A recent audit completed by the Government Accountability Office (GAO) has shown patients still face many hurdles obtaining copies of their health data and healthcare providers and insurers are struggling to meet HIPAA requirements – and in some instances – are violating HIPAA Rules.
A 21st Century Cures Act provision required GAO to carry out a study on patient access to medical records. The audit included interviews with stakeholders, vendors, provider groups, patient advocates, and state and HHS officials. The audit was completed in four states – Ohio, Kentucky, Rhode Island and Wisconsin – which were opted for, in part, due to the range of fees charged for providing patients with copies of their medical records.
Under HIPAA regulations, patients are permitted to request copies of their health records from their providers. Patients can ask for their health records in paper or digital form and the requests must be completed within 30 days. HIPAA-covered entities are allowed to charge a reasonable, cost-based fee for supplying patients with copies of their health data.
Patients receive copies of their health information for several reasons: To take more active management of their own healthcare, to take their medical records to new suppliers, to resolve disputes with their insurers, to give to lawyers, or for disability claims.
Patients ask for their records to be forward on to another person or entity by their provider, such as when they are seeking a second opinion from another physician. Third parties may also be told by patients to obtain copies of their health records – a lawyer for example.
The GAO audit found that the fees charged by providers varied considerably from state to state and for different sorts of request.
Some states have set up fee schedules, formulas and limits for allowable fees. Three of the states – Ohio, Rhode Island, and Wisconsin – have set up per-page fee amounts and different rates for obtaining medical images such as copies of X-rays. Ohio has introduced a per-page fee amount for third party requests, Rhode Island has a highest fee for providers that use an EHR for patient and patient-directed requests, while Kentucky permits patients to obtain one free copy of their medical records and sets a highest charge of $1 per page for any additional copies.
While HIPAA states that providers can only charge a reasonable, cost-based fee for patient requests and patient-directed requests, those restrictions do not apply to third party requests for copies of data, and the charges are often considerably higher.
Providing Copies of Health Information & Excessive Fees
In 2016, the Department of Health and Human Services’ Office for Civil Rights issued guidance for HIPAA-covered entities on the fees that could be charged for providing patients with duplicate copies of their health information. Even so, some providers are not adhering to HIPAA Rules.
In the GAO report, examples are given of the excessive fees that have been charged. One patient was charged a fee of $148 for a single PDF of their medical records, and two patients were each charged over $500 for a single request to obtain a copy of their medical records. One patient was charged a retrieval fee by a release-of-information (ROI) vendor for a duplicate copy of her health records, even though such fees are not allowed under HIPAA. There have also been cases of suppliers charging annual subscription fees for providing access to medical records.
One issue faced by patients whose medical conditions have necessitated many visits to physicians is the amount of data stored by their healthcare suppliers. Their health records span many pages and fees are charged at a per page rate. That can make obtaining copies of health records prohibitively costly.
The GAO report shows that many patients have tried to obtain copies of their medical records from their providers but cancelled the requests when they found out the cost of doing so. There have been cases where providers have denied patients who have requested copies of their health records and patients have failed to address this with their providers.
The report made it clear that even though attempts have been made to improve understanding of HIPAA Rules, many patients are still unsure of their rights under HIPAA Rules.