Individuals’ Rights to Their Health Information: The Federales Awaken

A long time ago (in internet years), the original HIPAA regulations were promulgated.

A long time ago (in internet years), the original HIPAA regulations were promulgated. (The final Privacy Rule was published in 2000.) They’ve been tweaked and updated over the years, most notably in the “mega-reg” promulgated a few years back in order to implement the updates included in the HITECH Act. For purposes of the present discussion, I am interested in the patient right to medical record information included in HIPAA, rather than privacy and security protections for patient data. The core elements of the HIPAA rule relevant to patient access to medical records have not changed since the rule was originally promulgated. That original rule did not expand all that much on the access to records rules in some of the more enlightened states in the Union, though it has pulled up some of the laggards. 

In essence, the rule requires that if a patient requests a medical record, the “covered entity” (health care provider or health plan) must provide the record, in the format requested (if it is reasonably possible to do so, or in another format acceptable to the patient if it is not), within 30 days. (The HITECH “mega-reg” made only a minor change to this rule with respect to records stored off-site: an extra 30 days to retrieve records in cold storage. Meaningful Use regulations governing health care providers with certified electronic health records require much quicker responses for a certain percentage of patients, so in a perfect world a request could be acted on within 48 hours.) Federal and state rules differ with respect how much a patient may be charged for a copy, and state rules control in this instance, sometimes leading to significant fees charged for paper copies. Given the current environment, a “per-page” charge does not make much sense, particularly if a requested record is transmitted electronically to a repository of the patient’s choosing. (In fact, the official commentary on the draft Meaningful Use Stage 3 regs noted that when records are available via APIs — the notion of the federales designing standards for certification of APIs is a topic for another day — perhaps no copying fees should be permitted since there is virtually no cost to sharing an individual record. An argument may also be made that the many federal dollars paid for patient care and in Meaningful Use incentives ought to cover the cost of delivering a copy of the record.)

Most forward-thinking health care providers and other covered entities recognize the value of being in partnership with patients, and recognize the value of having “e-patients” (the “e” is for equipped, enabled, empowered and engaged; today, the usual meaning of “e-” often applies to e-patients as well.) Many also recognize the value of lifetime health records — and there are multiple means of helping patients/consumers gather and update such lifetime health records (e.g. Free Our Health Records, a free service powered by Flow Health, a client.)

The U.S. Dept. of Health and Human Services, Office for Civil Rights (OCR) enforces the HIPAA regulations and recently issued a new fact sheet and series of FAQs entitled Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524. This is the first in a promised series of issuances and it lays out individuals’ rights clearly. (OCR has a global collection of HIPAA FAQs which is a good resource as well.)

So far, so good – right?

Well, while the new issuance may be helpful, and while it is easier than ever to file a complaint with OCR about health data privacy or security violations, the substance of the publication has been posted before, with annual cover letters by current and former OCR directors (patients get to get copies of their records; it’s the law), and yet many readers of this post are likely shaking their heads, thinking about a close encounter with the medical-industrial complex where a simple record request was not responded to adequately.

It is disappointing that fifteen years after the promulgation of the HIPAA Privacy Rule many health care organizations are less than fully compliant, given the plain language of the statutes and regulations, and it also disappointing that the federales seem not to have done much to move the dial on compliance. (A colleague sought me out as recently as this week for assistance with an individual’s Sisyphean struggles to obtain copies of health records from health care providers.) Pro Publica recently ran a series of stories on the issue of lax HIPAA enforcement (related to data breaches), accompanied by HIPAA Helper, which is an enhanced version of the Wall of Shame (the public government database of HIPAA breaches). Some folks are mad as hell about this. We have heard from a number of OCR directors over the years that important steps are being taken to improve compliance, to ensure that individuals are able to avail themselves of their HIPAA-guaranteed right of access to their medical records.

The proof is in the pudding: so let’s reserve judgment for a bit and see how the current team at OCR manages to improve compliance with record requests overall as this and other guidance is rolled out to the regulated community and the general public. I hope the persistence and patience of the current team is rewarded, just as Horton’s was.

It’s about time. I’m ready. Are you?

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

A version of this post first appeared on e-patients.net, the blog of The Society for Participatory Medicine. I serve as chair of the Society’s Public Policy Committee.