EXECUTIVE SUMMARY

Research continues to show that patients are denied access to medical records because of HIPAA-related restrictions and processes. Sometimes, the problem is overzealous compliance efforts; other times, it is a mundane operational issue.

• Some hospitals charge too much for records.

• HHS has clarified that patients must be granted access to their records.

• HIPAA compliance is subject to the same operational limitations as other hospital functions.


Despite warnings from the Department of Health and Human Services’ Office for Civil Rights (OCR) that patients must be provided access to their medical records without undue restrictions or burdens, healthcare providers still are charging excessive amounts and making it difficult to obtain copies.

New research indicates a substantial number of hospitals are not compliant with HIPAA guidance on patient requests for records. (The study is available to view online at: https://bit.ly/2RoS0sp.)

Healthcare providers are not meeting OCR’s expectations for patient access to protected health information (PHI), says Harlan M. Krumholz, MD, SM, professor in the Institution for Social and Policy Studies at Yale University.

“Patients in the real world encounter substantial obstacles and, often, costs in their efforts to access their medical records,” he says. “A lot of hospital policies are out of alignment with federal regulations. There is a lot of vulnerability at these institutions that are out of alignment because they are basically violating people’s rights.”

HIPAA Requires Access

The HIPAA Privacy Rule states that patients can obtain copies of their medical records from their healthcare providers, and those copies must be provided no later than 30 days from when the request is made. In 2016, OCR clarified that right to access and recommended a flat fee of no more than $6.50 for providing electronically maintained medical records to a patient. The recent Yale study determined that 48 of 83 hospitals charged patients more than that, with one hospital charging a patient $541.50 for a 200-page medical record. Researchers conducted a cross-sectional analysis of medical records request processes between Aug. 1 and Dec. 7, 2017, in 83 top-ranked U.S. hospitals with independent medical records request processes and medical records departments reachable by phone. Previous research had indicated delays and high costs, but this was a larger study of prominent hospitals with robust HIPAA compliance programs.

Forty-three percent of hospitals did not state on request forms how much patients would be charged for copies of the records. Only 35% provided that information on the release form or the download webpage. Eight percent did not comply with the maximum processing time of 30 days.

OCR Penalized Hospitals

OCR has addressed these problems in the past. In 2011, it issued a $4.3 million civil monetary penalty to a hospital system in Prince George’s County, MD, for refusing on 41 occasions to provide patients with a copy of their own medical records.

Some of the fault lies with overzealous compliance efforts, Krumholz says, which can happen when the organization emphasizes the consequences of improperly releasing PHI without also educating staff on patients’ rights to access their own data.

“It seems a lot of institutions are anchored in a predigital era and are unfamiliar with HIPAA rules regarding people’s ability to access their own data. When someone says, ‘Sorry, I can’t email your own records because that would violate HIPAA,’ that’s wrong. Sometimes, the patient knows that’s wrong and says so,” Krumholz says. “But they just tell you no. They’ve been so trained to comply with HIPAA that they’re protecting people from their own records. That’s just backward.”

Krumholz recalls an incident in which a physician needed to access his own lab result for a life insurance application and used the hospital’s electronic medical record to look up his own lab result.

“The institution slapped his hand for violating HIPAA,” Krumholz says. “That’s crazy. Just because he used the medical record instead of going through the patient portal, they said he violated HIPAA and put him on probation.”

Better Education Needed

Policies and processes on HIPAA regarding patient access to records can be inconsistent even within the same institution, Krumholz notes.

“The institution might have a form for requesting records and then when you call the number on that form they tell you something entirely different,” he says. “Some places also say they charge the same for digital copies as they do for paper, but of course the law says you should have a different pay structure for digital.”

Krumholz recommends better education for staff on patients’ rights regarding access to their records, along with a review of the processes in place that could be thwarting that access. He notes that the Health Information Technology for Economic and Clinical Health Act, which spurred implementation of electronic medical records in 2009, positively asserts people’s rights to their health data.

“This is important to understand not just in terms of avoiding overcompliance, but in terms of simply complying with equally important parts of the law,” Krumholz says. “The law states that you have to keep people’s data safe from people who aren’t supposed to see it, but it also says you must make it available to people who want to see their own data. That second part is not any less important than the first, and institutions have to start seeing that in an affirmative way.”

Better education of staff on this issue may not be as easy as simply explaining what the law says, notes Alisa L. Chestler, JD, shareholder with the Baker Donelson law firm in Nashville, TN. HIPAA compliance sometimes involves judgment calls that can be taught as black and white matters, she says. A simple request from a patient for his or her own medical record may be straightforward, but staff encounter more nuanced situations, too, Chestler says. For instance, requests for data to be used in research can be more complex.

“It’s very hard to teach the staff on the frontline of these issues the smell test, how to make those calls in which a HIPAA issue is not so clear,” she says. “We’ve all had employees who understand these issues better than others. When you’re training your employees, you’re going to the lowest common denominator. I have a lot of sympathy for the hospitals and understand why they say no sometimes.”

The hospitals’ failure to provide medical records in a timely manner, and at a reasonable cost, also may not be strictly the fault of their HIPAA compliance programs, Chestler says. Requests may be held up because of concerns over what is in the medical record, particularly if there might be litigation, she says. Those concerns do not necessarily justify a delay or trump HIPAA, Chestler notes, but they may explain how some of the problems patients encounter are not the result of overzealous HIPAA compliance.

May Be a Resource Issue

Chestler also notes that some of the problems cited in the Yale study do not appear to be related to HIPAA compliance policies.

For example, the study authors said they placed a maximum of five calls to each hospital’s medical records department. An attempt counted as unreachable if the call was not answered, went to voicemail, or reached an automated system that offered no option to speak with a representative. After leaving a voicemail, the researchers allowed seven days for a return phone call; if the hospital did not call back in that time, it was classified as unreachable.

“That’s not a HIPAA issue. That’s a resource issue,” Chestler says. “People might have that experience and blame HIPAA, or the way the hospital restricts data access under HIPAA. The reality might be that this is just about the hospital having the resources to answer phones and respond to requests.”

In that regard, HIPAA compliance may be no different from many other areas of healthcare, Chestler offers. Perfect compliance and customer service are admirable goals, but the realities of staffing, funding, and resources often get in the way, she says.

A good tactic may be to see HIPAA as more of an operations issue than a compliance issue, Chestler says. She notes how CMS recently pushed for healthcare organizations to get away from reliance on fax machines, especially requiring patients to fax document requests and receive documents by fax. During the Office of the National Coordinator for Health Information Technology’s Interoperability Forum in Washington, DC, in August, CMS Administrator Seema Verma said that “one of my main missions is to break down barriers to interoperability.” Health information technology remains far behind all other major industries, she added. Physicians still record their notes on paper. Often, patients are told that their data cannot be shared with another provider, or provided to them digitally, because of the fear the patient data will be intercepted by a third party, Verma said.

“We can keep data secure while making it available to patients,” she offered.

Chestler says telling patients they have to send a records request by fax is “one step above telling them to hammer it out on a rock” and interferes with efforts to properly comply with HIPAA.

“The compliance team and the operations team need to have a better mechanism for communicating,” she says. “People are just used to doing things the way they’ve always done it. The frontline staff are afraid to do it any differently for fear of getting in trouble. Nobody is pausing to ask if this is the most efficient way we can handle this issue.”

One of the problems cited in the Yale study was hospitals telling patients that their records could be faxed only to a physician and not the patient. Chestler wonders why that happens in 2018 when other means of delivery are used so commonly. Still, even when that problem occurs, it is not really an issue of HIPAA compliance, Chestler notes.

“Any time someone has trouble getting their records, it is easy to assume it is a HIPAA issue,” Chestler says. “HIPAA may be involved somewhere, but the real problem might be that the people in charge of HIPAA compliance created policies that made sense to them without following through with whether there are processes and resources in place in the organization to carry out those policies in an effective way. It’s not enough to make HIPAA policies if you don’t have a system that can do what you’re requiring.”

Chestler recommends reviewing HIPAA compliance with an eye toward improving the processes that underlie it. Keep in mind that the old way of handling records requests and other HIPAA matters may not be the best, she says.

“This is such a prime area for efficiencies that could save the organization money in the long run as well as improving how you comply with HIPAA and satisfy these requests,” she says. “It’s about being smart and going beyond the policies you put on paper.”