New regulations passed under the Health Insurance Portability and Accountability Act (HIPAA) will soon permit patients to request and receive their medical records electronically. These regulations have the potential to help patients by reducing the cost of obtaining records, providing the records in a form that is more accessible, and perhaps even by allowing access to hidden information that patients don’t generally get without a fight.
45 CFR §164.524 will be effective as of March 25, 2013, but health care providers have until September 25, 2013, to comply. The regulation requires that providers who maintain their patient records in electronic form must, on request by the patient, provide the records in an electronic format acceptable to the patient if the record is “readily producible” in that format, or, if not, in a different electronic format agreed to by the covered entity and the individual. Instead of the usual per-page copying charges, the provider may charge a reasonable, cost-based fee, which may include the cost of the data device (CD-ROM or USB device), actual labor costs, and postage. However, the published interpretation from the U.S. Department of Health & Human Services states that that charge does not include non-labor-based retrieval fees or overhead costs for creating or maintaining electronic systems and equipment.
The regulatory comments suggest that in many cases, the patient will request records in Portable Document Format (pdf). In most cases, the patient should request and the provider must provide, a searchable pdf file. This will make record review much faster and easier. In the alternative, patients may want to request a copy of the file in its “native” state, just as it is used in the hospital or office, although the software necessary to read this format may be proprietary and not readily available.
Although the issue of metadata is not specifically addressed in either the regulations or the comments, an argument can be made that the patient is entitled to receive the entire contents of the facility’s electronic file, including often invisible information about when and by whom entries were made, changed or even accessed. If the timing of entries or who reviewed them will be an issue in a medical malpractice case, this information can be invaluable. While it is usually obtainable through discovery, in many cases it would be advantageous to have it sooner rather than later.
Finally, the new regulations establish a fixed time limit of 30 days for the health care provider’s response to the patient’s request. Unlike the old regulations, this period is not extended if the data is stored off-site. Time spent negotiating with the patient about the format of the electronic response is chargeable against the 30 days. The provider may request a one-time extension of 30 days, with written notice to the patient or other requestor about the reason for the delay and the expected date of completion.
Read the full text of the regulations and comments here.