A Patient’s Right of Access is still an issue for many Covered Entities

By Suze Shaffer

February 15, 2020

Many covered entities struggle to understand what an individual's "right of access" actually requires. Under HIPAA, as amended by the Omnibus Rule, a patient has the right to obtain a copy of their medical record in the form and format they request, provided the record is readily producible in that format. This means a medical provider is not required to purchase special equipment or software to meet such a request. For example, if a patient asks for a CD or DVD of their medical records and you do not have a DVD drive, you would not necessarily be required to buy one. Keep in mind, though, that DVD drives cost only about $25, so it would not be unreasonable for a practice to purchase one. Ideally, you would direct the patient to your EHR portal so they can download the records themselves. However, you cannot require them to use the portal.

When a patient requests access to their PHI (protected health information), have the patient sign a written request and note the date it was received. A provider then has 30 days to supply the requested information. To extend that time, the covered entity must, within the initial 30 days, inform the individual in writing of the reasons for the delay and the date by which access will be provided. Keep in mind that only one extension (of no more than 30 days) is permitted per access request.

The next area of confusion is the fee limitation. Many states set maximum copying fees for medical records, but under HIPAA a covered entity may charge only a reasonable, cost-based fee, so a state fee schedule applies only where it is lower than what HIPAA permits. The permitted fee covers the cost of labor for copying, the supplies (paper or portable media), and postage. The labor component may not include the cost of searching for and retrieving the records or reviewing the request, but it may include skilled technical staff time spent creating and copying the electronic file, such as compiling, extracting, scanning and burning the PHI to media.

The flat fee option ($6.50 for electronic copies of PHI maintained electronically) is not a cap; it is merely an alternative to calculating the actual cost of labor, supplies and postage. Many providers use this method because it is easier than calculating actual costs.

On January 23, 2020, a federal court vacated the "third-party directive" within the individual right of access "insofar as it expands the HITECH Act's third-party directive beyond requests for a copy of an electronic health record with respect to PHI (protected health information) in an electronic format." As a result, the fee limitation set forth at 45 C.F.R. § 164.524(c)(4) applies only to a patient's request for access to their own records; it does not apply to a patient's request to transmit records to a third party.

https://www.hhs.gov/hipaa/court-order-right-of-access/index.html

If you would like to read the Memorandum Opinion from the United States District Court for the District of Columbia in the case Ciox Health, LLC v. Alex Azar:

https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2018cv0040-51

We hope this will help clear up any misconceptions when it comes to a patient’s right to access their medical information.

If you would like more information, contact us at 877.659.2467 or complete the contact form.

“Simplifying HIPAA through Partnership, Education, and Support”

About Suze Shaffer

Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that clients who understand why and what needs to be done to protect their practice have a better outcome.

Suze has been instrumental in helping clients nationwide with risk management, implementing Privacy Rule and Security Rule policies and procedures, and ultimately protecting patient data. She incorporates state and federal regulatory requirements to ensure clients are protected in all areas.

She has spoken at numerous conferences and functions and continues to educate organizations on how to minimize the risk of data breaches. HIPAA compliance is not optional; every organization that comes in contact with protected health information must have reasonable and appropriate security measures in place. Unfortunately, most organizations do not realize they are non-compliant until they suffer a data breach or face an audit or investigation.

Did you know that the Office for Civil Rights (OCR) is the agency that investigates HIPAA data breaches? Have you seen the heavy fines that have been imposed for non-compliance?

All 50 states now have their own privacy and breach notification laws, and a state attorney general may also investigate privacy violations.
