In Brief: The Health Insurance Portability and Accountability Act Privacy Rule and Patient Access to Medical Records

Table of Contents:

• Findings: Patient Access to Medical Records—Current Law and Practice
• Findings: Improving Patient Access—The Promise of Electronic Communication
• Conclusion and Recommendations

This Issue Brief summarizes a PPI Issue Paper titled, “The Health Insurance Portability Act Privacy Rule and Patient Access to Medical Records” (#2006-03). The study was commissioned from the Health Privacy Project, a non-profit organization dedicated to ensuring health privacy to improve health care access on quality. The authors of the study are Beth Tossell, Emily Stuart, and Janlori Goldman.

The right to access information about oneself is essential to privacy. Access to medical records can play a vital role in motivating consumers to become more active, informed agents in the delivery of health care services. Until recently, patients had no federal right to see and copy their own medical records. The 1996 Health Insurance Portability and Accountability Act (HIPAA) changed that situtation by instructing the Secretary of the Department of Health and Human Services (DHHS) to issue the HIPAA Privacy Rule in the event Congress failed to act within two years. As a result of congressional inaction, DHHS promulgated the Privacy Rule, which grants people new federal medical privacy rights, including the right to see and copy their own medical records.

Top of Page

Findings: Patient Access to Medical Records—Current Law and Practice

The Privacy Rule gives consumers the right to access, inspect, and request amendments to their medical records held by certain health care organizations, notably health care providers and plans. The Privacy Rule establishes procedures for gaining access to personal health information, including limits on both the number of days a provider has to respond to a request and the fees that may be charged. In some circumstances, covered entities do have the right to deny access, although individuals also have the right to request a review of that denial. The Privacy Rule also gives patients the right to request that an amendment be added to the medical record. The Privacy Rule grants a health care consumer the right to know how his or her medical information has been disclosed outside the core health care arena.

While the Privacy Rule grants Americans important rights, translating a legal right into practice can be difficult. Some surveys have shown a reluctance on the part of physicians to give patients access to their own records, often because they found it costly and time-consuming. Furthermore, the lack of any significant public education effort designed to inform consumers about their rights has had a damaging impact on the strength of the law.

In addtion, although the Privacy Rule does not specify a format in which patients must request access to their records, some providers mistakenly insist that patients use the authorization form that the law requires for disclosures to others, such as to employers, who are otherwise prohibited from receiving protected health information from covered entities.