When a Patient Requests Access to their Medical Record

When a Patient Requests Access to their Medical Record

Establish policy to handle patient medical record access scenarios, legally.

Patients have a right to “request to view” their medical record. This right is conferred by the Standards for Privacy of Individually Identifiable Health Information, known as the HIPAA Privacy Rule of 2001 [45 C.F.R. § 164.524]. Let’s review legal details, so you can best formulate policy and practice for your medical setting.

A patient may ask to amend their medical record if they believe there is an error. For information on how to handle the request legally, read the article, “When a Patient Requests to Amend their Medical Record,” on pages 48-49 of the December 2017 issue of Healthcare Business Monthly.

Know the Laws and Process

Patients should submit a written request by completing a Release of Protected Health Information (PHI) form. A patient-authorized representative may also request access by completing a PHI release form. Your setting needs to establish policy on how to verify the identity of the patient or personal representative.
Per the Privacy Rule, a medical provider has 30 days to respond with written notification. The provider may deny access of the content if the medical record could “harm the patient.” If needed, the provider may request an additional 30 days with written notification.
Some patient records, such as psychiatric notes, workers’ compensation, and motor vehicle accident notes are HIPAA exempt. This means the Privacy Rule does not apply.
The provider may charge a customary fee for photocopying, postage, and for the cost of a CD or thumb drive. Limitations to this fee differ from state to state. In addition, whether the provider can charge a nominal fee for search and retrieval also differs by state. In Pennsylvania, for example, Act 26 limits the amount charged based on how many pages are generated. Act 26 also allows a maximum search and retrieval of records fee of $21.69. In contrast, Vermont statutes (18 V.S.A. § 9419) forbids a search and retrieval fee and limits access fees to $0.50 per page with a maximum fee of $5. Your compliance manual should reference the statute(s) for the state(s) in which your provider(s) practices medicine.

Consider Scenarios and Risks

To better understand access to the medical record, consider role-playing at a future compliance meeting with a few scenarios:

  • A patient requests access to the last office visit, which was a month ago.
  • An authorized personal representative requests access to a medical record.
  • A patient with severe and escalating depression requests access to the medical record at the family doctor’s office.

The first example seems straightforward, but the provider should know there is an option to review the request for access and potentially deny it, and the risk involved in exercising this right.
Ignoring a patient’s request to access their medical record can put the provider in legal jeopardy. The Office for Civil Rights (OCR) has an online complaint portal and a toll-free number to trigger investigations. The OCR may assign civil money penalties and, with the Department of Justice (DOJ), enforce criminal prosecutions to providers.
Patient portal access may someday alleviate issues associated with medical record access requests. But for now, most patient portals are still held to Meaningful Use Stage 2 standards, meaning patients are only able to view lists (medications, allergies, problems) and results (laboratory, imaging). When portal standards expand to reveal the entire note, the provider will need to adjust access settings for each patient through the electronic health record.

Chart and Track Patient Access

As you discuss patient access rules and role-play a few scenarios at your next compliance meeting, create a flowchart to track what happens and make a documentation trail for each scenario. Chart the course of patient access based on this summary of information:

  • The patient may request to access their medical record per the HIPAA Privacy Rule.
  • The medical provider has 30 days to respond with written notification.
  • The provider may deny access if content could “harm the patient.”
  • The provider may request an additional 30 days with written notification.
  • Psychiatric, workers’ compensation, and motor vehicle accident notes are HIPAA exempt.
  • Customary fee charges (photocopying, postage, CD, thumb drive) and medical record search and retrieval charges vary from state to state.
  • The OCR operates an online complaint portal
    (www.ocrportal.hhs.gov) and toll-free number (800-368-1019)
    to receive complaints.
  • Penalties skyrocket if there is evidence of retaliation against the patient.
  • The OCR may conduct compliance reviews and assign civil money penalties.
  • With the DOJ, the OCR can also assign criminal prosecution against medical providers.

Establishing a policy and using it consistently will ensure your office can handle patient medical record access requests to the letter of the law.


About Has 19 Posts

Michael Warner, DO, CPC, CPCO, CPMA, AAPC Fellow, is an associate professor at Touro University California, president of non-profit Patient Advocacy Initiatives, alternate advisor on AMA RUC, and an AAPC National Advisory Board member. At Touro, he is conducting a series of research projects with the online tool www.PreHx.com to determine evidence-based best practices to accommodate a patient-authored medical history and improve data gathering flow.

Comments are closed.