8 Tips on Giving Patients Access to Their Records

HHS Points to Ways to Improve Compliance With HIPAA Requirements


Under the HIPAA Privacy Rule, patients and their authorized representatives have the right to access their electronic or paper health records. Unfortunately it’s often easier said than done, and federal regulators want that to change.

Complaints from patients about the lack of access to their records have remained consistently among the top five issues in HIPAA cases that are investigated and closed with corrective action by HHS’ Office for Civil Rights. In order to help address the issue leaders at HHS have issued a new training module and a research report.

Patient access can be a tricky issue. The policy is straightforward – give the patient his or her information. Execution is often more complicated.


Training Module

OCR’s latest training module notes that “an individual has the right to receive protected health information in the form and format requested if readily producible.” It depends on the entity’s capabilities. That means if an entity maintains information electronically, at least one type of digital format must be accessible by the individual.

The individual also has the right to specify the mode of transmission or transfer, including unsecure email, as long as the individual is warned about the security risks, according to the OCR.

Patients can also ask for other modes of transmission if the request is within the capabilities of an entity and the mode would not present unacceptable security risks to PHI on the entity’s systems.

Yet another option is individuals have the right to request a healthcare provider to transmit their health information to a third party, which could include a competing healthcare provider, family member or friend, research institution or mobile health application.

Tips for Providing Access

The ONC report notes: “Healthcare practices have the opportunity now to improve their records request processes and reduce the burden on consumers.”

Among the report’s tips for improving their ability to provide patient access to records is creating “a streamlined, transparent, and electronic records request process” that may include:

  1. Allowing patients to easily request and receive their records from their patient portal.
  2. Setting up an electronic records request system outside of the patient portal.
  3. Creating a user-friendly, plain language online request process.
  4. Using e-verification to quickly confirm the record requestor’s identity.
  5. Including a status bar or progress tracker so consumers can see where they are in the request process – for example, indicate when the request is received, when their records are being retrieved, and when they’re ready for delivery.
  6. Making sure consumers know that they can request their record be provided in different formats – such as PDF or CD – and delivered in the way they choose, such as by email or sent to a third party.
  7. Providing user-friendly, plain language instructions for patients and caregivers on how to request health records, what to expect and who to contact with questions.
  8. Encouraging patients to use patient portals by promoting features such as online appointment scheduling, secure messaging and prescription refills.

While these tips are hardly a cure-all they should make it easier for patients to access their records and establishing this protocol gives practices an opportunity to figure out how to balance patients access and privacy rights.

If you have questions about how patient access regulations could impact PHI security call ITPAC today.