In January 2016, the Department of Health and Human Services issued new guidelines regarding the rights of individuals to access their protected health information under HIPAA. Though the guidelines are new, the rights they describe are not. In fact, in 2009 the rights to security, privacy, and access to medical information under HIPAA were modified for the digital age when Congress passed the Health Information Technology for Economic and Clinical Health Act (HITECH Act) as part of the American Recovery and Reinvestment Act.
As reported by the New York Times, the new guidelines released this year spring from studies and research by the Department of Justice, Office of Civil Rights. Those studies reveal health care providers are failing to adhere to the HITECH amendments to HIPAA and respect patients’ longstanding rights of access to inspect or copy their medical records.
The new guidelines address the rights described under federal HIPAA regulations at 45 C.F.R. §154.624 and begin with a summary of the “General Right” to access health care information, which includes the following:
- The right to receive a copy or inspect your medical records;
- The right to designate another individual or entity to receive a copy of or inspect your medical records;
- The right to access the information whether its maintained by the actual health care provider or its business associates (such as an independent company under contract to process and respond to requests for medical records); and,
- The right to access protected health information from a provider that originated from another source, such as a consulting or referring physician.
In addition, the new guidelines forbid several “unreasonable measures” which health care providers place as barriers between patients and their protected health information. Specifically, health care providers are not permitted to require an individual:
- Who wants a copy of her medical record mailed to her home address to physically come to the doctor’s office to request access and provide proof of identity in person.
- To use a web portal for requesting access, as not all individuals will have ready access to the portal.
- To mail an access request, as this would unreasonably delay the covered entity’s receipt of the request and thus, the individual’s access.
Before our office files a medical malpractice lawsuit on behalf of an injured client or their loved ones, we must determine whether there is substantial basis to believe health care providers failed to provide medical treatment within appropriate and accepted standards of care. We make this determination with a two-pronged investigation involving extensive research of the medical issues followed by applying our knowledge to the facts at issue. The key facts which help us determine whether or not a lawsuit is justified are found almost entirely in the potential client’s medical records.
With a constant need to access protected health information, we are all too familiar with obstacles to acquiring medical records similar to those which compelled DHS to issue the new guidelines. Hospitals or the business associates they hire to process and respond to requests for medical records are notorious for charging a fee to produce records which assigns a separate fee for each page of the record. As an absurd example, once a business associate for a regional hospital charged our office by the image for several radiology studies, including MRI studies which contained hundreds of individual, detailed images. The business associate claimed the HIPAA/HITECH rules regarding access to medical records simply did not apply to radiology images.
It is unfathomable to consider how many dollars which could have assisted an injured patient were thrown away because of this illegal practice. Fortunately, the new guidelines stop the gouging. First, the guidelines clarify that medical images are included in the definition of records protected under HIPAA. More importantly, the guidelines inform the public of the law’s limitation on what a health care provider or its business associate can charge for producing copies of health care information. The fee for production of medical records, whether produced in on paper or in an electronic format, must be limited to a reasonable fee based on the cost of labor, supplies and postage.
Health care providers or their business associates attempt to get around the protection of the law in several ways. First, health care providers or their business associates assert the limits on charges to produce medical records only apply to requests directly from the patient, and not their attorneys. Fortunately, the new guidelines include a section titled “Individual’s Right to Direct the PHI to Another Person”. That section states the “same requirements for providing the PHI to the individual, such as the fee limitations and requirements for providing the PHI in the form and format and manner requested by the individual, apply when an individual directs that the PHI be sent to another person. See 45 CFR 164.524(c)(3).”
Also, offending health care providers attempt to justify their per-page charges by citing to Pennsylvania law. The new guidelines clarify that any state law which is contrary to the rights given to patients under HIPAA is preempted by the federal law and does not apply.
We applaud DHS for these clear and concise guidelines. Likewise, we look forward to securing medical records at a reasonable cost, free from the unlawful barriers imposed by hospitals, doctors, and the businesses which ignore rights for the sake of profit.