When we discuss HIPAA most of the articles have been on security and breaches, but HIPAA goes well beyond privacy and Security. One aspect of the HIPAA rule is the “Right of Access”.
OCR (The Office for Civil Rights – the branch of HHS the enforces HIPAA) is enforcing this law even more strongly since the 21 Century Cures Act was published. OCR has begun to levy fines against organizations that are in violation of the “Right of Access” rule.
What is the Right of Access Rule?
When a request is made for access to medical records, HIPAA-covered entities must provide access or supply a copy of the requested medical records as soon as possible, but no later than 30 days after the request is received.
Here are some frequent questions I get about the Right of Access Rule:
If a patient has a balance can I withhold their records until the bill is paid?
NO you cannot withhold records even if the patient has a balance.
Can I charge for providing a copy of the medical records?
Many state rules allow you to charge a fee for providing copies of medical records, but I recommend waiving that fee when the request comes from the patient. The amount you charge would not be much and if you are delayed in providing the records you may be investigated and experience a fine. Just recently NY Spine Medicine , a private practice in New York, settled a violation of the Right of Access Rule for $100,000.
How am I required to provide the records?
Patients have the right to request the format of the records (paper or electronic). When you are able to, you must provide the records in the requested format. That being said your EHR may have limitations on how it can produce the record, or you may not have an EHR. If a patient requests a copy of their records on a CD, but your EHR can not burn a CD you can tell the patient that option is not available but you then need to tell them which options are available. Other electronic methods may include flash drives or pushing the records to the patient portal. If you do not have an EHR and the patient requests electronic copies of their records you can tell them, you do not have their records in electronic format and then provide them in paper form.