
Supporting Patients in HIPAA Compliant Health Data Access

Healthcare organizations must offer patient support to ensure patients understand their rights to health data access under HIPAA.



By Sara Heath

Patient health data access is key to meaningful patient engagement, helping to empower patients in healthcare decision-making and self-management. However, ensuring patient access to their own medical records is often easier said than done.

Recent reports highlight significant financial barriers that patients face when hospitals overcharge for medical record copies. Other experts say the healthcare industry is still facing some provider pushback in granting patients access to their clinician notes.


According to Kathy Downing, Senior Director of Information Governance, Privacy, and Security for AHIMA, the key to seamless patient data access is ensuring healthcare organizations and patients are clear on how HIPAA and other legal regulations protect patient rights to their individual medical records.

“That patient right is very important because there are providers that aren’t excited about sharing the medical record with the patient,” Downing asserted.


However, for Downing, the law is cut and dried. HIPAA states that patients have access to their medical records, and therefore organizations must comply.

“Ultimately, the patient’s record is their information, so they have a right to inspect it,” she said.

HIPAA regulations reinforce several methods by which patients may access their health information, Downing explained. Patients can visit their providers’ health information management (HIM) department to obtain paper copies of their designated record sets, incurring only a minor fee to cover the costs of materials and labor. This fee should be nominal, or around $6.50, Downing said.

EHRs and other health IT tools have made it less costly and easier for patients to gain access to their designated record set. Patients may receive CD copies of their EHR files for only a small fee. They may also view their EHR in the doctor’s office at no cost, or view their medical records via the patient portal.

It is important for healthcare organizations and their patients to understand those rules, Downing asserted. Health data access laws give patients opportunities to work up a chain of command to make sure providers honor patient rights.


“I think from a patient perspective, it’s as simple as having a right to access your entire medical record at any time from any provider,” she said. “Should a patient have issues getting her medical record from a provider, she has avenues to complain.”

When patients know their access rights, they can work with office HIM professionals or even the HHS Office for Civil Rights (OCR) if providers pose barriers to their health information.

But that doesn’t mean patient data access comes without its own complications. As noted above, some providers are still hesitant to let patients look at all of their health data.

In some cases, Downing notes, this is because the providers view the data as not complete or accurate enough for patients to view.

“It’s very frustrating to me that healthcare providers in large institutions are not providing patients access to the full medical record through the patient portal,” she said. “Having a patient portal and putting labs and radiology into it is not what patients want. They want access to their full medical record.”


Downing added that a lot of hospitals and providers have data issues. At AHIMA, experts are advocating for better data governance so that providers don’t have a reason to keep patients from their full medical records.

Other healthcare professionals are confused by HIPAA, and let those rules get in the way of seamlessly offering patient data access, or exchanging patient data with other providers. However, according to Downing (and HHS itself), HIPAA should not be an impediment to patient data access.

“HIPAA should never cause any delays or issues with getting information from provider to provider,” Downing said.

“If, for instance, you’re changing doctors and you want to send information to a new one, you shouldn’t have to fill out any forms,” she continued. “It also shouldn’t cost you to get information shared with another provider. Your old doctor may not like it, but you have a right for your new doctor to have your information.”

Patient education is key with respect to medical record access, Downing pointed out. When healthcare organizations have the proper patient resources on hand, it makes it easier for patients to navigate the HIM world.

For example, empowering patients with knowledge about their data access rights will be helpful if they encounter a provider overcharging for their medical records.

“There’s certainly no ability to charge anything on top of material and labor costs,” Downing reiterated. “That right to access rule is clear, and OCR added the access guidance to make sure organizations are clear about getting that information to patients for a low cost.”

“The OCR has a website where you can visit and submit a complaint if you are not getting access to your medical records,” she continued.

Overall, patient data access education helps build patient efficacy. Patients who know about their rights – or at least that they do have rights, and can consult the web for details – are better able to advocate for themselves when they face access barriers.

To help support patients, providers are legally required to issue the Notice of Privacy Practices, which outlines patient data access rights for all patients at a practice. Even if patients do not memorize their rights, the Notice of Privacy Practices informs patients that they do have rights and how to move forward if a provider infringes upon them, Downing said.

Healthcare organizations should also appoint a patient privacy officer who knows the ins and outs of HIPAA. This individual can serve as a translator for patients and should answer any data access questions patients pose.

“Every single covered entity must designate a privacy official,” Downing advised. “That includes a physician practice or a dentist office.”

Additionally, practices must ensure that their front office staff are knowledgeable about HIPAA and patient data access, Downing suggested.

Ultimately, making sure there is ample support for patients accessing their designated record set is a critical aspect of patient engagement.

“The idea of engaging patients and their caregivers in care, we believe will ultimately increase the overall health of the entire population. When you can see your records and you realize how high those lab values are compared to how they should be, it might encourage you to eat better or exercise more,” Downing concluded. “We believe that’s the major component of population health.”

