OCR launched the Right of Access Initiative in 2019, promising to vigorously enforce the provision, which gives patients the right to get access to their medical records promptly, without being overcharged, and in the readily producible format of their choice. HIPAA rules generally require that covered health care providers provide medical records within 30 days of the request and only charge a reasonable cost-based fee.
Since the initiative launched, there have been two enforcement actions and settlements by OCR under HIPAA. The first case involved Bayfront Health St. Petersburg (Bayfront), which paid $85,000 to OCR and adopted a corrective action plan to settle a potential violation of the right to access provision of HIPAA in which Bayfront failed to provide a mother with timely access to records about her unborn child.
The second case, involving Korunda Medical, LLC (Korunda), resulted in the same fine and corrective action as the case against Bayfront. Korunda was found to have failed to provide timely records in electronic format to a third party and charged more than the reasonable cost-based fees permitted under HIPAA.
A Better Way?
Phillip Eskew, D.O., J.D., physician, founder of DPC Frontier, and policy advisor to The Heartland Institute, which publishes Health Care News, says he believes the right of access provision is good for patients, but that there are better ways to provide patients with meaningful access to their medical records.
“I wish all practices took the ‘open notes’ approach,” Eskew said. “Open notes is a national movement in the United States that encourages clinicians to offer patients ready access to their encounter notes.”
By receiving ready access, patients will be able to promptly notify physicians about any missing or inaccurate areas. Additionally, states, rather than the federal government, would be in a better position to encourage the timely release of medical records to patients, Eskew says.
“I’ve always believed that patients should have total access to their medical records,” Eskew said. “Even if HIPAA were not in place many states have similar laws regarding the timely release of medical records to patients upon their request.”
A patient’s right to access his or her medical records should be treated like other goods or services, says Kimberly Legg Corba, D.O, a direct primary care physician who is certified in HIPAA compliance.
“Good or bad, one could argue that HIPAA’s ‘right to access’ should not be something the government should mandate,” Corba said. “Patients should not have to be granted a ‘right to access’ their protected health information (PHI). It should just be theirs to begin with. They are paying for medical care, which is a product or service. When you pay for food in your refrigerator, do you have to ask for permission to “access” it?”
Electronic Health Record Change Landscape
Most physicians are employed by large health systems, so access to patient medical records and their preparation essentially becomes the duty of the organization and the electronic health record system (EHR) that is used, says Corba.
“Large entities like these have entire departments staffed by individuals who are trained to handle transfer of medical records,” Corba said.
Large organizations may also hire outside venders to handle records, Corba says.
HIPAA and other legislation designed to regulate health technology have changed the landscape surrounding medical records and health information, says Corba.
“Prior to HIPAA and HITECH (Health Information Technology for Economic and Clinical Health), no one was trying to ‘steal’ PHI, no one was gathering data for the purposes of quality analyses for payment purposes or cost containment, and entities were not hesitating in the sharing of a patients’ own, personal health records, particularly at the patient’s request,” Corba said.
But there has been pushback by providers, says Corba.
“Now EHRs [vendors] are claiming concerns with patients being able to screen shot and share their own PHI due to potential damage to the company’s ‘trade secrets,'” Corba said.
This is what has made EHR companies hesitant to share PHI, Corba says.
“Perhaps moving the storage and ‘ownership’ of patient PHI away from the medical-industrial complex and to the patient themselves is a solution,” Corba said.
“I think if patients could choose to have instant access to all of their medical records and PHI at all times, and choose themselves when and with whom they want to share, it would make the flow of information and resulting continuity of care much more efficient and improve the quality of care,” Corba said.
Kelsey E. Hackem ([email protected]) writes from Washington.
Esch, Tobias, et.al., “Engaging Patients Through Open Notes: An Evaluation Using Mixed Methods,” BMJ Journals, January 2016: https://bmjopen.bmj.com/content/6/1
U.S. Department of Health and Human Services, Individuals’ Right under HIPAA to Access their Health Information 45 CFH 164.524: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html