Health Care Provider Compliance with the HIPAA Right of Individual Access: A Scorecard and Survey

Abstract

Background: Historically, patients have had difficulty obtaining copies of their medical records, notwithstanding the legal right to do so. In 2018, a study of 83 top hospitals found discrepancies between those hospitals published information and telephone survey responses regarding their processes for release of records to patients, indicating noncompliance with the HIPAA right of individual access.\n\nObjective: Assess state of compliance with the HIPAA right of access across a broader range of health care providers and in the context of real records requests from patients. \nMethods: Evaluate the degree of compliance with the HIPAA right of access 1) through telephone surveys of health care institutions regarding release of records to patients and 2) by scoring the responses of a total of 210 health care providers to actual patient record requests against the HIPAA right of access requirements. (51 of those providers were part of an initial cohort of 51 scored for an earlier version of this paper.)\n \nResults: Based on the scores of responses of 210 health care providers to record requests and the responses of nearly 3000 healthcare institutions to telephone surveys, more than 50% of health care providers are out of compliance with the HIPAA right of access. The most common failure was refusal to send records to patient or patients designee in the form and format requested by the patient, with 86% of noncompliance due to this factor. The number of phone calls required to obtain records in compliance with HIPAA, and the lack of consistency in provider responses to actual requests, makes the records retrieval process a challenging one for patients.\n\nConclusions: Recent federal proposals prioritize patient access to medical records through certified electronic health record (EHR) technology, but access by patients to their complete clinical records via EHRs is years away. In the meantime, health care providers need to focus more attention on compliance with the HIPAA right of access, including better training of staff on HIPAA requirements. Greater enforcement of the law will help motivate providers to prioritize this issue.