HIPAA Compliance: Patient Requests for Records – Avoiding Costly Violations

By: Cristina N. Hyde, J.D.

It is undeniable that health care providers have their hands full these days. However, operating during a global health emergency does not alleviate basic obligations such as those related to a patient's protected health information (PHI). Just last year, the Office for Civil Rights (OCR) announced its Right to Access Initiative, aimed at ensuring that patients' rights to access their medical records are upheld. The first completed investigation under the initiative resulted in an $85,000 violation over ONE medical record that was not timely or properly provided.

Under HIPAA, patients not only have a legal and enforceable right to access PHI, but a covered entity must maintain a designated record set and must have procedures in place to make timely access to those documents easy for the purposes of inspection, copying or forwarding. Upon receipt of an appropriate and verified request, a covered entity must provide the records requested in the format in which they were requested, including a paper copy even if the PHI was maintained electronically; reasonable fees for access are permitted. It is only under very limited circumstances that a covered entity may deny an individual's request for access to all or a portion of the PHI requested, but this denial may be subject to review.

With few exceptions, a designated record set includes anything used by the covered entity to make decisions about patient care as well as medical and billing records, enrollment paperwork, payment information, and case or medical management record systems maintained in conjunction with a health plan.

If a covered entity is audited, the OCR will look at several areas of HIPAA compliance, including evidence of:

  • Proper Notice of Privacy practices related to PHI.
  • Proper administrative requirements for the security of PHI.
  • Proper authorizations for use and disclosure of PHI available for patient use.
  • Proper administrative, physical and technical safeguards on premises related to PHI.

If you find yourself in a situation where you have questions about a patient's records request, or other obligations under HIPAA, contact us.
