From Report on Patient Privacy

Risking OCR and Patient Ire, Many CEs Don’t Comply With Patient Access Rules

REPORT ON PATIENT PRIVACY delivers timely news and business strategies for safeguarding patient privacy and data security.

June 2014, Volume 14, Issue 6

In apparent defiance of final HITECH regulations, many HIPAA covered entities (CEs) are not offering patients the option of receiving an electronic copy of their medical records, let alone in the “form and format” of their choosing, as has been required since January 2013.

Some are imposing fees for copies and applying limits on what they will provide that do not appear to be in line with regulations. Health systems with multiple hospitals have implemented the access requirements inconsistently across their medical centers, meaning some may be in compliance while others are not.

All of this is evident on the websites of covered entities, in their pages that outline the policies and procedures for patients to obtain their protected health information (PHI) — so officials from the Office for Civil Rights (OCR) can readily see it also. An OCR spokeswoman tells RPP “we can and we have” brought enforcement actions against CEs who violate the access requirements.

Patient advocates, medical records providers, privacy experts and others also tell RPP of a multitude of likely unlawful hoops imposed by CEs that people are jumping through to try to get their records.

“Unless you are behind the curtain like I am or unless you start finding the right stones to turn over, you don’t ever get to see the horror show that really exists in various degrees across the country,” says Chris Carpenter, director of operations for Diversified Medical Record Services, Inc. (DMRS), a business associate that processes records requests for hospitals and physicians offices nationwide.

Noncompliant Patient Access = Risk

Deborah Peel, a psychiatrist and founder of the advocacy group Patient Privacy Rights, maintains that “trying to get your medical records is just impossible. Most Americans cannot get anything electronically [from health care entities], when everything should be as easy as it is in banking.”

Privacy and security officers tend to pay close attention to the really splashy, high-priced settlements OCR publicizes when they’re completed, such as the record $4.8 million deal inked just last month with a university hospital and its affiliated physician group (RPP 5/14, p. 1). And they should.

Aside from the penalties paid to OCR, CEs involved in these cases spend untold sums handling breach notices, paying for credit monitoring and trying to restore their reputations, a fate their colleagues surely wish to avoid.

Chances are they will, statistically speaking, because these settlements are still exceedingly rare.

It’s the more mundane stuff like refusing to email records to a patient that can land a CE and its HIPAA officials in the middle of an OCR inquiry, with its own headaches and legal bills.

In fact, in 2013 alone, OCR closed some 3,500 complaints after obtaining some corrective action from the covered entity. A lack of patients’ access to their own PHI is the third most common complaint OCR receives, after “impermissible uses and disclosures of protected health information” and “lack of safeguards of protected health information.”

A Tweak, but an Important One

The 2009 HITECH Act tweaked an existing provision in the privacy rule regarding individuals’ requests for access to their PHI, offering the promise that patients would get easier, quicker and more convenient access to their records, as long as data were “maintained electronically” by the CE (RPP 4/13, p. 1).

As the preamble to the final rule, published Jan. 25, 2013, describes, under §164.524(c)(2)(ii), “if an individual requests an electronic copy of protected health information that is maintained electronically in one or more designated record sets, the covered entity must provide the individual with access to the electronic information in the electronic form and format requested by the individual, if it is readily producible, or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual.”

HHS took pains to explain that it didn’t just mean records residing in electronic health record systems, but that it was applying these requirements much more broadly, to the extent that it would seem every CE other than the very smallest should be offering patients their PHI electronically.

What “form and format” means is anyone’s guess: HHS doesn’t define these terms in the final rule. It does say, however, that CEs with other “legacy” systems might have to spend a few bucks to produce some kind of electronic record.

“We note that some legacy or other systems may not be capable of providing any form of electronic copy at present and anticipate that some covered entities may need to make some investment in order to meet the basic requirement to provide some form of electronic copy,” HHS says in the preamble to the final rule.

The final rule required CEs to modify their notices of privacy practices (NPPs) to alert patients to their new rights, including the option of getting their PHI electronically. While some no doubt added this verbiage, whether they actually offer an electronic copy to patients when they go through their medical records departments is another story. (See p. 7 for a sample request form.)

Reece Hirsch, a partner with Morgan, Lewis & Bockius LLP in San Francisco, warns covered entities that they “need to be careful that any [records access] forms they are using are consistent with what is being said [in the updated NPP].”

From Many Electronic Options to Zero

The process of getting one’s records has never been simple, and it may now be even more complicated than before. Most CEs require patients to go through a number of steps before the PHI is released. Some have different procedures for when the patients are requesting the record to be sent to themselves, versus when it is sent somewhere else, which is technically an authorization; some use a single form for both purposes.

Hirsch says HIPAA does not mandate that patients complete a written request for their own records or when requesting that their doctor share them with another provider, although most CEs do require some written documentation of such requests. Hirsch calls this “a bit of a gray area.” Covered entities, he says, can send the records when they have a “reasonable belief that the provider they are sending [them] to is providing treatment.”

CEs typically post a form online for records access, which the patient downloads, prints out on paper, completes, signs and then either mails or faxes back to the CE. The form should give the patient options for how the records are going to be delivered, with one choice being some form of electronic version.

Hopkins Offers Many E-Options

Johns Hopkins Medicine, a health system in Maryland, offers patients many electronic options. Patients can check a box to receive the records on paper; electronically on a CD; electronically on a flash drive; through the Hopkins web portal “with notice provided” to the patient’s email account; “by unencrypted e-mail” to a listed address; and, finally, “by other electronic means (if agreed upon by JH records department).” (See

In contrast, another Maryland hospital appears to offer no electronic records options. It seems doubtful that Shady Grove Adventist Hospital doesn’t maintain any PHI electronically, yet it will send paper records only to patients through the United States Postal Service. According to Shady Grove’s website, patients must mail the form “or drop it off in person,” and the records will be mailed within five business days.

Neither its website nor its form mention anything about costs, so it would seem that Shady Grove does not charge for copies (see

Portability and Access Are Key

Carpenter says the reliance on paper requests and mailed records “is not how the industry is trending.” He adds: “I’d even go so far as to say that’s not how HHS sees it working. The ideas are portability and access.”

When reviewed by RPP, the webpage for Kaiser Permanente’s (KP) Santa Clara Medical Center seemed to offer a lot of electronic options, but placed limits on the information it would send to patients. Its preferred methods of providing records seemed to be on CDs or by email as these are “FREE” — if encompassing the “last 2 years of records.”

According to its frequently-asked-questions page, which misspelled HIPAA in every use, patients who needed help with the process could email the “release of information office” at an email address given, and were asked to include either their medical record number or Social Security number. This was somewhat stunning, as emailing Social Security numbers in unencrypted emails is generally frowned upon by privacy and security professionals.

The release form indicated that KP would fax records to patients, but only 10 pages, and, again, a two-year limit was specified.

After RPP inquired to KP about these features, a spokesman said records older than two years were available for $15 “per request.” He did not answer any other questions, such as about the pricing structure, limits on faxed pages and the emailing of Social Security numbers. Shortly after RPP’s inquiry, all of the pages referring to medical records access were taken down.

UPMC, a health system affiliated with the University of Pittsburgh Schools of the Health Sciences, states on its release of medical records page that it “has now implemented an electronic health record at all its hospitals.” It also points out that “Electronic release is convenient and helps reduce cost.”

Patients are directed to contact individual hospitals for those records. But patients seen at UPMC Mercy, in uptown Pittsburgh, are not given any options for electronic records. According to the release form, which seems to be the same one used for 12 other UPMC facilities, records are available only by mail (see

DMRS, which offers electronic delivery options for its medical records clients, didn’t see an anticipated increase in these methods after the final rule was released. “The assumption was that with the new rights, patients would exercise them and as a result, more records would be going out in electronic format,” Carpenter says. “Such is not the case.”

Although patients may still prefer their records mailed, they do want to send their request in electronically, Carpenter says, including being able to use an electronic signature to complete their forms. But this has proven difficult, he says, because CEs have been resistant to accepting electronic signatures (see story, p. 5). He says it is the IT industry, records vendors, and fulfillment service providers that are “really doing all the heavy lifting, with regard to ‘form and format.’”

“For example, we finally go live with our new systems next quarter (just about a million dollars later), and in doing so we will be delivering everything digitally (within hours rather than the standard of a week or two), with an option for the requestor to register on our website and opt out of electronic delivery, choosing their preferred method (i.e., fax or snail mail),” Carpenter says.

Which Way Is the Industry Going?

Once the new system is deployed, Carpenter will be “very eager to see [what patients choose], because that will be a true indicator of the direction the industry is shifting.”

Peel is waiting, too, and will be watching. She laments that the pledge that President George Bush made that patients would have access to their records and be able to control them electronically still hasn’t been kept. “Most places don’t have electronic portals. They don’t email us securely,” says Peel, who reviewed some of the CEs’ policies for records access at RPP’s request. “They put all these obstacles in the way of us getting our own data. It’s just terrible, awful.” The expanded access requirements aren’t being met, she says, because of “gaps” in the regulation and ignorance on the part of CEs. “People believe what they are doing is actually legal,” Peel says. “The implementation has completely failed patients.”

© 2014 by Atlantic Information Services, Inc. All Rights Reserved.
