Why Is Providing Patients Access to Records So Challenging?Study Shows Hospitals Inconsistent in Presenting Access Options
Although HIPAA gives patients the right to access their health records in their preferred format - on paper or electronically - a new study finds discrepancies in the information hospitals provide to patients regarding the release of their records.
"Requesting medical records remains a complicated and burdensome process for patients despite policy efforts and regulation to make medical records more readily available to patients," the researchers noted in the study.
The study points to the need for privacy officers, records managers and others to educate hospital staff on what HIPAA requires and make sure that the organization has the right procedures in place to offer access to records, privacy and security experts say.
"Far too many hospitals are wildly out of compliance with the HIPAA Privacy Rule right of individual access."
—Deven McGraw, Ciitizen
"Far too many hospitals are wildly out of compliance with the HIPAA Privacy Rule right of individual access because they have not done the necessary work of making sure their medical records departments - or the vendor they are using for release of information - are in compliance," says privacy attorney Deven McGraw, general counsel and chief regulatory officer at Ciitizen, a health IT provider.
"For example, we have learned that some hospitals house the records department in revenue cycle management vs. compliance, which may make it harder for the hospital's privacy official to oversee what's going on," says McGraw, who was formerly deputy director of health information privacy at the Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA.
83 Hospitals Studied
The study conducted by Yale School of Medicine researchers between August and December 2017, which was published in the Oct. 5 Journal of the American Medical Association, examined 83 "top ranked" U.S. hospitals in 29 states with independent medical records request processes and medical records departments reachable by telephone.
Study researchers collected medical records release authorization forms from each hospital and then telephoned each hospital's medical records department to collect data on patient requestable health information.
The researchers found discordance between information provided on the hospitals' authorization forms and that obtained from the simulated patient telephone calls in terms of requestable information, formats of release and costs.
For example, 47 percent of hospitals, during phone calls, said they provided for the release of health information via email, versus 33 percent that indicated that on their authorization forms. Some 66 percent said via the phone that they provided for release of records via CD, vs. 42 percent on authorization forms. And 25 percent said on the phone that they released records via online patient portals, while 40 percent listed that option in authorization forms.
The JAMA study did not dig into what caused these discrepancies.
The researchers, however, noted that "stricter enforcement" may be required to ensure more transparent and less burdensome medical records processes for patients - especially in light of legislation, including the recent 21st Century Cures Act, and HHS initiatives, including MyHealthEData, which continue to stipulate the importance of improving patient access to and control over their health records.
"Patient access issues remain a source of challenge for covered entities and a source of enormous frustration for patients and other healthcare advocates," says privacy attorney Kirk Nahra of the law firm Wiley Rein.
"Some of these points are issues with the flexibility of the [HIPAA] rules - which are designed to set standards but also give covered entities some leeway based on their own practices," he says. "Some organizations may take advantage of this or use it as an excuse. Most, however, generally are trying hard. There are still interoperability issues between systems. There are some concerns about security."
Under HIPAA, medical record requests must be fulfilled within 30 days - with the possibility of a single 30-day extension - in the format requested by the patient if the records are readily producible in that format.
The study notes, however, that despite HIPAA's guarantee of patient access to their records, and the pervasiveness of electronic health records, "patients may not be able to easily request, receive and manage their medical records."
There are continuing tensions between some aspects of HIPAA and other goals of the healthcare system, Nahra notes.
"The rules tend to draw a balance, but there is increasing concern that the balance on access needs to favor patients more than it does today, and that convenience and cost for the covered entities should be given less deference," he says. "Patient portals may be a good option for security purposes, but may not always work if a patient wants to transfer the information to someone else."
McGraw suggests that HHS should also continue to focus on enabling individuals' access to their health information via application programming interfaces. "But it is also essential for hospitals to have a unified strategy for patient access, which includes ensuring access via APIs and via medical records offices, because it will be years before the entire HIPAA 'designated record set' is available via APIs," she adds.
Several factors contribute to some hospitals being reluctant to provide patients access to their health information via email, says privacy attorney David Holtzman, vice president of compliance at consultancy CynergisTek.
"The HIPAA privacy and security rules call for organizations to safeguard PHI transmitted in an electronic form," he says. "Not all health information is created equal. In carrying out their responsibility, these organizations could reasonably conclude that there is patient information that is too sensitive to transmit by unsecured email services or they do not have the technology in place to securely send the patient record.
"HHS could consider modifying the HIPAA rules to set standards providing covered entities and business associates a safe harbor for sending PHI to patients or their designated recipients in an unsecured electronic format."
HHS already provides some flexibility to organizations using email to provide patients access to their health information. For instance, in 2016, HHS issued guidance material telling covered entities that they need to provide patients - or a chosen third party - with access to health information in the format the patient requests - even if that request instructs the healthcare entity to electronically transmit health records via unencrypted email. But the entity should forewarn patients of the related risks, HHS says.
"When I was at the HHS Office for Civil Rights, we knew that the hospital's security officials would balk at releasing records to patients via email - but this is why OCR emphasized it in the Omnibus Rule and the 2016 Access Guidance, to make it clear that patients have the right to get their information in the way that is most convenient for them," McGraw notes.
Providers and patients can securely exchange health information via email by using encrypted messaging, such as by using the Direct protocol.
At the very least, the study shows that many healthcare organizations need to make sure their staff members understand patients' rights to access their health information and then accurately communicate to patients how they can comply with records access requests.
"Healthcare organizations must ensure that everyone who has direct patient contact can accurately provide information on how patients can acquire their health records, the available form and format for the release of the health information and any costs for those records," Holtzman says.
"It is an issue of ensuring an organization's culture of patient service extends to ensuring that providing access to their data is a core competency."
Organizations need to properly train their staff about the various ways patients can receive their PHI so that the information about such requests is accurately conveyed to those patients, Nahra says.
He predicts HHS will eventually release more guidance about patient access to their health information.
"In the meantime covered entities - particularly providers - need to realize that this is an area of increasing concern and that they need to be trying harder to get records to patients in a reasonable way," he says.