Today we are talking about a growing trend in HIPAA enforcement by the Department of Health and Human Services (HHS) and, by extension, its Office for Civil Rights (OCR), the office that enforces HIPAA and its regulations.
HHS has recently announced its 19th enforcement action on patients' right of access. For the past year or so, it has put a big emphasis on patients' right to access their PHI, that is, their designated record set. Therefore, you should be aware of some of the basic rules. For some of you this will be a refresher; if you're currently unaware of these rules, pay close attention and update your policies and procedures accordingly. Written policies and procedures for the HIPAA privacy and security rules are a requirement under HIPAA, no matter the size of your entity, so if you don't have them yet, reach out to us. We have a template at FunctionalLawyer.com, so get your procedures in place as soon as possible.
The subject we are covering today is the patient's right to access their records. As you should know, your patient doesn't have an absolute right to every record; psychotherapy notes are one example. Another example is any notes or records you've prepared because you reasonably anticipate a lawsuit or another claim against you, and you're preparing for litigation or for other adjudications that may happen at the state level, such as in front of the medical board. You don't have to show the patient those notes; they are not included in the information the patient has a right to access.
Now let's go over what patients have a right to view and obtain, and what that includes. We'll also cover how you need to respond, in what time frame, and in what form and manner. First, know that when a patient requests their medical records, whether they want them sent to themselves or to a third party, you have up to 30 days to respond. HHS and the rules state that 30 days is the upper limit. Ideally, you'll respond as soon as you reasonably can, and HHS even says that if you have an EMR or EHR, you should respond as soon as possible, almost immediately. That being said, you have up to 30 days to respond. If you know it's going to take you longer than 30 days, reach out to the patient and simply tell them, "Hey, we're storing those records at an off-site storage facility. It's going to take two weeks to get out there, and then we've got to sift through the boxes, which can take a long time for older records." Once you reach out and let them know, another 30 days is added to your time, so you have up to 60 days before you have to give them a substantive response. Again, though, ideally you will respond as soon as possible, within two weeks or sooner. Doing it right away also means you don't forget about it and suddenly find it's day 31. This is a very easy mistake to make, so train any staff you have that every request for access must be completed promptly and responded to as quickly as possible. Remember, your patients don't have an absolute right to all records, and you can deny a request if it falls under one of the examples listed previously; you must respond to such a denial in writing.
Generally, you're going to give your patient their PHI, which under the rules is basically their designated record set. They have a right to request it in electronic form and/or hard copy. Electronic form can take many different formats: PDF, CD/CD-ROM, jump drive, USB flash drive, or another portable storage device. Be aware that patients may request a variety of formats. Many will request a PDF, an MS Word or other word processor document, or something you can often add to the patient portal. If you are able to comply with the requested format, you should do so. If you can't, reach out to the patient and say something along the lines of, "We don't have access to that," or "I don't even know where to buy writable CDs these days," or "My computer can't write CDs because it doesn't have a CD drive." Then ask, "Would you mind having a PDF?" or "Would you mind logging into the portal to download everything there?" It's okay to have some back and forth as long as the patient agrees. If you keep paper charts, the patient can still request their PHI in electronic format, and if a scanner is readily accessible to you, you are obligated to scan the records and send them.
How you send it to them is another question. You will want to send it via an encrypted method, but patients often request unencrypted methods. HHS says explicitly that patients have a right to request their PHI through unencrypted means, including US mail and electronic mail. If that's the case, particularly with email, let the patient know, "Hey, even though I pay for the HIPAA-compliant version of Gmail, or for third-party encryption software to encrypt my email, and maybe you do as well, you should know that in transit there's a security risk that the records could be read or stored by a third party." If they say, "Yeah, that's fine," then you can email the records to them, and that is acceptable for HIPAA purposes as long as the patient consents.
Of course, there's a lot more to it than that, but be aware that a fine for this can run anywhere from $5,000 to $25,000 on average for smaller companies. So if someone requests their records, respond promptly and say, "Yes, we can honor your request; we'll get it to you by next week," or, "No, we can't honor that request because it includes psychotherapy notes." If for whatever reason you can't comply as asked, respond with something like, "We have them off site, and it'll be 21 days," or, "We don't have an EMR, so I can't give them to you on CD-ROM. I can scan them and send them to you as a PDF if that is acceptable."
Just know that HHS is putting a great deal of emphasis on patients' right to access their records, and while responding is easy to do, it's also very easy to fail to respond and make that mistake. Then, if the patient is not understanding, or if they're seeing another doctor and need those records within a reasonable time before that next appointment, you could be in trouble if you don't get the records over. The patient may have taken a day off work and paid that doctor's fees only to show up without their records, so they could get upset and file a complaint with OCR. Pay attention to your patients' requests for access to their PHI and respond promptly. If you can give the records to them in the format they request, do so.
You can charge some reasonable fees, although there are many exclusions to what you can charge. If you're going to charge fees, let the patient know in advance. You can say, "Hey, if you want to use a USB drive, we have them, and it'll cost you $2 plus the hourly rate for our staff to put your record on the USB drive and to actually do the copying or scanning." You're not allowed to charge for the time it takes staff to search for and locate the records, or to review them to make sure they don't include privileged content such as psychotherapy notes. Let the patient know there's some fine print there. If they've requested a CD-ROM or writable CD and you'd like them to pay for it, you'll need to tell them in advance.
In conclusion, HHS is really focusing on patients' rights to their records. You'll need to respond promptly to a patient's request for access to their records. If you can give the records in the format and form they request, you should do so. To the extent possible, get their consent for fees in advance, and if they request their records via unencrypted means, such as email, also get their consent to send them that way. Know that HHS also explicitly states that email and postal mail are readily producible forms for covered entities. Those are two things you are allowed to do, but specifically for email, let your patient know it's unencrypted. Pay attention to that, and avoid a lot of headaches and corrective action plans from OCR and HHS. Most importantly, avoid hefty fines for your practice so that you can stay open and serve the people in your community.
If you have any further questions or concerns regarding HIPAA, HHS, patient access, or anything else, reach out to me at Functional Lawyer. Keep following us on all platforms for more guidance and to make sure you're protected.