In 2011, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) penalized Maryland-based Cignet Health $4.3 million for violations of the HIPAA Privacy Rule and other charges. OCR’s investigation found that Cignet violated 41 patients’ rights by denying them access to their medical records.
The Privacy Rule requires health organizations to provide patients with a copy of their medical records within 30 (and no later than 60) days of a patient’s request. And OCR is serious about enforcing the rule.
Although the HIPAA Privacy Rule went into effect in 2003, several factors have kept many healthcare providers, including behavioral health organizations, from having transparent and efficient processes for sharing records with patients:
- Few patients requested copies of their records;
- There was an overabundance of caution and misunderstanding about HIPAA protections; and
- Doctors have traditionally been reluctant to share information with patients.
“They are concerned that patients will not understand the information that has been recorded,” says Joy Pritts, former chief privacy officer for the Office of the National Coordinator for Health Information Technology.
But the advent of electronic medical records, the digitization of information and the opportunities to more easily and efficiently exchange information with patients have changed things.
“Another reason this issue is coming to a head now is the movement around patient-centered care and patient and family engagement,” says Erin Mackay, associate director of health information technology programs at the National Partnership for Women & Families. “There is increasing recognition that if we expect patients to be engaged and activated partners in their care with doctors and other care team members, we absolutely have to be giving them information that is empowering. We don’t ask people to manage their bank accounts and not give them access to their checking information. And yet we expect that to happen in healthcare, and it is a little bit ridiculous.”
In 2015, Mackay’s organization helped launch the GetMyHealthData campaign to enlist people to ask health systems for their health data and report back on their experiences. The results were eye-opening. Participants received messages saying that they could have their data only if they asked correctly while some received letters asking why they wanted their data in the first place. Some were charged up to $600 with no estimate upfront about how much it would cost. Some providers were even charging for access to patient web portals that were subsidized by taxpayer dollars through the Meaningful Use EHR incentive program.
In 2016, the difficult experiences reported by the GetMyHealthData campaign and others led OCR to issue guidance clarifying for providers what their rights and responsibilities are and what they can reasonably charge patients.
OCR specified what types of fees were permitted and outlined a few options providers could use to calculate those fees. Providers could calculate the combined labor, supplies and postage costs to prepare and send an explanation or summary. Alternatively, they could charge a flat fee, and OCR suggested $6.50.
“That gives you an approximation of what OCR is thinking should be a reasonable fee for an information request,” Mackay says. “Of course that generated a lot of outrage from people who make money charging per-page fees.”
She notes that OCR was not imposing a ceiling.
“This was just one option and an easier way for providers to calculate those fees,” she says. “But this gave consumers a ballpark idea of what is or is not a reasonable fee.”
Mackay knows of one family caregiver who got a bill for $500 for her parent’s hospitalization records, which were delivered in a huge box. That volume of information was neither relevant nor particularly helpful, and the fee “is absolutely outrageous.”
Providers must consult both the OCR guidance and state laws.
“There are several states where an individual is entitled to one free copy of their record per year,” Pritts says. “That is less than what OCR might allow a provider to charge under HIPAA. In that case, the state law remains in effect, and the individual is entitled to one free copy per year. You have to go to the lowest fee, whether under federal or state law.”
OCR also reminds providers that if medical records are in electronic format, patients have a right to receive them in electronic format.
Of importance to behavioral providers, excluded from the patient right of access are psychotherapy notes, which are the personal notes of a mental healthcare provider documenting or analyzing the contents of a counseling session, that are maintained separate from the rest of the patient’s medical record. Pritts says she has seen large healthcare systems where the psychotherapy notes are maintained within the electronic health record.
“If it is retained with the rest of the electronic health record, that has to be produced for the individual when they request their medical record,” she says.
In Minnesota, patients have the right to view or receive all parts of their medical records, including psychotherapy notes.
Confusion over that issue led the Minnesota e-Health Privacy and Security Workgroup to issue a paper clarifying patient rights in the state Health Records Act.
“Historically that workgroup has included attorneys and privacy officers from providers, but not a lot of behavioral healthcare executives,” says Stacie Christensen, director of the information policy analysis division of the Minnesota Department of Administration. But recently a few behavioral providers started attending. “They were concerned that under HIPAA there is this carve-out, but not in Minnesota, so we prepared an information sheet based on the law just to see if it would prompt any legislative changes, which it hasn’t,” she adds.
In practice, the state report says, therapy notes are rarely accessed. Minnesota does allow for the use of clinical judgment in the release of all medical records. If the release could cause harm to the patient or others, they can be withheld from the patient’s view.
“My assumptions are that the patients don’t realize that those notes are there, and they could request them,” Christensen says, “or the providers are using that exception to avoid providing them.”
Set up to share
There are several steps involved in creating a successful program in terms of providing individuals access to their own information, Pritts says.
“First is establishing a culture within the organization that individuals accessing their own information is a good thing and is to be encouraged,” she says. “If you don’t have that piece down, the rest is going to be a struggle.”
Another key aspect is having an efficient and transparent process for responding promptly to requests, so that clinicians don’t get bogged down in administrative details. The individual has the right to the information for their own purposes, and having an easy process for doing that is important, not only for the patient, but for the providers.
“The easier it is for patients to get the information, the more likely they are to ask for it, and the more positively they will view their provider,” Pritts says. “You want this to be a selling point, not the reason somebody gives your organization a thumbs down.”
Mackay says some providers require patients to fill out a specific form to request their data, and patients can find those confusing. Technically there is a difference between requesting your own records—an access request—and an authorization to disclose data to a third party.
“Unfortunately, a lot of health systems conflate the two and create one form for patients to fill out and use the same form whether they are trying to access the records for themselves or someone else,” she says. “In almost all of the examples I have seen, the information related to CFR 42 Part 2—alcohol and drug treatment, HIV/AIDS-related information, and now genetic testing, too—if you don’t check the box that you want this information, then it won’t be provided to you. I understand that this evolved out of an abundance of caution and wanting to make sure the system was not releasing information the patient wasn’t comfortable with, but these forms can be confusing to patients and families.”
It is already difficult for patients to fill forms out correctly and get the data they want. The request form is yet another document they have to read carefully and understand, she says.
Further complicating matters are new mobile health app companies that are granted permission by customers to request medical records on their behalf.
“We have heard examples of apps or companies making requests on behalf of patients,” Mackay says. “These are faxed in, because every provider has a fax machine. The health information management professionals in the office get that request and they are not sure what to do with it, and as one app company told us, they put it in the ‘Oh, crap’ pile, which means ‘Oh crap, we don’t recognize this.’”
All too often such requests go ignored for lack of processes to address them, she says.
David Raths is a freelance writer based in Pennsylvania.