Every year, I endeavor to get medical records from my healthcare providers and every year I run into several issues in getting those records. As a result, I am forever fighting the same battles with staff ultimately wasting their time and mine, ruining relationships with staff, and unfortunately involving the Office for Civil Rights (OCR; aka the folks that enforce HIPAA). I thought I’d share a few common issues I see arise again and again to educate patients on their rights and to educate providers on the provisions where they often have compliance issues.
HIPAA – the Health Insurance Portability and Accountability Act – is the law that requires healthcare providers to keep your protected health information private and secure. It also gives patients many rights to their records. The law should be empowering and helpful to patients, but because it is often misinterpreted or its provisions are not known to staff, the law too often puts barriers in the way of patients getting their records.
Below I present common HIPAA issues including:
- Where to start: How to ask for your records
- Getting all your records
- Taking forever to get your records
- Radiology images
- Getting records the way you asked for them (CD, email, paper)
- Side Note: Why I ask for records on CD
- Insisting a patient pick up records in person
- Sending someone else to pick up your records
- Records Fees
- Withholding records until payment
- Correcting records
- Accounting of Disclosures
I hope this will be helpful to patients and providers everywhere (just remember that none of this is legal advice).
Where to Start: How to ask for your records
Many patients don’t even know where to begin to ask for their records and honestly it’s not straightforward. Most doctors and hospitals will have a copy of their medical records release form on their website, or you can call the office directly and ask for their form. You can use this form to get records sent directly to you, to send them to other providers, to send them to family, or even to send them to companies that may be helping you gather and organize your records.
- Where to find the forms
If the form is on their website, it’s usually under a tab like “Patient forms” or “Patient information.” Sometimes, they have it under “Contact Us” but you may have to look around the site to get to it. And the name of the form may differ. It might say “medical records release” or it might say “authorization to release medical information.” Every practice varies. And most should have a fax number or email to send the request in once signed.
- What is in the forms
HIPAA Rules do not specify how the release forms are supposed to look or what they contain. While you can theoretically send in your own form, most doctors and hospitals require you to fill out their forms. You can write on the form with specific instructions. You can also add your own form or notes to their records request – just make sure to make it clear on their form to “See Attached” so they know to look for more.
Unfortunately, most of the forms I come across are missing parts that patients may want to ask for. For instance, patients have a right to ask for billing information (which is often not included when you check “complete chart”), for information held by Business Associates (which can include their lawyers, accounting firms, billing companies, and more), or for Imaging Records (see below). You can write in that you want these records too. Sometimes they have an “Other” section where you can write those instructions in, but usually it is too small to hold all the other information you may want to ask for.
- Sensitive information in your records
Most forms should have a place to initial or a notification that mental health, HIV/AIDS, substance use, and genetic information may be released. Many do not. This is sensitive information and you may want to make a note on the form if you do/do not want that information shared if you are filling out the release to let other people (other doctors, family, or companies) have your information. You are allowed to ask to restrict certain information from being shared.
If you are releasing this information to someone else, the doctor and office must respect your choice. I know many apps or companies that request information on behalf of a patient may be told they cannot get a copy of the records (because “HIPAA”). This is not true. Whoever you designate as the recipient can have a copy.
- Right to records
Additionally, the form might ask why you are asking for their records. I generally put down “continuity of care.” You have a right to your records regardless of the reason (per 45 CFR 164.524). They cannot prevent you from getting a copy of your own records.
Once you have filled out the doctor or hospital’s form and sent it in, they have 30 days to get you your records (see below on Taking Forever to Get Your Records). Because many offices still use fax machines, you may want to call or email the office to make sure they received your request.
Getting ALL your records
One of the most common issues I see is offices not giving patients a copy of ALL of their records when they request all of their records. On most records request release forms, patients can choose what part of their records they would like released. This can include medical history, immunizations, radiology reports, radiology imaging, billing, etc. And often there is a box to check off for all records (or a box for “other” where you can write “all medical records”). Time and again, though, even if you check all the boxes or you write in the space for “other” or you check the “all” box, you will not get your full records.
Most often the following will be left out:
- Billing records
- Radiology images
- Records that remain on paper
Why? There are a lot of reasons:
- Many providers and hospitals use outside records retrieval companies (Ciox and MRO are big ones and ones I’ve interacted with a lot). These companies generally only have access to electronic records. They will pull the records they have access to remotely and either print them, email them, or put them on CD. However, there is a lot they do not have access to.
- Billing records are often not kept in the same repository as your other medical records. A provider has to specifically ask their billing company to get those records for you. Because offices often forward requests directly to their records retrieval company without reading them, they skip over what you actually marked and assume you just want your medical records.
- Radiology images are also kept in a different location – namely, the radiology department. Often, they will send you the radiology reports but not the images. However, those reports are often not helpful for your doctors who usually want to see the actual images. (I’ll discuss images more below).
- Finally, records that you filled out on paper. A lot of doctors have patients fill out paper forms when they come in. These can be administrative records like a consent for treatment or a form that asks you to rate your pain. Some doctors don’t scan these into the electronic record but still keep them in the office. If they keep those records only on paper, obviously a records retrieval company will not have access to them, so they get left out.
Providers often get away with not providing all records because patients trust that when they request their records, they will receive all of their records. Additionally, some medical records can be incredibly long and it can take patients a really long time to look through it all (a recent 4 day hospital stay of mine resulted in about 450 pages from just the medical chart, not including billing). And even if you look through it all, unless you are looking for something specific and know what it looks like, you may not realize that anything is missing.
Because of these issues, I have taken to asking staff when I turn in the records request form to please be sure to include all of my records, including billing, radiology images, and anything that may not be accessible to a retrieval company. Patients have a right to all of these records. That right is described in the law at 45 CFR 164.524(a)(1). Not receiving all your records when you ask for all your records is a HIPAA violation.
*Note: Psychotherapy notes, and information compiled in reasonable anticipation of (or for use in) a civil, criminal, or administrative proceeding, are excluded from the right of access and may be withheld.
Taking forever to get your records
Providers have 30 days to get you that information and may take one 30-day extension if it takes them a little longer to find everything, but only if they tell you in writing, within the first 30 days, why they need more time and when they expect to finish (45 CFR 164.524(b)(2)). This deadline is often not met and is one of the biggest reasons the OCR is contacted. Sometimes the reasons for the delay are technical (i.e. if you faxed it and the fax didn’t go through). Other times, these are systemic issues where a provider is not set up to receive and handle requests in a timely manner. Unfortunately, offices rarely take the time to call the patient and say a simple “Hey, we’re running a little behind on getting your request together, can we have a little more time?” which ultimately would save a lot of consternation. Patients can always call and ask for confirmation that the office got the request and for a status update – though I have found that this annoys staff and does not often help the process.
At times, records may be taking forever because they are lost in the mail. Too often providers do not use tracking to make sure your records get to you. They can charge you for tracking (see below in the Fees section), so you can request that they not be tracked if you don’t want the fee, but this puts a lot of your information at risk. I have had records lost multiple times or sent to the wrong address. I have had records damaged. And of course, someone can always intercept your mail (luckily I haven’t lost records this way, but I have had mailboxes broken into and mail opened by others). Many times records are on unencrypted CDs or simply in paper format and include my driver’s license, Medicare card, and of course much more sensitive health information, all of which I prefer not to be open to the public. Problems with mail are rarely considered a breach under HIPAA law (e.g. – only if the provider somehow negligently or intentionally sent your mail to the wrong place), so filing a complaint about it may not get you anywhere. But you will want to check in with the office if you think your records are taking too long and you may check in with your mail carriers (e.g. – USPS, UPS, or FedEx) if you have a tracking number or if you suspect your mail could have been intercepted.
Ultimately, if you want your records, be prepared to wait. It can take the full 30 days or more, especially if you are chasing down all records they forgot to include or they are lost.
Radiology images
One of the items that is quite hard to get is your radiology images. As mentioned above, they are generally located elsewhere. However, if you do get your radiology images you may face other issues. These days, radiology images generally come on a CD with a viewer program that you open on your computer and that looks complicated. You can usually export the images to .jpg files (or even .mov files for some MRIs) on your computer if you look around. This can be quite confusing if you aren’t a smidge tech savvy, so I’ve known many patients to give up on trying to look at them or store them themselves. You can just keep the disc and bring it to your doctor directly and they usually can open it on their computer and look around. However, I have had some radiology discs come with software that is not compatible with certain operating systems, making the CD virtually useless.
Patients have a right to their radiology images and to have them in a readable format. Technically this can be a printout or a .jpg image (both of which are substandard if you are trying to keep good records and virtually useless to radiologists). So having a disc that you can open on your computer and look around is best practice. However, you can agree with the provider to provide you with the printout or picture files if that’s all you want.
Getting records the way you asked for them (CD, email, paper)
This is literally the biggest issue I have with providers. I cannot count the number of times I have had to talk to providers about the fact that they did not give me my records in the format I requested – which is almost always on CD or USB.
45 CFR 164.524(c)(2) says that a provider has to give you your records in the “form and format” you request. Essentially this means, if I ask for a copy of my records on CD, they must send me a copy of my records on CD. If the records are on paper, generally, the office must scan them in and give you an electronic copy. If the office says they cannot provide you with a copy in the format requested, they have to work with you and you have to both agree to a different format.
Some providers will say, “We don’t have CDs.” While the office cannot technically be forced to go buy CDs, the law is clear that they have to be able to provide your records in some sort of electronic format. Specifically, as Health and Human Services (HHS) explains, “while a covered entity is not required to purchase new software or equipment in order to accommodate every possible individual request, the covered entity must have the capability to provide some form of electronic copy of [personal health information] maintained electronically.” That may mean emailing your records to you, though this may be problematic if you have hundreds of documents, as email inboxes usually have size limits.
The HHS specifically highlights that if your records are “maintained electronically by a covered entity, the entity is required to have the capability to provide some form of electronic copy (see 78 FR 5633, https://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf – PDF) – and this means that some covered entities may need to make some investments…in order to meet this baseline requirement.” To interpret this broadly, an office might consider investing in a stack of CDs or a few USBs (you can buy them in bulk) to have on hand for any and all patients who wish to have their records in this format. It’s a small investment to meet the baseline requirement.
Quite frankly, I have yet to meet an office that cannot put records on a CD or USB or scan them into a file to email to you. In today’s world, most computers come equipped with the ability to do this. Some computers no longer have CD drives, but most still have USB ports. And most offices have copiers that scan – with most scanners having the ability to save to electronic files. Additionally, most offices now use electronic medical records and these programs have export functions that create electronic files. Often not wanting to provide a CD or USB is because they don’t want to either go out and get one or they are just too lazy to copy it over. It’s not that hard though, and patients should not accept such flimsy excuses when they request their records.
I do not know why this is such a problem for offices to comply with and it is one of my greatest frustrations.
Side Note: Why I ask for records on CD
I am a stickler about asking for my records on CD and making sure they come to me on CD because it is very important to me. I should not have to explain this to providers, but I find myself having to far too often, so I’ll share it here too:
First, why do I need my records (I promise this ties into the CD issue)? In any given year, I have 5-20 providers that have some of my medical records. I make sure to collect these records because I have so many providers and often many new providers. More often than not, a provider will ask me a question about my medical history – a previous lab result, notes from a procedure, specifics of an appointment with another provider. You’d be surprised how often it comes up and how random the questions can be. Finding a lab result for B6 from an inpatient hospital stay from 4 years ago. The surgical report for my elbow surgery in 2002. The number of times I’ve had to pull something up for a provider (and they are often astounded I can) is quite impressive. And every time it informs my care and improves outcomes.
I am also on disability and need to keep records for disability reviews. While the Social Security Administration (SSA) does at times get records on their own for these reviews, they often miss many records, especially older records that may be relevant. Having the records myself can help me ensure that I have the information available for the SSA and provide everything they need to understand my case. In my experience it is best not to trust the SSA to get your documents, and to make sure to read them all before any review or application, so that’s what I do.
Basically, I have a lot of records and I need access to them. CD is the best format. I have done this a long time and before the rules came out saying that I could ask for records on CD, I got them on paper. Hundreds and hundreds of pages that I had to scan in by hand. Paper records are terrible. They are easily ruined – torn, waterlogged, etc. (mine were recently destroyed by a post office error). To scan them in (if you have a scanner, which many patients do not) can take hours and hours of time. Hours, that this patient cannot put in anymore. Generally the scanner feeder doesn’t work because things get jammed and technical issues abound. You miss a page or a page is damaged, etc. (Interestingly, hospitals used to make the argument they didn’t want to provide electronic copies because they didn’t want to pay their folks to sit and scan things in – yet they were happy for patients to do that work…). CDs work better.
Paper records also have the added problem of their sheer size. I cannot carry or keep that many records in paper form. They add up and they are heavy. Not to mention, I cannot leaf through them with any ease if I need to find something specific. CDs however, are small and light and can be easily stored and called up. CDs work better.
CDs allow me to upload my information electronically. I can back it up in several places and store it in the cloud so I have the ability to call them up as needed. As there’s no one repository for patient records (interoperability is a long way off and fraught with its own issues), I have made my own repository and it has served me well.
One could say that having a provider email them to me might work. But electronic records can fail. If I don’t have access to internet and I can’t get to my emails or the files in the cloud. If my computer crashes and my files are lost. If my email is hacked or emails are deleted by accident. Then what? This is why I like a CD. It is a hard copy. It is a copy I can keep with me and reboot to my computer should something happen.
For me, nothing else will do – not paper or email or any other format, just CDs (or USB).
And yet, this seems impossible with some. I, however, will not take a “no” or a “we can’t” or “we don’t do that.” It is my right to have a copy of my records sent in the form and format requested and I will fight for my rights.
Insisting a patient pick up records in person
I have on several occasions been told that I have to come to an office to pick up my record. To which I say, “Nope.” As HHS clearly states: “A covered entity also must provide access in the manner requested by the individual, which includes arranging with the individual for a convenient time and place to pick up a copy of the PHI or to inspect the PHI (if that is the manner of access requested by the individual), or to have a copy of the PHI mailed or e-mailed, or otherwise transferred or transmitted to the individual to the extent the copy would be readily producible in such a manner.” And further, “Thus, a covered entity may not require that an individual travel to the covered entity’s physical location to pick up a copy of her PHI if the individual requests that the copy be mailed or e-mailed.”
This is important for many reasons. Many patients with chronic illness or disabilities cannot make random trips to a doctor’s office or hospital to get their records. Others may not have money for gas or any transportation at all. And still other folks who work may not have the time off to pick them up during business hours. Mailing or emailing the records is what needs to happen if that’s what the patient wants.
Sending someone else to pick up your records
If a patient does want to send someone else to pick up records, or wants the records mailed or emailed to another person, that can be accommodated. There are two different parts to this. First, there are the folks who count as “personal representatives.” Personal representatives are people who may have a medical power of attorney or another document saying that they can act on the patient’s behalf. In this case, under 45 CFR 164.502(g), the provider essentially has to treat the personal representative as if they were the patient.
The person does not have to be a formal “personal representative” to pick up the patient’s records or have them mailed to them. If a patient wants another person to have access to those records, all they have to do is put in writing that they want another person to receive them, clearly identify who that person will be, and sign it (see HHS guidance here). A lot of people who are caregivers for their parents or significant others helping out their loved one may choose to do this. And while I have not had to deal with this, I know many providers who have tried to make this nearly impossible.
Records Fees
Records fees are a huge hurdle for patients. Under HIPAA (45 CFR 164.524(c)(4)), providers can charge “reasonable fees,” but “reasonable” is pretty vague other than that the fees can include labor, supplies, and postage. HHS has given some guidance to providers which can be found here. Most notably in this guidance, providers have to be able to tell you in advance how much you may be charged if they are going to charge you specifically for each item. For instance, if they are going to charge you for actual labor costs and actual postage, they have to be ready to tell you how much that will be. Additionally, a per-page fee is only allowed for copies of records kept on paper; if your records are maintained electronically and you have them put on a CD or USB, they cannot charge you per page.
HHS however implores providers not to charge fees for records. They see these fees as barriers to care, especially for those who are poor. Specifically they say:
“Further, while the Privacy Rule permits the limited fee described above, covered entities should provide individuals who request access to their information with copies of their PHI free of charge. While covered entities should forgo fees for all individuals, not charging fees for access is particularly vital in cases where the financial situation of an individual requesting access would make it difficult or impossible for the individual to afford the fee. Providing individuals with access to their health information is a necessary component of delivering and paying for health care.” (bold added)
To make things more complicated, each state has its own medical records fees laws. Patients will need to investigate what their state allows to ensure they aren’t being overcharged. A list of state records fee schedules can be found here. Note that HIPAA does not simply override state law: it preempts only state laws that are contrary to and less protective than HIPAA (45 CFR 160.203). A state law that gives patients greater rights or caps fees lower than HIPAA would allow still applies, so a provider must follow whichever rule results in the lower fee.
Here’s an excerpt from a recent OCR decision specifically on the issue of fees. In this case, a Colorado patient asked for records and was sent an absurdly high bill. After trying to explain to the doctor’s office that this was an unreasonable fee, they filed a HIPAA complaint and the OCR responded with the following:
Withholding records until payment
Some providers try to withhold records because a patient may have an outstanding bill. This is not allowed. Additionally, to my knowledge, there is no provision that says that patients have to pay upfront for their records. Some offices may insist on this but there is no provision that says they can withhold records because you do not pay upfront. And since you have a right to your records, it seems perverse that you would never be able to get them because you cannot afford them.
Correcting records
One reason to get your records in the first place is to ensure that the information in your records is correct. I have type 1 diabetes and yet far too many of my records (usually hospitals) will write down type 2 diabetes (probably sheer laziness and stigma). These errors can cause huge problems down the line, so asking to correct them is an important right patients have under HIPAA (45 CFR 164.526).
Essentially, to correct your record you submit an amendment request. You fill out what the incorrect information is and what the right information should be, and the provider has 60 days to say whether they’ll make the amendment. Unfortunately for patients, providers can deny this request. If they deny it, they have to tell you why and give you a chance to write a statement of why you think they are wrong, and they have to keep that statement with the record.
If they do amend the record, the old entry technically still remains in your chart. It never really goes away. It’s like using a red pen to cross it out and writing in the correct information: the red pen will always exist. It is still worth requesting the amendment (and submitting a statement of disagreement if they refuse to make it).
Accounting of Disclosures
Few people know about accounting of disclosures (even some providers). It’s not kept with your regular records, but it’s an important part of your records. When you request records, you can specifically ask for an accounting of disclosure (or ask separately). Be sure to point this out though as it’s often skipped (like billing and radiology images).
An accounting of disclosures (45 CFR 164.528) is a list that providers have to keep of the times they give your information to others outside of your treatment, payment, and the provider’s own operations. There are a lot of exceptions as to what they do not have to keep track of. For instance, they don’t have to keep track of when they talk to your insurance carrier or other providers involved in your care, or of disclosures to national security agencies. But they do have to keep a record when they share with public health agencies (usually for state reporting purposes) and in many other cases.
What I find is that providers often don’t keep these accountings as they should, and when they do, they don’t keep all the information they are required to. For each disclosure in the accounting, they have to give you:
- The date of the disclosure;
- The name of the entity or person who received the protected health information and, if known, the address of such entity or person;
- A brief description of the protected health information disclosed; and
- A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure
It’s that last point that is often missed. They have to tell you why they disclosed your information, and writing “mandatory reporting” is not going to cut it.
Unlike your medical records, they have 60 days to get this information to you but don’t hold your breath for it.
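The four required elements above are easy to check mechanically, and the most common failure (a purpose that names a category but not a basis) is easy to flag. The checker below is an added example, not the author’s code or anything from an EHR vendor: it audits a disclosure log against those four elements and applies the six-year lookback that 45 CFR 164.528(a)(1) sets for an accounting request. The log entries are constructed for illustration, and the list of “too vague” purpose phrases is an assumption, not an HHS-published list.

```python
"""Audit an accounting-of-disclosures log against 45 CFR 164.528.

Added example. Each entry must carry the four elements in 164.528(b)(2):
date, recipient (with address if known), a brief description of the PHI,
and a purpose that actually states the basis for the disclosure.
"""
from datetime import date

REQUIRED = ("date", "recipient", "description", "purpose")

# Purpose strings that name a category without giving a basis.  This set is
# an illustrative assumption, not a list published by HHS.
VAGUE_PURPOSES = {"mandatory reporting", "required by law", "as required", "other"}

# Constructed sample log: one complete entry, two deficient ones, and one
# older than the six-year lookback.  Not from any real provider.
SAMPLE_LOG = [
    {"date": "2018-03-02",
     "recipient": "State Department of Public Health, 1234 Main St, Denver, CO",
     "description": "Lab report: HbA1c and serum creatinine, 2018-02-27",
     "purpose": "Diabetes registry reporting required under state public-health statute"},
    {"date": "2018-03-09", "recipient": "State Department of Public Health",
     "description": "Immunization record", "purpose": "mandatory reporting"},
    {"date": "2018/03/15", "recipient": "", "description": "Discharge summary",
     "purpose": "Court-ordered disclosure in case no. 18-cv-0012"},
    {"date": "2011-01-20", "recipient": "County vital records office",
     "description": "Birth certificate worksheet", "purpose": "Vital statistics reporting"},
]


def parse_iso_date(s):
    """Return a date for a YYYY-MM-DD string, or None if it does not parse."""
    try:
        return date.fromisoformat(s)
    except (TypeError, ValueError):
        return None


def check_entry(entry):
    """Return the list of deficiencies for one entry (empty if it passes)."""
    problems = []
    for key in REQUIRED:
        if not str(entry.get(key, "")).strip():
            problems.append(f"missing {key}")
    if entry.get("date") and parse_iso_date(entry["date"]) is None:
        problems.append("date not ISO-8601 (YYYY-MM-DD)")
    purpose = str(entry.get("purpose", "")).strip().lower()
    if purpose and purpose in VAGUE_PURPOSES:
        problems.append("purpose does not state the basis for the disclosure")
    return problems


def in_lookback(entry_date, request_date, years=6):
    """True if the disclosure falls within `years` before the request."""
    try:
        cutoff = request_date.replace(year=request_date.year - years)
    except ValueError:  # request dated 29 Feb: use 28 Feb of the cutoff year
        cutoff = request_date.replace(year=request_date.year - years, day=28)
    return entry_date >= cutoff


def audit_log(log, request_date):
    """Select the entries an accounting for `request_date` must include and
    audit them.  Entries with an unparseable date are kept in scope because
    they cannot be excluded without a human looking at them.
    Returns (in_scope_indices, {index: problems})."""
    in_scope, findings = [], {}
    for i, entry in enumerate(log):
        d = parse_iso_date(entry.get("date"))
        if d is None or in_lookback(d, request_date):
            in_scope.append(i)
            problems = check_entry(entry)
            if problems:
                findings[i] = problems
    return in_scope, findings


def audit_sample():
    """Run the audit on the constructed log for a request dated 2018-06-01."""
    return audit_log(SAMPLE_LOG, date(2018, 6, 1))


if __name__ == "__main__":
    scope, found = audit_sample()
    print("in scope:", scope)
    for idx, probs in found.items():
        print(f"entry {idx}: " + "; ".join(probs))
```

Run against the sample log, the 2011 entry drops out of scope, the first entry passes, the second is flagged for its “mandatory reporting” purpose, and the third is flagged for the empty recipient and the non-ISO date. The checker says nothing about whether a disclosure should have been logged at all (the exceptions in 164.528(a)(1) decide that); it only confirms that what was logged would satisfy a patient’s request.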
Anyone who knows me knows that I prefer email with my providers. I do not use patient portals for messages. Getting providers to use email though is like pulling teeth. They’ve all been sold the line by medical records companies that portals are the only “secure” way to send messages. And while some portals may have encryption to help with privacy and security, some personal email accounts also have a feature to encrypt (the provider’s email should already be encrypted or they are running dangerously close to more HIPAA problems). You can read the letter I give my doctors on using email here.
Needless to say, if you want to talk to them by email, they must accommodate this request, per 45 CFR 164.522(b). They cannot force you to use a portal or mail letters to you. All they have to do is send you a message that says “email may not be the most secure method for communication” (though many fail to give this warning at all) and they can presume you take on the risk if you email them.
Why this needs to be a fight is beyond me. It’s 2018. Everyone uses email. People know the risks (or at least most people I know). It’s the easiest and fastest way to communicate. Portals are not all they’re cracked up to be and generally present many more problems than they solve. You can read why I gave up on them here.
Retaliation is forbidden under HIPAA. A provider may not “threaten, intimidate, coerce, harass, discriminate against, or take any other retaliatory action against any individual” for filing a complaint or opposing unlawful acts (45 CFR 160.316). Unfortunately, providers are quick to retaliate when a patient says that they might be violating HIPAA. This can come in the form of cutting off care all together or siccing a lawyer on you.
Providers unfortunately fear lawsuits unlike any other profession. Their fear is generally unwarranted and overreactive. When it comes to HIPAA, what they don’t realize is that if you report them (a) you will get NOTHING out of it monetarily. There is no right to sue (called a private right of action) and reporting to the OCR is not a lawsuit. Moreover, they are likely never to see a fine or any disciplinary action (see below). But everyone reads of the million dollar settlements for privacy breaches and somehow think that they too will get a fine that big…
Filing a HIPAA complaint
If the provider is not following HIPAA, you can provide them with the citations in law and share the guidance from HHS but 9 times out of 10, they won’t listen. This is where filing a HIPAA complaint comes into play. I have filed far too many HIPAA complaints and “won” too many. It’s a good tool for patients but it is incredibly inefficient for everyone involved.
To file a complaint, go to the OCR portal found at: https://ocrportal.hhs.gov/ocr/cp/wizard_cp.jsf (or go to https://ocrportal.hhs.gov/ocr/cp/complaint_frontpage.jsf and select the link under “Health Information Privacy” that reads “File a Health Information Privacy Complaint”). In the portal, you’ll fill out your information and the provider’s information. There is a space to write what the problem is and under that you can attach files that might support your case. If the description of the problem takes longer to write out than the space allows, I will write a Word document and upload that. Once you submit it, they’ll give you a confirmation number and you can choose to print the complaint (I highly suggest you do this).
Response times for HIPAA complaints vary but typically take a few weeks. The OCR is underfunded and overworked so everything takes a bit more time. They generally read your complaint, contact the provider, and offer the provider “technical assistance” (meaning they told them what the law is and to follow it). Then they send you a letter recapping what law they looked into and explaining your rights and notifying you that they gave the provider “technical assistance” and they are closing the case. They tell you if the problem persists to contact them (which means to file a new complaint referencing the last complaint). There is no appeal if they say they didn’t find any HIPAA violations, you are stuck with whatever they come up with, whether you agree or not. Hopefully though, the provider will have shaped up and fixed the problem so everyone can move on.
As above with retaliation, while they are not allowed to retaliate for a claim, it doesn’t mean they won’t try.
Why is it so difficult? Training and Accountability
In general, HIPAA is problematic because providers do not know the law and see it simply as an administrative burden. Better training is desperately needed in the healthcare field to correct the issues outlined above and to fully comply with all provisions of the law. While doctors, nurses, and staff have to undergo regular training, there is no standard for that training. Trainings differ widely – from online courses to lawyers giving lectures. HIPAA does not dictate what must be in those trainings. Thus, because training is so disparate, each office is often left with wide gaps in its understanding of the law and its intent, and HIPAA issues abound.
Each provider has to appoint a Privacy and Security Officer who is in charge of HIPAA but that’s not always helpful. Some of these officers do not know much either. And even if they do know the law, that does not trickle down to staff or providers who may be the ones violating HIPAA. Further, you have no right to talk to the officer. You can ask to speak to them, but they do not have to talk to you. If a provider or staff say they won’t pass the issue on and won’t have the officer call you, there is nothing you can do.
In addition to this, there is little accountability (ironic given the title of the law). Patients can file complaints with the OCR if they believe there is a HIPAA violation, but that’s it. Patients cannot sue providers (filing a complaint is not a lawsuit, it is just a complaint). The OCR has the final decision. There is no ability to appeal OCR decisions, which are generally nothing more than a slap on the wrist – no fine, no real repercussions. Providers don’t always know this and fear the wrath of the OCR (spoiler alert: there is no wrath). But once they go through the process of a complaint, they realize that there aren’t real repercussions and thus there is no incentive to comply.
The OCR is supposed to be doing random HIPAA audits of providers. But those audits generally focus on security issues – things like whether they encrypt your records and have completed a risk assessment. The most they may do when it comes to compliance with helping patients get their records is to see if the provider has a policy and procedure manual that tells staff what they should do (honestly, they don’t even care if the provider follows this manual).
Ultimately, between poor training, lack of accountability, and no great incentives to comply, it is not all that surprising that HIPAA compliance is so poor and these issues arise again and again.
Why this all sucks
Honestly, all of this sucks. It sucks that patients’ records requests are not being fulfilled properly. It sucks that patients and providers end up wasting so much time trying to deal with all these problems. It sucks that doctors, nurses, and staff are so poorly trained. It sucks that providers become contentious and doctor-patient relationships can be ruined. It sucks that sometimes the only people providers will listen to are those calling from the OCR. It sucks that many patients don’t know their rights and get screwed over because they just accept what providers tell them, even if that’s not what they want or need.
And mostly, it sucks that this law (HIPAA) which is meant to protect patients and empower patients is so deeply misunderstood and misused.
Because when HIPAA does work, it improves healthcare. When patients can get their records (all of them), they can have better conversations with their doctors (all of their doctors, for years and years to come). When patients can get their records, it can improve trust with providers. When patients can get their records, they can go on to look up information to understand their diagnoses better. When patients get their records, they can find errors that can be amended to avoid future harm.
It should not be this hard. There is absolutely no reason for records requests to be this hard or to be contentious. There is no reason that providers and staff need to dismiss patients when they explain provisions of HIPAA as they assert their rights. There is no reason that patients should have to contact the OCR. It just shouldn’t happen. And yet it does…
I’ll keep working on getting my records and weathering the absurd HIPAA issues I face. I’ll keep letting providers know when they get it wrong because if they’re doing it to me, they’re doing it to others. I’ll keep tweeting about my experiences because I think it can help others understand their rights. And I’ll keep wishing that I could retrain every provider everywhere (I actually have a full compliance package if anyone wants to take me up on that).
- HIPAA Privacy Rule (Code of Federal Regulations, aka CFR citations)
- HHS Guidance to providers on access to records (useful for patients)
- HHS Guidance to Patients on their records (much more of an overview)
- HIPAA FAQs
- HHS explaining the complaint process
Some of my writing on HIPAA
- Privacy and security of patient data in the cloud (IBM developerWorks)
- Should Apps with Personal Health Information Be Subject to HIPAA? (EMR & HIPAA)
- Why You Shouldn’t Take Calculated Risks with Security (EMR & HIPAA)
- HIPAA and Trust
Update 8/8/18: A previous version of this post did not contain the section entitled “Why is it so difficult? Training and Accountability.”
Update 8/9/2018: A previous version of this post did not contain the tweet by @GilmerHealthLaw.
Update 8/14/18: Additional information was added to the section entitled “Getting records the way you asked for them (CD, email, paper).”
Update 8/16/18: Additional information was added to the section entitled “Taking forever to get your records.”
Update 8/17/18: Additional information was added to the section entitled “Records fees.”
Update 6/4/19: A section on “Where to Start: How to ask for your records” was added. Further information was added to the section entitled “Records Fees.”