How much patient information can you share with…your patient? And does your support staff know the answer? Patients’ access to their own health information is a cornerstone of HIPAA, the intent of which is to protect the privacy and security of identifiable health information. However, HIPAA has generated plenty of confusion as to who has access to what. As a result, practice administrators might be gun-shy around HIPAA to the point where they might not let patients access their own records.
Under HIPAA, individuals may request an electronic copy of their PHI (protected health information) if this information exists in electronic form—and health information is increasingly generated and stored electronically by covered entities (health plans and most providers). The covered entity must provide the PHI in the electronic format requested by the individual if it can readily be reproduced in that form and format, according to the Department of Health and Human Services (HHS).
If an individual requests it, the covered entity must provide medical records, insurance information, clinical test results, medical images, disease management program files, clinical case notes, and other information used to make clinical decisions about individuals. Psychotherapy notes documenting or analyzing a counseling session, which are maintained separately from the rest of the patient’s medical record, are excluded from the HIPAA requirements. Information compiled or used for administrative actions or legal proceedings is also exempt, according to HHS.
HHS and Office of Civil Rights recently provided additional HIPAA guidance, including:
- Patients needn’t give a reason for requesting their own health records.
- Providers cannot refuse access to records just because they contain information that might be upsetting to the patient.
- Entities can’t deny an information request because a patient has failed to pay medical bills.
Does this make things any clearer?
Inadvertently withholding HIPAA-protected information from patients is understandable, even if it is frustrating for patients. Unfortunately, some organizations have used HIPAA as a regulatory shield to protect themselves from whistleblowers or unhappy patients.
HHS provides online resources for practices to make sure they honor patients’ requests for their own records. Consulting with legal experts is another way to get the right answers to patient and staff questions about this vital component of care.
A recent survey by the AHIMA Foundation revealed wide variation in contemporary practices affecting patient access. The survey results demonstrated a high level of adoption of EHRs, with 87.5% of respondents reporting they had an EHR. Patient portals were available at 38% of facilities with an EHR system. And as EHRs and portals are implemented, patient requests for PHI will likely drop, the AHIMA study speculated, because the information will be more readily available.
Last Updated on July 22, 2016