In 2011, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) penalized Maryland-based Cignet Health $4.3 million for violations of the HIPAA Privacy Rule and other charges. OCR’s investigation found that Cignet violated 41 patients’ rights by denying them access to their medical records.
The Privacy Rule requires health organizations to provide patients with a copy of their medical records within 30 (and no later than 60) days of a patient’s request. And OCR is serious about enforcing the rule.
Although the HIPAA Privacy Rule went into effect in 2003, several factors have kept many healthcare providers, including behavioral health organizations, from having transparent and efficient processes for sharing records with patients:
- Few patients requested copies of their records;
- There was an overabundance of caution and misunderstanding about HIPAA protections; and
- Doctors have traditionally been reluctant to share information with patients.
“They are concerned that patients will not understand the information that has been recorded,” says Joy Pritts, former chief privacy officer for the Office of the National Coordinator for Health Information Technology.
But the advent of electronic medical records, the digitization of information and the opportunities to more easily and efficiently exchange information with patients has changed things.
“Another reason this issue is coming to a head now is the movement around patient-centered care and patient and family engagement,” says Erin Mackay, associate director of health information technology programs at the National Partnership for Women & Families. “There is increasing recognition that if we expect patients to be engaged and activated partners in their care with doctors and other care team members, we absolutely have to be giving them information that is empowering. We don’t ask people to manage their bank accounts and not give them access to their checking information. And yet we expect that to happen in healthcare, and it is a little bit ridiculous.”
In 2015, Mackay’s organization helped launch the GetMyHealthData campaign to enlist people to ask health systems for their health data and report back on their experiences. The results were eye-opening. Participants received messages saying that they could have their data only if they asked correctly while some received letters asking why they wanted their data in the first place. Some were charged up to $600 with no estimate upfront about how much it would cost. Some providers were even charging for access to patient web portals that were subsidized by taxpayer dollars through the Meaningful Use EHR incentive program.
In 2016, the difficult experiences reported by the GetMyHealthData campaign and others led OCR to issue guidance clarifying for providers what their rights and responsibilities are and what they can reasonably charge patients.
OCR specified what types of fees were permitted and outlined a few options providers could use to calculate those fees. Providers could calculate the combined labor, supplies and postage costs to prepare and send an explanation or summary. Alternatively, they could charge a flat fee, and OCR suggested $6.50.
“That gives you an approximation of what OCR is thinking should be a reasonable fee for an information request,” Mackay says. “Of course that generated a lot of outrage from people who make money charging per-page fees.”
She notes that OCR was not imposing a ceiling.
“This was just one option and an easier way for providers to calculate those fees,” she says. “But this gave consumers a ballpark idea of what is or is not a reasonable fee.”
Mackay knows of one family caregiver who got a bill for $500 for her parent’s hospitalization records, which were delivered in a huge box. That volume of information was neither relevant or particularly helpful, and the fee “is absolutely outrageous.”
Providers must confer with both the OCR guidance and state laws.
“There are several states where an individual is entitled to one free copy of their record per year,” Pritts says. “That is less than what OCR might allow a provider to charge under HIPAA. In that case, the state law remains in effect, and the individual is entitled to one free copy per year. You have to go to the lowest fee, whether under federal or state law.”
OCR also reminds providers that if medical records are in electronic format, patients have a right to receive them in electronic format.
Of importance to behavioral providers, excluded from the patient right of access are psychotherapy notes, which are the personal notes of a mental healthcare provider documenting or analyzing the contents of a counseling session, that are maintained separate from the rest of the patient’s medical record. Pritts says she has seen large healthcare systems where the psychotherapy notes are maintained within the electronic health record.
“If it is retained with the rest of the electronic health record, that has to be produced for the individual when they request their medical record,” she says.
In Minnesota, patients have the right to view or receive all parts of their medical records, including psychotherapy notes.
Confusion over that issue led the Minnesota e-Health Privacy and Security Workgroup to issue a paper clarifying patient rights in the state Health Records Act.