Hospitals Failing to Fully Comply with HIPAA Requirement for Providing Patients with Copies of Medical Records
The HIPAA Privacy Rule gave patients the right to obtain a copy of their medical records from their healthcare providers. Under HIPAA, copies of medical records should be provided to patients as soon as possible, but no later than 30 days from when the request is made.
Even though compliance with the HIPAA Privacy Rule has been mandatory since April 14, 2003, there have been several cases of hospitals failing to provide patients with copies of their medical records. In 2011, the Department of Health and Human Services’ Office for Civil Rights (OCR) sent a message to healthcare providers about this aspect of HIPAA compliance when it issued a $4,300,000 civil monetary penalty to Cignet Health of Prince George’s County.
Even though it has now been 15 years since compliance with the HIPAA Privacy Rule became mandatory, there is still widespread noncompliance when it comes to providing patients with copies of their medical records.
According to a new study published in JAMA Network Open, healthcare providers are not providing patients with copies of their full medical records, many are charging excessive amounts, and some hospitals are making it hard for patients to find out about and exercise their right to obtain a copy of their health records.
The study was conducted by Yale University School of Medicine researchers who evaluated processes for releasing medical records to patients at 83 of the leading hospitals in the United States. According to the study, only 53% of hospitals provided patients with the option of obtaining their entire medical record.
HIPAA requires patients to be provided with copies of their medical records in the format of their choice, yet many hospitals were failing to comply with this requirement and there were discrepancies between information provided over the phone and what was detailed on release forms.
For example, over the telephone, 83% of hospitals said copies of medical records could be picked up in person, yet only 48% stated this on the release forms. 66% said electronic medical records could be provided on a CD over the telephone, but this was only an option on 25% of forms.
In 2016, OCR clarified patients’ right to access their medical records and the amounts that healthcare providers can charge for providing patients with copies of their health information. A flat fee of no more than $6.50 was recommended to release electronically maintained medical records to a patient. However, the study revealed that 48 of the 83 hospitals charged patients more than this amount. One hospital charged $541.50 for a 200-page medical record.
43% of hospitals did not state on the request forms how much patients would be charged for exercising their right to obtain a copy of their medical records and only 35% of hospitals disclosed exact costs on the release form or the web page where the form could be downloaded.
At least 7 hospitals (8%) were non-compliant with the maximum processing time of 30 days, with each of those hospitals providing a time range with the upper limit outside the 30-day maximum.
Information on forms was found to be incomplete or incorrect and patients were required to call the medical records department to find out the full parameters for releasing medical records. Some hospitals were unwilling to provide paper and electronic copies of medical records and there was no consistency in processes for releasing medical records to patients across the 83 hospitals that were studied.
“The lack of a uniform procedure for requesting medical records across US hospitals highlights a systemic problem in complying with the right of access under HIPAA,” wrote the researchers. “Because every institution creates its own process and implements its own regulations, variability in what and how records can be received occurs.”
Co-author of the report, Harlan Krumholz, MD, said, “If we really want to move to a healthcare system where patients are at the center, then we need to find ways to ensure that they have agency over their own data. We’re far from that right now.”