Majority of providers fall short of compliance with HIPAA access requirements

The primary reason for noncompliance was that most providers don't send records electronically even when so requested.

Jeff Lagasse, Associate Editor

More than half of healthcare providers are out of compliance with HIPAA right of access requirements, with the most common failures revolving around a refusal to send records to patients or patients' designees by email, according to a study and survey published by health manuscript archive company medRxiv.

In the telephone survey portion of the study, almost a quarter of respondents, 24%, were potentially noncompliant with HIPAA's fee limitations.

And with regard to patient records requests, 71% of providers supplied the records in compliance with HIPAA only after supervisors and privacy officials were educated on HIPAA's requirements.

WHAT'S THE IMPACT

The primary reason for noncompliance was that most providers don't send records electronically even when the patient explicitly requests them in that format. Of the 14 one-star providers analyzed, 86% failed for not providing records in an electronic format requested by the patient -- by unsecure email for text records. One provider was noncompliant for failing to send records to the patient's designee, while the other was found to have charged unreasonable fees.

Providers, and their copy services, continue to send paper records, faxes and CDs even when the patient explicitly requests records be sent electronically to a designee via email or a patient portal. Providers are also hesitant to send records by standard, unsecure email, even when there are specific patient requests that include the acknowledgement and acceptance of security risks.

It took the study team an average of eight days to fulfill patient requests, though some took as long as 26 days. Without some kind of educational intervention -- such as informing staff about HIPAA requirements, or escalating calls to supervisors and privacy officials -- 71 percent of the requests wouldn't have been fulfilled in a way that satisfied HIPAA requirements.

The authors said that efforts are still ongoing to digitize medical records and allow patients to access them through a device or patient portal. But they said it would be years before seamless digital access is a reality.

In the interim, requests for information will still be necessary to enable patients to collect all of their health data -- making it critical that the processes in place be HIPAA compliant.

THE LARGER TREND

Privacy regulations under HIPAA have always included a right of individuals to access and receive copies of their complete medical records, with rare exceptions.

In the Health Information Technology for Economic and Clinical Health Act of 2009, Congress clarified that individuals have the right to digital copies of electronic health records and to have those copies sent directly to a designated third party, such as a personal health record service or mobile health app.

The Department of Health and Human Services incorporated the HITECH changes into the HIPAA Privacy Rule in 2013. These changes to the HIPAA Privacy Rule right of access were part of an emphasis in HITECH on digital collection and exchange of health information, and were expected to spark the development of more widespread personal health record services and mobile apps.

Twitter: @JELagasse

Email the writer: jeff.lagasse@himssmedia.com