Skip to content

In Brief: The Health Insurance Portability and Accountability Act Privacy Rule and Patient Access to Medical Records

This Issue Brief summarizes a PPI Issue Paper titled, “The Health Insurance Portability Act Privacy Rule and Patient Access to Medical Records” (#2006-03). The study was commissioned from the Health Privacy Project, a non-profit organization dedicated to ensuring health privacy to improve health care access on quality. The authors of the study are Beth Tossell, Emily Stuart, and Janlori Goldman.

The right to access information about oneself is essential to privacy. Access to medical records can play a vital role in motivating consumers to become more active, informed agents in the delivery of health care services. Until recently, patients had no federal right to see and copy their own medical records. The 1996 Health Insurance Portability and Accountability Act (HIPAA) changed that situtation by instructing the Secretary of the Department of Health and Human Services (DHHS) to issue the HIPAA Privacy Rule in the event Congress failed to act within two years. As a result of congressional inaction, DHHS promulgated the Privacy Rule, which grants people new federal medical privacy rights, including the right to see and copy their own medical records.

Findings: Patient Access to Medical Records—Current Law and Practice

The Privacy Rule gives consumers the right to access, inspect, and request amendments to their medical records held by certain health care organizations, notably health care providers and plans. The Privacy Rule establishes procedures for gaining access to personal health information, including limits on both the number of days a provider has to respond to a request and the fees that may be charged. In some circumstances, covered entities do have the right to deny access, although individuals also have the right to request a review of that denial. The Privacy Rule also gives patients the right to request that an amendment be added to the medical record. The Privacy Rule grants a health care consumer the right to know how his or her medical information has been disclosed outside the core health care arena.

While the Privacy Rule grants Americans important rights, translating a legal right into practice can be difficult. Some surveys have shown a reluctance on the part of physicians to give patients access to their own records, often because they found it costly and time-consuming. Furthermore, the lack of any significant public education effort designed to inform consumers about their rights has had a damaging impact on the strength of the law.

In addtion, although the Privacy Rule does not specify a format in which patients must request access to their records, some providers mistakenly insist that patients use the authorization form that the law requires for disclosures to others, such as to employers, who are otherwise prohibited from receiving protected health information from covered entities.

Some patients have complained to DHHS’ Office for Civil Rights (OCR), which oversees HIPAA implementation, about refusals of access, suggesting that some providers are not complying with the law or may not understand how to influence the patient access rules.

Findings: Improving Patient Access—The Promise of Electronic Communication

While the Privacy Rule allows for access to paper and electronic records, the increasing use of technology in the health care arena has the potential to streamline the process of granting patients access to their records. Americans support advancements in health information technology but also express serious concern about related privacy and security issues.

Electronic medical record (EMR) systems could go a long way to addressing issues related to patient access to personal health information, such as cost and timeliness. But while the technology is certainly promising, the privacy risks are significant. The HIPAA Privacy and Security Rules provide a clear foundation for the development of EMR systems, but they are just that—a foundation. While both laws serve as a good starting point, neither fully anticipates or addresses issues associated with the development of a system in which personal health information is shared electronically across a spectrum of providers.

Conclusion and Recommendations

Generally, providers understand their responsibilities to grant patients access to their medical records under the HIPAA Privacy Rule. Nevertheless, some confusion remains among providers about the access provisions of the law.

Additionally, patients are ill-informed about the rights afforded them under the Privacy Rule. Overall, OCR needs to actively monitor, enforce, and educate the public and providers about the law. OCR should seek funding from Congress to launch an immediate, widespread public education campaign that encourages patients to assert their access rights under the law by offering them technical assistance, including written guidance and sample language to prepare written requests.

Access to personal health information is essential to strong privacy protections and quality health care. In the health care arena, access to personal medical records has been shown to encourage patient participation in care, adherence to treatment regimens and enhanced doctor-patient communication.

The implementation of the Privacy Rule was an important step towards ensuring that patients are afforded the necessary privacy protections. The related access provisions of the law are a vital component in meeting the needs of patients and the demands of an effective health care system. However, while the Privacy Rule was groundbreaking, the impact of the law has, so far, fallen short of its potential. Patients who are unaware of rights afforded them under the law are not exercising those rights—to the detriment of the quality of their own care, as well as the quality of the health care system. As the development and implementation of a national health information infrastructure continues, including EMRs, it is critical that providers are aware of their responsibilities and that patients are both knowledgeable about their rights and committed to asserting them.

Written by Joyce Dubow, AARP Public Policy Institute
January 2006
©2006 AARP
All rights are reserved and content may be reproduced, downloaded, disseminated, or transferred, for single use, or by nonprofit organizations for educational purposes, if correct attribution is made to AARP.
Public Policy Institute, AARP, 601 E Street, NW, Washington, DC 20049

Join the Discussion

0 | Add Yours

Please leave your comment below.

You must be logged in to leave a comment.