Patient Access: Seven Lessons About Patient Release of Information Requests

With more and more health information being stored and transmitted electronically, the demand for easier access to protected health information (PHI) has grown dramatically of late. At the same time, the need to protect that PHI from compromise and breach has also increased.

A recent MRO white paper explored the latest regulatory initiatives from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), including the HIPAA Audit Program and Guidance on Patient Access, and offered tips for healthcare organizations to stay compliant.

This article provides additional detail regarding the OCR’s Guidance on Patient Access, released in early 2016 to educate patients about their rights and to guide healthcare organizations on providing patients with timely access to PHI.

Here are seven things to remember about patient requests:

1)  Patient requests do not need to contain all the core elements and required statements necessary for authorizations under HIPAA.

Covered entities (CEs) can require that patient requests be made in writing and that patients use their own supplied forms; however, under HIPAA and the OCR FAQs, all a patient needs to provide in their request for access is enough information to verify the patient’s identity, what PHI is being requested, and where that PHI should be sent. Additionally, patients do not need to provide a purpose for their request. While asking a patient for a reason is not prohibited, denying access based on their answer is.

Access policies cannot create barriers or unreasonably delay patients from accessing their PHI.

CEs cannot require patients or their personal representatives to come on-site to the facility to request access to PHI in person, nor can they require patients to submit their requests via a Web portal or through the mail. 

2)  Patients’ personal representatives have the same access rights as patients.

Patients’ personal representatives have all the same rights to accessing PHI as the patients themselves, provided that the personal representative can supply information regarding their authority to act on behalf of the patient. Examples of personal representatives include healthcare powers of attorney and the parents/guardians of minors. Healthcare providers should make sure policies do not hinder personal representative access.

3)  Patients and their personal representatives may designate a third party to receive copies of PHI on their behalf. 

If a patient or personal representative wishes to send copies of requested PHI to a third party, providers must oblige, granted the request is in writing, signed by the patient or personal representative, and clearly identifies the designated recipient and where to send the PHI.

4)  Healthcare organizations need to provide access to designated record sets to patients who request access. 

HIPAA entitles patients to access their “designated record sets,” which consist of a broad array of health information, including medical and billing records, insurance information, clinical laboratory test results, medical imaging, wellness and disease management program files, and clinical case notes.

5)  Providers need to provide copies of PHI in patients’ preferred formats.

Patients are entitled to copies of their PHI in the form and format they request. However, providers are not required to purchase new software or equipment in order to accommodate every possible individual request; rather, healthcare providers must have the capability to distribute some form of electronic PHI (ePHI). Therefore, if the requested format is not feasible, PHI must be provided in a readable format agreed upon by both the provider and the patient. 

Additionally, healthcare providers are not required to take on an unreasonable level of risk to accommodate patient requests for copies of PHI in unsecure formats. If a patient asks for copies of his or her PHI in a format that poses an unacceptable level of risk to the provider’s information technology infrastructure – such as uploading PHI to the patient’s personal USB thumb drive – the healthcare provider is not required to oblige. Instead, the provider must deliver the PHI in another readable electronic format that is agreeable to the patient. Only if the patient does not agree to accept copies of the PHI in the electronic format proposed by the healthcare provider can copies be provided on paper.

However, the OCR has stated that the transmission of PHI via unencrypted email does not pose an unacceptable risk. Thus, if a patient requests access to PHI via unencrypted email, healthcare providers must comply, granted that the provider has warned the patient of the risks associated with unsecure transmission and the patient has accepted those risks.

6)  Access to PHI must be provided within 30 days or less.

Providers must grant patients and personal representative access to PHI without unreasonable delay, usually within 30 days of receipt of request. If a long turnaround is unavoidable, the provider must notify the patient of the delay, explain why the delay has occurred, and provide an expected date of arrival for the patient’s PHI. 

7)  Ensure that accounting of disclosure database is up to date for easy extraction of key data.

Part of the patient’s right of access under HIPAA is to obtain a copy of an accounting of disclosures (AOD) for their PHI. Therefore, healthcare providers should ensure that they maintain accurate AODs for all release of information (ROI) requests. AODs should include the name and address for the person or entity requesting the patient’s PHI, the date of request, what PHI was requested, what PHI was disclosed, and the date of disclosure. Additionally, it is recommended that facilities include information regarding turnaround times and delivery methods in their AODs.

Keeping these matters in mind will ensure that healthcare providers remain HIPAA-compliant, and in line with the OCR’s Guidance on Patient Access.

MRO White Paper

Increasing Enforcement of Protected Health Information Breaches and Patient Access Requires Healthcare Organizations to Scrutinize Process and Risk