Patients Have a Right to Their Records. Are You Complying?
HHS has made it clear that HIPAA's Right of Access is a priority enforcement area. And from what we see working with practices, it's an area where many are falling short. Not because they're trying to hide records, but because their processes are cumbersome, slow, or don't match the specific requirements of the rule (45 CFR 164.524).
What the Law Requires
Under HIPAA's Privacy Rule, patients have the right to:
- Access their health records (inspect and obtain copies)
- Receive copies in the form and format they request (electronic or paper) if it is readily producible; if not, in a readable hard copy or other form you both agree to
- Have records sent directly to a third party they designate in a signed, written request
- Receive records within 30 calendar days of the request (one 30-day extension allowed, with written notice given inside the original 30 days)
Where Practices Go Wrong
Excessive Fees
HIPAA limits what you can charge for copies. You can charge a reasonable, cost-based fee that covers only: labor for copying (or for creating and transmitting the electronic copy), supplies such as paper or portable media, postage if the patient asks you to mail the copy, and the cost of preparing a summary or explanation if the patient agrees to one instead of the full records. You cannot charge for search and retrieval time, for reviewing the request, or for the cost of your systems and storage. For electronic copies of ePHI, OCR also allows a flat fee of up to $6.50 as an alternative to calculating your actual cost. Some practices charge $1 per page or a flat $50 "records retrieval fee." A retrieval fee is not permitted at all, and a per-page charge is allowed only if it reflects your actual cost of producing that page. If state law permits a higher fee than HIPAA allows, the HIPAA limit still applies.
Requiring In-Person Pickup
If a patient requests electronic records, you must provide them electronically if your systems can readily produce them in that form. "You have to come pick them up" is not compliant if the patient has requested electronic delivery. Secure email, a patient portal, or encrypted media are all acceptable delivery methods. If the patient asks for unencrypted email, you may send it that way, but only after warning them of the risk and noting that they accepted it; the choice is theirs, not yours.
Slow Response Times
Thirty calendar days is the maximum, not the target. Best practice is to fulfill records requests within 5-10 business days. If you can't meet the 30-day deadline, you can take one 30-day extension, but before the original 30 days run out you must notify the patient in writing with the reason for the delay and the date by which you will complete the request. The clock starts on the day the request is received, not the day it reaches the coordinator.
Requiring Written Requests on Specific Forms
You can require requests in writing, as long as you tell patients about that requirement, but you cannot require patients to use a specific form. If a patient submits a written request on a napkin, it's a valid request. You can offer your own form for convenience, but you can't refuse to process a request because it wasn't on your form, and you can't require patients to come in person, use only the portal, or explain why they want their records.
Refusing Third-Party Requests
Patients can direct you to send their records to anyone they designate: another provider, a lawyer, a family member, an app. If the patient's signed, written request clearly identifies the designated person and where to send the records, you must comply. You can't refuse because you don't like the recipient or think the patient shouldn't share their records. Two caveats: verify that the request actually came from the patient before sending records to an outside party, and note that since Ciox Health v. Azar (2020), the enforceable third-party directive covers electronic copies of ePHI held in an EHR, while the fee limits above apply to copies you provide to the patient.
Setting Up a Compliant Process
- Designate a records request coordinator, plus a backup. One person who handles all requests, tracks timelines, and ensures compliance, and someone who can step in when they are out so the 30-day clock does not run out on a vacation.
- Create a tracking system. Log every request with: date received, patient name, what was requested, format requested, delivery method and recipient, due date, any extension notice sent and when, date fulfilled, and any fees charged.
- Know your fee schedule. Calculate your actual cost-based fee, document how you derived it, and decide whether you will use the $6.50 flat fee for electronic copies. Post the schedule where patients can see it.
- Configure electronic export. Make sure your EHR or PMS can export records in a standard, readable electronic format (PDF at minimum). Test the process, including how you will deliver the file securely, so it's not a scramble when a request comes in.
- Train your front desk. The first person a patient contacts about records is usually the front desk. They need to know: accept the request, note the date it came in, don't argue about the format, don't require a specific form, don't ask why the patient wants the records, and route it to the coordinator the same day.
OCR is actively pursuing Right of Access violations with enforcement actions and financial penalties, many of them against small practices over a single delayed or denied request. Getting this right isn't just good practice. It's mandatory.