As a patient, you have a right to your medical records and X-rays or other diagnostic images.
“People with ready access to their medical records have the advantage of being empowered to make more informed decisions about their health,” says William Dale, M.D., Ph.D., director of the Specialized Oncology Care and Research in the Elderly (SOCARE) Clinic at the University of Chicago Medicine. “As the U.S. health system moves to a model where patients possess greater control of their care and its costs, access to this information is essential.”
Since 1996, the Health Insurance Portability and Accountability Act (HIPAA) has provided patients with the right to access their health information from healthcare professionals, pharmacies, health plan, and medical facilities, including hospitals and nursing homes. HIPAA also requires health entities to protect and secure this information from others.
Recently, the U.S. Department of Health and Human Services (HHS) issued guidance designed to help patients understand their rights to these records and better navigate the process of obtaining them. HIPAA’s Privacy Rule requires health plans and healthcare providers to provide you, or a third party designated by you, with your protected health information in what’s called a “designated record set.” This set includes:
■ Medical and billing records, such as clinical laboratory and imaging test results; wellness or disease-management program files; and clinical case notes
■ Insurance information, payment records, claims decisions and case- or medical-management record systems
■ Other records used to make care decisions
Entities not required to follow the Privacy Rule include life insurers, most law enforcement agencies and many state agencies, such as child protective services.
Moreover, you do not have the right to access certain types of information, such as:
■ Information that’s not used to make care decisions (for example, provider performance evaluations or quality-control
■ The personal notes of a mental healthcare provider documenting or analyzing a counseling session
■ Information compiled for (or in reasonable anticipation of) a civil, criminal or administrative proceeding
■ Information that a provider reasonably deems a threat to the patient’s or another person’s life or physical safety, such as information that may lead a suicidal person to take his or her own life or information that a provider feels may cause emotional or psychological harm, such as notes that a patient may be upset by or not be able to understand
Where to start
“Too often, individuals have trouble obtaining their health records, although this problem is changing with the increased adoption of secure patient portals and electronic medical records, which enable the quick dissemination of health information,” Dale says.
While some practices or organizations simply allow you to request access to your records via fax, email, or online through a secure web portal, others may require you to formally request your records in writing or complete a form to do so.
Your providers must verify your identity, but they can’t require you to come to the office physically to request records or provide proof of identification. They also can’t require you to mail in your request, as this causes undue delay in obtaining your records. You don’t have to give a specific reason for your request, nor can records be denied because of an outstanding bill.
After receiving your request, the entity must provide access to your records within 30 calendar days—although the HHS encourages healthcare professionals and organizations to do so as quickly as possible. If the information isn’t easily accessible—for instance, older files may be archived offsite—the entity may request a one-time 30-day extension but must inform you of both the reason for the delay within the initial 30 days and the date by which you’ll receive access.
You can specify the format in which you’d prefer to receive the records (for example, paper copies or digital files such as a PDF, provided the organization can reasonably produce an electronic format). Some providers allow you to access an online patient portal, where you can view your health records and download them to your personal computer. If you’ll be using an application or special computer software to analyze or organize your information, you’ll typically need your records in a structured data format, sometimes called CCDA files, which some organizations can supply.
The doctor’s office or facility may charge a “reasonable fee” for labor to copy the files, supplies, or devices such as a CD or a USB drive, postage and, if you request it, preparation of an explanation or summary of your information. Any other fees, such as for time spent searching for records, are prohibited. The provider must also inform you in advance of the approximate fee you’ll be charged.
If you don’t want to pay for copies, you have the right to view your records privately on the provider’s premises without charge. While there, you can freely take notes or use your smartphone or another device to make copies of your files.
Obstacles you may face
An organization’s ignorance of the law isn’t an excuse for noncompliance, but you may encounter some resistance to your request. It’s best to be prepared in advance for dealing with challenges, including these:
■ Your provider tells you HIPAA prevents sharing any information, even with the patient. Under federal law, you have the right to your records. You can point the organization to the HHS website for more information about the requirement.
■ You’re told only paper records are available. If you prefer electronic copies, you can request that they be scanned in a digital format. However, you may be charged a fee for scanning the files.
■ The organization says it can’t send records via email. Email may not always be secure, but as long as you accept the risks associated with email transmission (namely that a third party might be able to obtain the files), the organization must send them, if requested.
■ You’re told you must visit in person to verify your identity. The provider can’t require an in-person visit. Ask to have your identification verified over the phone, such as by confirming your address or providing other personal information.
■ You’ve received your records, but they contain errors. You can request that errors be fixed or missing information be added. If your provider believes the records are correct, you have the right to have your disagreement noted in your file.
■ You don’t receive a response to your request. If you don’t receive a response or access, you can file a complaint with the HHS Office for Civil Rights..
If your request is denied, you must receive a written notice of denial in easy-to-understand language within 30 days of your request. If you believe you’ve been wrongly denied, you can file a complaint with your provider, health insurer or the HHS. To file a complaint with the HHS, go here.
Your rights at a glance
You have a right to:
■ View and receive copies of your health records
■ Receive electronic copies in the format requested (if the format is unavailable, you and the organization must agree on an alternative)
■ Receive your records within a certain time frame, which varies by state.
■ Request files be sent via email
■ Request files be sent to a third party of your choice, such as a caregiver or a mobile health application
Accessing a loved one’s medical records
If you’re a caregiver for a loved one, you may need access to his or her medical records. In addition to providing your right to your own medical information, the HIPAA Privacy Rule recognizes the rights of personal representatives—those who are legally authorized to make healthcare-related decisions on another’s behalf.
A personal representative may be a mentally incapacitated adult’s legal guardian, a healthcare power of attorney or an executor of an estate, among others. A personal representative can exercise the patient’s rights, and he or she has the right to the patient’s protected health information. Some exceptions and limitations apply; for instance, a personal representative with a limited power of attorney for a particular procedure may only access information related to that specific healthcare decision.
Finally, you have the right to a patient’s medical records if he or she has provided prior written authorization for the disclosure of his or her health information to you.