Patient Rights of Access to Medical Information

Much of the discussion around patient privacy and confidentiality centers on appropriately restricting and securing access to protected health information, and for good reason: threats such as data breaches and cyber attacks often dominate the news, and medical practices are understandably concerned about the risks of litigation and bad publicity associated with privacy violations.

It is important, however, to remember that patients have the right to access, and in some cases to direct others to receive, their medical information in a timely fashion and at a reasonable cost.  Providers own their physical records, but patients increasingly expect to exercise their legal rights to the information contained in those records.

Laws pertaining to medical record access only apply to those records that are currently in a physician’s possession.  For more information on requirements and recommendations around retaining medical records, please see MIEC’s article How Long Should We Keep Medical Records?. 

This article will address how federal law (HIPAA) and state laws in Alaska, California, Hawaii, and Idaho address patients' right of access to their own medical information.  It is important to note that where a state law is more stringent than HIPAA (for example, a shorter deadline for responding to a request or a lower permitted copy fee), the state law governs and the federal requirement becomes the floor, not the ceiling.

Federal Law- HIPAA 

The HIPAA Privacy Rule generally requires HIPAA covered entities (generally, any physician or medical group who transmits patient information electronically) to provide patients with access, upon request, to their protected health information (PHI).  "Access" includes the right to inspect and/or obtain a copy of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the patient's choice.

While patients cannot sue providers under HIPAA (they can sue under state privacy laws), the U.S. Department of Health and Human Services Office for Civil Rights (OCR) investigates complaints of HIPAA violations and, in certain cases, imposes significant fines and penalties for noncompliance.  In the past year, as part of its HIPAA Right of Access Initiative, the OCR has settled a total of twelve (12) investigations into patient complaints of failure to provide health records in a timely manner and at a reasonable cost.  Those settlements have involved significant financial penalties and mandatory corrective action plans on the part of the providers.    

Importantly, HIPAA requires providers to act on a request for access no later than 30 calendar days after receiving it.  If a provider cannot meet that deadline, it may extend it once by up to 30 additional days, but only if it gives the patient written notice within the original 30 days stating the reason for the delay and the date by which the request will be completed.  Providers are encouraged to provide access as soon as practical, depending on their circumstances and the nature of the request.

HIPAA's access requirement applies to one or more "designated record sets" maintained by or for the covered entity.  A designated record set consists of the medical and billing records maintained by the physician or practice, together with any outside records that are used, in whole or in part, to make decisions about the patient's treatment or payment. 

Records that are not used to make decisions about the patient do not need to be provided, including records pertaining to quality assessment or quality improvement activities, patient safety activities, peer review, business planning and development, management, or employment.

Two types of medical records are expressly excluded from the right of access: 

  1. Psychotherapy notes, which are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session, that are maintained separately from the rest of the patient's medical record.  
    Psychiatrists should ensure that psychotherapy notes (aka "process notes") are kept separate from the medical record (diagnosis, dates of treatment, prescriptions, etc.) so that patients and other requestors do not have a right of access to this sensitive information.  Notes that are mixed into the general chart lose this protection.  Providers must still provide access to other mental health records, including:  

    • medication information 
    • counseling session start/stop times 
    • treatment modalities and frequency 
    • results of clinical tests 
    • summaries of symptoms, diagnosis, functional status, treatment plan, progress to date, and prognosis
  2. Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

Physicians may also deny access to information where a licensed health care professional determines, in the exercise of professional judgment, that the requested access is reasonably likely to endanger the life or physical safety of the patient or another person.  This decision must be made for the individual patient and the specific request, not applied as a blanket policy, and the patient has the right to have such a denial reviewed by a different licensed health care professional designated by the provider.

The HIPAA Privacy Rule permits providers to charge a reasonable, cost-based fee for individuals to receive a copy of their medical record.  The fee may include only the labor for copying, the supplies (paper or electronic media), and the postage involved in providing the patient with the copy in the form, format, and manner requested; it may not include the cost of searching for or retrieving the record.  Fees can be calculated by several means, including calculating actual costs, calculating average costs, or charging a flat fee of up to $6.50 for an electronic copy of a record maintained electronically.  Of note, providers may not withhold a patient's records because the patient has an unpaid balance for medical services.

HIPAA allows providers to require individuals to request PHI access in writing if the covered entity informs individuals of this requirement.  Providers also may require individuals to use the provider's own request form, as long as this does not create a barrier to, or an unreasonable delay in, fulfilling the request.  Similarly, providers may not impose other measures on patients, such as requiring them to appear in person or to state a reason for the request, that create a barrier or delay in providing access.

For practices that have an EMR, patients have the right to receive a copy of their chart in electronic format.  Although providing access to PHI via unencrypted e-mail is discouraged, HIPAA specifically authorizes providers to send a copy of a patient's medical record to the requesting patient via unencrypted email so long as this method of transmission is the patient's stated preference and the patient has been warned of, and accepts, the security risks involved.  The provider should document that warning and the patient's choice.

Sample language could include:  

I recognize that unencrypted e-mail is not a completely secure means of communication because messages can be addressed to the wrong person or accessed improperly while in storage or during transmission.  I understand that I have the option to obtain a copy of my medical record by more secure means such as mail or fax.  I wish to receive a copy of my chart via unencrypted email. 


Federal Law- The ONC Final Rule 

Beginning in April 2021, patients have the right to directly access their electronic health information under a new federal requirement.  On May 1, 2020 the HHS Office of the National Coordinator for Health Information Technology (ONC) published its Final Rule on Interoperability, Information Blocking, and the ONC Health IT Certification Program, implementing provisions of the 21st Century Cures Act.  The rule is also known informally as the "Open Charts law."

The Final Rule prohibits the practice of "information blocking," which is defined as any practice that is likely to interfere with, prevent, or materially discourage the access, exchange, or use of electronic health information (EHI) by patients or other healthcare providers, unless the practice is required by law or falls within one of the exceptions set out in the rule.

For more information on this new requirement, see MIEC’s recent article ONC Final Rule on Information Blocking. 


State Law- Alaska 

Alaska law sets standards for who has access to medical records held by physicians, hospitals, and other healthcare providers in the state.  Although Alaska's privacy laws largely mirror the HIPAA Privacy Rule, healthcare providers must carefully follow both.

Specifically, Alaska law allows the following individuals and entities to access medical records:  

  • Patient (§18.23.005) 
  • Parent or guardian (§25.20.130) 
  • Dept. of Social Services for financial records of medical assistance beneficiaries (§47.07.074) 
  • Medical Review Organizations (§18.23.010 et seq.) 

In the case of an emergency, records of those being treated may be disclosed to EMTs for emergency care (§18.08.087).  Alaska also stipulates that mental health records may only be disclosed to individuals to whom the patient has given written consent (§47.30.845(2)).


State Law- California 

Health & Safety Code §123110 provides that any adult patient, minor authorized by law to consent to treatment, or patient representative may inspect the patient's medical records upon presentation of a written request and payment of reasonable clerical costs.  

Importantly, providers must permit patients to physically inspect their records within 5 working days of receiving a written request.  Patients may request copies of their records in any format, and physicians must provide copies to the patient within 15 working days of the request.

Physicians may charge up to $0.25 per page for copies, plus a reasonable clerical fee.  Additional fees may be charged for diagnostic imaging if the patient has specifically requested those records. 

Transferring records between providers is considered a “professional courtesy” and, as such, there are no fee restrictions or time limitations pertaining to the transfer of medical records between physicians.  


State Law- Hawaii 

HRS §622-57 specifies that, if a patient of a healthcare provider requests copies of the patient's medical records, copies shall be made available to the patient unless, in the opinion of the provider, it would be detrimental to the health of the patient to obtain the records.

If the healthcare provider declines to provide records to the patient for the above reason, they must advise the patient that copies of the records will be made available to the patient’s attorney upon presentation of a proper signed authorization.  If the patient’s attorney presents a proper authorization and requests records, the provider must give them complete and accurate copies of the records within a reasonable time not to exceed 10 working days. 

In the case of a deceased patient, a personal representative of the deceased patient’s estate may obtain copies or authorize the healthcare provider to release copies of the patient’s medical records upon presentation of proper documentation showing the personal representative’s authority.   

If no personal representative has been appointed, the deceased person’s next of kin in order of superseding priority, without court order, may obtain copies of or may authorize the healthcare provider to release copies of the deceased person’s medical records. 

Notwithstanding applicable state confidentiality laws governing the following types of specially protected health information, a healthcare provider may honor, in whole or in part, a request by the deceased person’s next of kin for release of medical records if the medical records of the deceased person contain references pertaining to any of the following types of specially protected health information: 

  • HIV infection, AIDS, or AIDS-related complex 
  • Diagnosis or treatment of a mental illness 
  • Participation in a substance abuse treatment program

A healthcare provider must refuse a request by the deceased person's next of kin for release of medical records if the deceased person had previously indicated to the provider in writing that the person did not wish to have medical records released to next of kin.

Reasonable costs incurred by a healthcare provider in making copies of medical records shall be borne by the patient or requesting individual. 


State Law- Idaho 

Idaho's patient access laws closely mirror HIPAA requirements.  The following individuals are allowed access under the law:

  • Patient or agent by subpoena (§9-420) 
  • Parent of minor child, whether custodial or non-custodial (§32-717A) 
  • Discovery in some civil legal actions (§39-1392e) 
  • Government medical records exempted from open records law (§9-340C)

Effective July 1, 2019, the Idaho Department of Health and Welfare has implemented new patient rights rules for hospitals (see IDAPA to .350).  The rules include new requirements around responding to patient requests for medical information, including a requirement that hospitals provide access to information within 3 business days of a request.  

Consistent with HIPAA, the patient may request records in either hard copy or electronic format.  When the patient requests the information electronically, the hospital is required to deliver the information on a storage medium and in a format that the patient can use.  Regarding costs, HIPAA permits hospitals to charge a reasonable, cost-based fee; however, under the IDAPA rules those charges cannot exceed the copy rates charged at the local library.


If you have any questions regarding medical records management or responding to requests for access, please contact MIEC Patient Safety & Risk Management.