Any discussion of health record access rights must begin with the laws that govern them. Your personal health records, which document your medical history and care over a lifetime, are largely in the control and possession of others. Legally, your health records, housed in various healthcare establishments, are considered property. You, the patient, do NOT own your health records (except in New Hampshire), but federal and state laws guarantee access to your health records. Getting your health records is important for coordination of care and second opinion consultation. As the picture below shows, the first step to obtaining your “shareable” health records is to know your legal rights pertaining to health record access.
Because healthcare providers and hospitals do not willingly provide you with copies of your health records (and often do not even want you to look at them), you must exercise your legal rights to inspect and/or receive a copy.
As “property”, the rights of ownership, access, and privacy of health records have been spelled out (or not) by various federal and state government laws over the years. If you tried to get your health records (or even copies of them) before 1996 (when HIPAA (Health Insurance Portability and Accountability Act) was passed), you could have been legally denied access. HIPAA is the foundation for most of your health record access rights today. The law has been updated to take into account electronic (digital) health record access rights. In addition to federal laws governing health record access rights, all states have enacted their own laws and regulations governing health records and the information found within them. When a federal law is “silent” or vague about some aspect of health records, then state laws govern.
In the discussion below, I will not be discussing the very important health record privacy, security, or amendment rights (having errors corrected) of HIPAA. This blog post is only about health record access rights. I strongly encourage you to look at the excellent online resource for the consumer available from the World Privacy Forum to get a better understanding of all your rights under HIPAA. State laws will only be touched on, and I encourage you to look at your state-specific laws that affect our health record access rights.
The Health Insurance Portability and Accountability Act (HIPAA) is the single most important law governing your health record access rights. Most people think it is only about health record privacy and, if you are like me, you probably are sick of constantly signing HIPAA legal forms (you have stopped reading) every other time you see your healthcare provider. All this emphasis on privacy (and not access) makes me think that the only people who access my health records are me and my healthcare provider (unless I give my permission to do so, of course). In researching the law, I found that there is a fair amount of “legally condoned sharing” of my health records going on without my knowledge. While my health insurance company, various behind-the-scene intermediaries, government agencies, and medical researchers all have easy access to my health records, I am constantly amazed at the stiff resistance and hoops I have to go through to access my health records. To function as a patient advocate for friends and family, I must have written permission of the patient (or a health care power of attorney) to access their health records.
As with all laws, terms must first be defined and three terms of interest for health record access rights include:
- Health care – “care, services, or supplies related to the health of an individual”. This broad definition then lists specifics, which pretty much include all health services (and products) I could possibly think of.
- Protected health information (PHI) — “individually identifiable health information” that is shared or maintained in any form or medium (paper, electronic, etc.).
- Covered entities — include healthcare providers, hospitals, pharmacies, nursing homes, acupuncturists, physical therapists, dentists, health insurance plans, medical device and equipment dispensers, healthcare clearinghouses, and a host of other behind-the-scenes businesses that handle protected health information.
- Designated record set — defined as the group of medical and billing records maintained by my healthcare provider (includes hospitals, pharmacies, nursing homes, dentists, health insurers, etc.) and used to make decisions about my healthcare.
What exactly is contained in a “designated record set”? Because HIPAA is at times vague, others have had to define the specifics. According to Gwen Hughes in “Defining the Designated Record Set” in the AHIMA Body of Knowledge, the “designated record set” is composed of three parts:
1. Clinical records—includes history and physical examination report, vital signs, orders, medical notes (e.g., progress, outpatient clinic), lab reports, assessments, medical consult reports, clinical reports (e.g., radiology, operative, pathology), hospital discharge summaries, and authorizations/consents
2. Source (“raw”) Clinical Data —includes X-rays, images, fetal strips, videos, pathology slides. This is data that comes from medical equipment (the source).
3. External Records and Reports—records from other healthcare providers or patient generated records
Your Health Record Access Rights Under HIPAA
As anyone who has ever asked to inspect or get a copy of their health records can tell you, the healthcare providers who have possession of the records are not always pleased to comply with your request. Knowing your health record access rights makes compliance with the law by healthcare providers and hospitals more likely. These rights include:
1. The right to inspect and/or receive copies of the protected health information (PHI) in one or more “designated record sets” from any “covered entity”.
2. The right to access health records in a specific form and format maintained in one or more designated record sets; or, if not, in a readable hard copy form or such other form and format as agreed to by the covered entity and the individual. If the request is for a specific electronic format, then the covered entity must comply, as long as the information is readily reproducible in that format; or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual.
3. The right to a timely response (30 days from the date of the request)
When requesting a paper health record copy, HIPAA allows healthcare providers to charge a reasonable, cost-based fee that includes only labor costs for copying, the cost of supplies for creating the paper copy, and the cost of postage. Any other charges are not allowed by HIPAA (e.g., you cannot be charged for searching for or retrieving records).
With the widespread use of electronic copies, recent (February 25, 2016) guidance by the federal Office of Civil Rights encourages healthcare providers to offer patients electronic copies of their health records free of charge. Patients cannot be charged for health records in Electronic Health Records (EHRs) nor for any per-page electronic copies. Providers can charge for a CD-ROM or USB drive if the patient wants the health record on a portable device. Any charges must be discussed in advance. Your electronic health records can also be emailed to you if you accept the slight security risk of unauthorized email interception.
If you do not know what form or format you want, then ask the healthcare provider or hospital (“covered entity”) what formats are available. If the records are available in electronic form, you will want them in a format that can be used by other health professionals for coordination of care or second opinion consultation.
More in-depth information about access rights, especially about the process of requesting access, can be found in the Federal Regulation, 45 CFR 164.524 – Access of individuals to protected health information, which governs these HIPAA rights. If a healthcare provider or hospital denies your request for access to your health records under HIPAA regulations, then you can lodge a complaint per the rules given in 45 CFR 160.306 – Complaints to the Secretary. Complaints must be made in writing, and specifics can be found on the federal government’s website.
It is important to understand that while HIPAA guarantees health record access rights, it is “silent” on many aspects of health records that can impact access: ownership rights, health record maintenance, and disposal of health records, to name a few. In addition, federal laws preempt (take precedence over) any state laws already enacted unless the state law is considered “more stringent” (i.e., gives the consumer “more” rights) than the federal law. For example, a state might require that a patient must be able to inspect their health records within 20 days of requesting them versus the 30-day response time in HIPAA, but it cannot enact a 40-day response time. State laws need to be constantly reassessed as HIPAA is updated.
The state-specific laws vary from state to state and the details are beyond the scope of this blog post. Let me highlight a couple of areas for thought. For the vast majority of Americans, the person or organization holding the health record (the healthcare provider or hospital) generally owns your health records AND the information found within them. It should be noted that some state laws make distinctions between the information in the medical records and the physical record (like an X-ray or image) when describing ownership rights (an important concept when money can be made from the information in the record by the owner).
It is important to keep in mind that any sensitive information you disclose to your healthcare provider or hospital (or input into their Electronic Health Records (EHRs)) becomes part of THEIR health record and the information is now “owned” by them. Your Personal Health Record (PHR), which you maintain and “own”, would be a better place for sensitive information. When the information from your PHR is put into a web-based program that stores the information, there may be portions of the information that become the property of the software developer or service provider. For example, when your insurance plan provides an online PHR, the information put into the PHR may become the property of the health plan.
State laws govern the length of time that providers must maintain health records. Some states define specific time limits (typically 3-10 years) for all health records and others set time limits based on the types of healthcare providers (hospitals, primary care physicians, specialty care physicians, long-term care facilities) or types of patients (adults versus minors, living versus deceased). If you have failed to get copies in a timely fashion, you could find your health records gone with the “owner”. An excellent state-by-state summary of how long health records must be kept is given in Health Information & the Law.
The Bottom Line
Health record access rights are governed by federal and state laws, and it is important to understand the rights they grant, as described above. HIPAA is the primary federal law that pertains to your access rights, and when the federal law is “silent”, individual state laws take over. You have the right to timely access (to inspect and/or get copies) of all personal health information in your designated record set. You also have the right to ask for the records in a specific form and format. If your request is denied, you can lodge a formal complaint. The sharing of health records with the patient is still a new concept for the healthcare industry, so expect to meet with resistance.
While HIPAA guarantees your right to inspect and/or receive copies of your health records, it does not grant “ownership” rights. In all states (except New Hampshire), “ownership” rights to the health records and the information within them are given to your healthcare provider or hospital that has possession of them. Because you do not have ownership rights, it is important to get copies of all health records in a timely fashion. In addition, when you give sensitive information to a healthcare provider, hospital, or an online Personal Health Record (PHR) service, they take “ownership” of the information.