Patients have a right to access personal health information

Confusion exists about how and when patients can access their personal health records under the Health Information Portability and Accountability Act.

When patients request access to their medical records, what to provide and how best to do so can be tricky. Does the practice have to allow access to everything? Can the practice charge a fee? If so, how much? Can patients provide their own thumb drives? Can the information be e-mailed? These questions are all answered in new guidance on this topic released by the Centers for Medicare & Medicaid Services.

The Health Insurance Portability and Accountability Act (HIPAA) privacy rule requires that clinicians provide individuals, on request, with access to their personal health information. This means that the patient (or his/her personal representative as defined by state laws) has the right to inspect and/or receive a copy of the information and/or request that it be transmitted to a designated person or entity. Individuals have a right to access this personal health information regardless of the date the information was created, whether it is maintained on paper or electronically, or where it originated, such the current clinician, another clinician, or the patients themselves.

The new guidance clarifies a number of issues that come up most often. Patients have a right to personal health information in the “designated record set” about themselves, including medical records, billing and payment records, lab results, medical images such as X-rays, wellness and disease management files, and notes.

The rule expressly excludes psychotherapy notes and information related to any court proceedings (civil, criminal, or administrative) from the “designated record set.” Also excluded is anything that is not needed to make decisions about the patient, such as quality reporting, patient safety activities, or practitioner performance evaluations.

The form and format of the information matter. The personal health information must be in a readable paper or electronic format agreed to by the requesting patient. If the patient wants an electronic copy, and the chart is only on paper, then a scanned copy or other agreed-to electronic alternative will suffice. If the patient requests an electronic copy of personal health information, the clinician must offer it in the requested electronic format, if it is readily producible in that form and format. If not, an alternative readable electronic format should be provided.

The law does not require the purchase of new software or equipment to fulfill the request, but the patient must be offered some reasonable alternative if possible. If the individual declines to accept any of the electronic formats readily producible, then a readable hard copy of the personal health information, or a summary thereof, can satisfy the request if the patient agrees to it.

Access must be provided in less than 30 days and in a manner convenient to the requestor (within reason). For instance, the practice may request that the patient pick up the records, but the patient may prefer to receive the records another way, such as mail or e-mail. The particular mode of transmission will be based on the capabilities of the system used and the level of security risk associated with the mode of transmission.

Based on a security risk analysis, the practice is not expected to tolerate unacceptable levels of security risk in responding to requests for access. If the patient chooses e-mail transmission and file size is not prohibitive, unencrypted e-mail may be used even though there are security risks to the personal health information while in transit, as long as the patient has expressly accepted those risks.

Clinicians may require that requests be in writing and may offer the option to use electronic means (e.g., e-mail, secure Web portal) for requests or use their own request form. Reasonable cost-based fees may be charged for postage, labor, and supplies (within state limits, where applicable). Due to security and computer integrity, it is highly recommended that practices provide the data on their own CD, DVD, or thumb drive, thus not allowing any outside media.

Fees may not include costs of verification, documentation, search and retrieval, system maintenance, or costs for data access, storage, or infrastructure, even if such costs are authorized by state law.

Detailed guidance on providing patient access to personal health information, including grounds for denial of access, is online . For more on HIPAA, see the related story in this issue.