The Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services is showing a renewed interest in assuring that patients have access to their medical records. In other words, OCR will be looking to assure that your practice “does not create a barrier to or unreasonably delay the individual from obtaining access to her PHI [Personal Health Information].”

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its exhaustive regulations have been with us for years. The HIPAA Privacy Rule is usually considered as a shield to protect a patient’s privacy. However, savvy patients are now using the Privacy Rule as a sword to access their records and to exert pressure on a physician to change information in the records. Here are some tips on being in compliance:

Requests for Access

You may require that a request by a patient for access to her records be in writing on a form that you have created. However, you have to accept faxed or scanned copies of the endorsed form. Additionally, you may accept requests using an electronic means (e.g. email or Web portal). You can (and should) take reasonable steps to verify that the individual requesting the records is actually your patient or a proper personal representative. For example, your form can ask for basic information about the requester. However, you can’t require the patient to appear in person in your office to sign the form. Likewise, you can’t limit conveyance of the access form to snail mail if that would be an unreasonable delay. Nor can you require all requests to go through your Web portal. Of note, you can ask a patient why she is asking for her records. The patient isn’t obligated to tell you, and you can’t refuse to produce her records if she refuses. Still, it may be worth asking in order to defuse an adversarial situation.

Form, Format and Manner of Access

 A patient has a right to receive her PHI in a form and format that she requests, if readily producible. If not, then in a readable hard copy form or other form and format to which you and the patient agree. Regardless of whether you are using an EMR or old-fashioned paper records, the patient can request a copy of her records in paper. Conversely, you will be required to produce electronic copies of paper records if they are readily producible, e.g. scanning the paper records. Last, but not least, you must deliver the records in the manner requested by the patient, which may include a convenient time and place to pick up the records or inspect them. If the patient wants an electronic version, arrangements must be made for delivery, which may be by email, Web portal or storage device. You can’t require the patient to appear in your office to pick up the records if she wants them mailed or emailed.

Fees for Providing Records

Forget all of the fee schedules and rules of thumb that you have previously heard! OCR is adamant that the Privacy Rule limits a physician to billing for only 1) clerical labor for copying PHI into the format requested; 2) supplies for creating the requested paper copy or electronic media, e.g. CD or USB flash drive if electronic version is requested on portable media; and 3) postage when the patient requests that the records be mailed. “The fee may not include costs associated with verification, documentation, searching for and retrieving the PHI … or other costs not listed above even if such costs are authorized by State law.” [emphasis in original]. A practice is permitted to develop a fee schedule based on average labor costs to fulfill standard types of record requests. Without explanation, OCR has stated that a flat fee not exceeding $6.50, inclusive of labor, supplies and any applicable postage, is reasonable for providing electronic copies of PHI maintained electronically. Per-page fees are prohibited unless the records are being produced on paper. The fees from an outside service can’t simply be passed through to the patient. To make it even more complicated, you should provide an estimate of the fee when a patient requests the records. OCR says that you ought to be able to provide a breakdown of the total fee charged when it asks you for it. No fee can be imposed when a patient uses an EMR Web portal and downloads her own records. Access to records can’t be withheld due to an unpaid bill. No fee can be charged if a patient just wants to look at her records, even if she wants to take pictures of them on her smartphone.

Denying Access to Record

You likely will not be able to refuse to produce your records to a patient unless: 1) you maintain psychotherapy notes separate and apart from your patient chart; 2) the information was obtained by someone other than the healthcare provider, e.g. a family member, under a promise of confidentiality, and providing access would be reasonably likely to reveal the source of the information; or 3) you have a reasonable basis to believe that disclosure of your records to a patient will result in endangering the life or physical safety of your patient or someone else or likely cause substantial harm to another person referenced in the records. OCR has little sympathy for concerns over psychological or emotional injury. If you refuse to produce the records under the therapeutic privilege, then you must document your reasoning in your chart and advise the patient of the process by which she can have the records reviewed by another healthcare provider who will decide whether the records should be released. This review can be done by someone of the patient’s choice or by someone paid for by the healthcare provider.

Correcting Records

A patient has a right to request that you correct your records in a manner similar to a consumer’s right to correct a credit report. Think carefully about whether you should  or should not make the changes. Do not yield to emotion over good clinical judgment. If you feel that the patient’s request should be declined, then she has a right to put her explanation in your chart.

With open access to your records, you need to be even more thoughtful in what you include and do not include in your charting. Anything on which you base your clinical decision is good to include. Anything else is probably best left out.