Patients Still Battling Providers for Medical Records

— Nearly three-fourths of requests required nudging or escalation to be HIPAA compliant

MedpageToday

Patients have the legal right to obtain their medical records but many still struggle to access them, a new study found.

After receiving patients' requests for medical records, more than half of 51 healthcare providers failed to comply with the Health Insurance Portability and Accountability Act (HIPAA) right of individual access when processing these requests, Deven McGraw, JD, MPH, and colleagues from Ciitizen Corporation reported.

Without any further intervention, which varied from explaining HIPAA requirements to staff to escalation calls to supervisors, 71% of requests to providers would not have been fulfilled, they wrote in a medRxiv preprint manuscript.

Furthermore, telephone surveys of 3,003 hospitals found that 56% did not have HIPAA-compliant procedures in place for processing medical record requests.

As former deputy director for Health Information Privacy in the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS), McGraw knows all about patients' rights to their medical records.

"I knew what healthcare providers were supposed to be doing, in terms of complying with that right, and we were just seeing time after time that institutions were refusing to send [records] by email ... [and] refusing to accept requests from patients that were emailed or faxed," McGraw told MedPage Today. "They wanted them mailed or they wanted patients to come in person."

From the survey results, McGraw's group concluded that either institutions don't understand their obligations under HIPAA or they have not trained staff to understand those obligations.

Refusing to send medical records to patients by email was the primary reason for non-compliance both among the actual requests submitted to providers and in the hospital surveys, McGraw said.

"Sometimes the reason was, 'HIPAA does not allow us to do that,'" McGraw said with a laugh. In other cases it was, "We won't do it that way" or "We will either fax or mail it."

"They thought it was their option to be able to refuse to do it," she said.

In the HIPAA Omnibus Rule of 2013, which updated the Health Information Technology for Economic and Clinical Health (HITECH) Act, the OCR specifically stated that if patients want to receive medical records by "unsecure" email they can, so long as they acknowledge that there are security risks.

From February 2019 to July 2019, Ciitizen submitted requests using a HIPAA-compliant form for medical records to the 51 healthcare providers for 30 cancer patients -- "beta users" of the company's platform for storing, organizing, and sharing medical records. The researchers then scored the experience of record retrieval or non-retrieval against the requirements delineated by HIPAA.

Provider Scorecard

The scorecard was primarily based on a provider's ability to meet four core HIPAA requirements: accepting requests by email or fax, sending records in the format requested to the patient's designated recipient, sending records within 30 days, and not charging an "unreasonable fee" for the request (providers may only charge minimal fees to cover labor and supply costs, the researchers noted).

It often took multiple phone calls with supervisors to gain compliance with the law, McGraw said.

Submissions were rated on a five-star scale. Providers rated as one-star in the study (27%) met the baseline requirement of accepting a record request by fax or email (and not requiring mail or in-person delivery).

The two-star providers (24%) also met the baseline requirement of processing requests in a HIPAA-compliant manner and delivering on those requests after two or more phone calls.

Three-star providers (20%) achieved all of the HIPAA required components and delivered on the requests after only one "escalation" phone call to a supervisor or privacy official.

The four-star (12%) and five-star (18%) providers "needed no help," McGraw said.

Twelve of the 14 providers that received one star did not achieve compliance because they did not send records in the electronic format requested by the patient (unsecure email). One provider was scored as non-compliant because the records were not sent to the patient's designee (Ciitizen), and another was non-compliant based on charging unreasonable fees. The providers' scores can be found here.

The "good news," McGraw said, was that most were willing to give patients their records for free.

It took providers an average of 8 days to deliver on patients' medical record requests (range, 1 to 26 days).

Hospital Survey

The second part of the study happened organically. Ciitizen searched for a directory that included information about individual health and hospital systems' patient record access processes and found that none existed. They then sought to build one by searching lists of the largest hospital systems in the country and calling them.

These surveys were conducted from August 2018 to May 2019.

Researchers realized after collecting the information on each institution's process that their data "constituted an informal survey" of hospital and health systems' procedures regarding patient requests for medical records.

Survey questions involved four aspects of patient access under the HIPAA Privacy Rule, including their rights to:

  • Receive records directly (rather than through another healthcare provider)
  • Submit a request "in ways that do not cause undue delay or impose a burden"
  • Receive records in the "form and format" they request (including email)
  • Pay only reasonable fees (i.e., fees reflecting the labor of making the copy)

Survey results found that 30% of the 3,003 institutions were "likely non-compliant" because of anticipated refusal to send records to patients electronically. Another 24% were similarly likely non-compliant because of fee requirements. And another 11% of hospitals and health systems appeared to be non-compliant on the basis of potentially refusing to send records directly to patients.

One limitation of the study was the small sample size of healthcare providers. Also, some were judged on a single request, McGraw said.

"We do intend to continue to refresh both the scorecard and the survey," McGraw said, noting that Ciitizen will update the scores for providers who have improved their process and will add new providers.

Disclosures

McGraw and co-authors are employed by Ciitizen Corporation, which has developed a consumer platform that allows patients to collect and organize their medical records.

Note that medRxiv is a preprint server for posting manuscripts prior to undergoing formal peer review. As such, the data and conclusions should be regarded as preliminary until published in a peer-reviewed journal.

Primary Source

medRxiv

Source Reference: McGraw DC, et al "Health care provider compliance with the HIPAA right of individual access: A scorecard and survey" medRxiv 2019; DOI: 10.1101/19004291.