The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

AHIMA Publishes New Resource Confirming Patients’ PHI Access Rights under HIPAA

Posted By on Mar 2, 2017

The Health Insurance Portability and Accountability Act (HIPAA) permits patients to obtain a copy of their medical records in electronic or paper form. Last year, the Department of Health and Human Services released a series of videos and documentation to explain patients’ right to access their health data.

Yesterday, the American Health Information Management Association (AHIMA) also published guidance – in the form of a slideshow – further explaining patients’ access rights, what to expect when requests are made to healthcare providers, possible fees, and the timescale for obtaining copies of PHI.

AHIMA explains that copies will not be provided immediately. Under HIPAA Rules, healthcare providers have up to 30 days to provide copies of medical records, although many will issue designated record sets well within that timeframe. However, in some cases, provided there is a justifiable reason for doing so, a healthcare provider may request a 30-day extension. In such cases, it may take up to 60 days for patients to obtain copies of their health data.

AHIMA has explained to whom healthcare providers are allowed to disclose the information: Patients or a nominated personal representative. In the case of the latter, guidance has been issued on who that person may be.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

There are various models that can be adopted by healthcare providers for charging patients for copies of PHI. While the actual cost for providing copies of medical records may not be provided at the time the request is made, healthcare providers must advise patients of the approximate cost at the time the request is made. AHIMA points out that if electronic health data is being provided via a patient portal, a charge will not apply.

Since HIPAA serves to protect patient privacy, healthcare providers are required to verify the identity of the person making the request or a personal representative if one is used. A healthcare provider will therefore require a photographic ID to be produced prior to any records being released. A waiver will also need to be signed verifying identity.

AHIMA explains that obtaining copies of medical records is important. Access to health data improves patient engagement and empowers them to make more informed choices about their healthcare.

While providers should be able to obtain health data from other providers, that process is not always straightforward due to data incompatibility issues. It is therefore important that patients have complete copies of their medical records so they can provide complete sets to new providers. Doing so improves the coordination of care.

Patients should also check their health records for any errors and omissions – known allergies for instance. If an error or omission is discovered, a request to change the records should be submitted to the appropriate healthcare provider.

Penalties for Failing to Provide Patients with Copies of Their Medical Records

Healthcare providers should be aware that failure to provide patients with copies of their medical records can result in a financial penalty for non-compliance with HIPAA Rules.

41 patients of Cignet Health of Prince George’s County in Maryland were denied access to their medical records and complained to OCR. The investigation revealed that the HIPAA Privacy Rule had been violated. Cignet eventually settled with OCR for more than $4.3 million.

AHIMA recommends that healthcare providers regularly review their policies and procedures for providing patients with copies of their medical records. Many healthcare providers have unintended barriers in place that make it difficult for patients to exercise their right to access their health data. Only by understanding HIPAA Rules on patient PHI access rights – and ensuring HIPAA Rules are followed – will healthcare providers be able to ensure that their patients enjoy the benefits that come from them taking a more active role in their healthcare.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist