit landscape.

February 22, 2024
Mastering Healthcare Refunds: Navigating Compliance with Confidence

Mastering Healthcare Refunds: Navigating Compliance with Confidence

Join healthcare attorney David Glaser, as he debunks refund myths, clarifies compliance essentials, and empowers healthcare professionals to safeguard facility finances. Uncover the secrets behind when to refund and why it matters. Don’t miss this crucial insight into strategic refund management.

February 29, 2024
2024 SDoH Update: Navigating Coding and Screening Assessment

2024 SDoH Update: Navigating Coding and Screening Assessment

Dive deep into the world of Social Determinants of Health (SDoH) coding with our comprehensive webcast. Explore the latest OPPS codes for 2024, understand SDoH assessments, and discover effective strategies for integrating coding seamlessly into healthcare practices. Gain invaluable insights and practical knowledge to navigate the complexities of SDoH coding confidently. Join us to unlock the potential of coding in promoting holistic patient care.

May 22, 2024
2024 ICD-10-CM/PCS Coding Clinic Update Webcast Series

2024 ICD-10-CM/PCS Coding Clinic Update Webcast Series

HIM coding expert, Kay Piper, RHIA, CDIP, CCS, reviews the guidance and updates coders and CDIs on important information in each of the AHA’s 2024 ICD-10-CM/PCS Quarterly Coding Clinics in easy-to-access on-demand webcasts, available shortly after each official publication.

April 15, 2024

Trending News

Happy National Doctor’s Day! Learn how to get a complimentary webcast on ‘Decoding Social Admissions’ as a token of our heartfelt appreciation! Click here to learn more →

Happy World Health Day! Our exclusive webcast, ‘2024 SDoH Update: Navigating Coding and Screening Assessment,’  is just $99 for a limited time! Use code WorldHealth24 at checkout.

SPRING INTO SAVINGS! Get 21% OFF during our exclusive two-day sale starting 3/21/2024. Use SPRING24 at checkout to claim this offer. Click here to learn more →