With new laws brimming on the health care horizon, providers are bound to get a wave of medical record requests. Therefore, if you've received medical record requests from one of your patients, either directly or via a patient tool like Guava, this article will guide you through the necessary steps and give you the information to stay well-informed on new laws and regulations.
Do I Have to Send My Patient Their Medical Records?
Yes. According to the HIPAA Privacy Rule, providers must share all personal health information with the patient at the patient's request, even if the patient requests this information through a third-party service. This includes but is not limited to all medical records, billing records, enrollment records, payment records, and any other records used to make decisions surrounding the patient (with some exceptions). The U.S. Department of Health and Human Services defines a record as "any item, collection, or grouping of information that includes personal health information (PHI) and is maintained, collected, used, or disseminated by or for a covered entity."
How Do Medical Record Requests Work?
Usually, before you begin the process of sending records to your patient, your clinic or hospital may first have your patient submit a request. This request may be a written request, via email, via a secure web portal, or via a record authorization form. Most hospitals and clinics have their own record authorization forms, which are very helpful for patients requesting records directly from you.
HIPAA law also gives patients the right to verify their identity and request their records without coming to your office in person or mailing information. Providers commonly use the patient’s name, previous names, birthday, and the last four digits of the patient’s social security number present on the authorization form. Another common option would be requesting a phone call from the patient or a photo of their driver’s license via email.
In addition, the E-Sign Act legitimizes electronic signatures and records so you must accept any contract, record, or signature (like an authorization form) in an electronic format if the patient prefers.
After you receive a request from your patient, there are multiple ways you can send these records.
How Can I Send Records Directly to My Patient?
When sending records, keep in mind patients can request to receive them in whichever format they want. If you have that format readily available or easily convertible (such as electronic records already in an EHR system), then federal law says you must provide the patient with that format. This means, for instance, that you cannot print out records and mail them if the patient requests digital records. Print-to-PDF is often an easy solution that both Windows and Mac support.
There are many HIPAA-compliant secure digital transfer methods, including secure email (providers include Protonmail, Zoho Mail, and Mailbox) or drive-sharing services. In addition, patient services like Guava may provide a secure upload link. This is the most secure method because the information travels encrypted directly to the final destination and doesn’t involve third parties.
An arguably strange exception to HIPAA security rules is that if the patient explicitly asks you to send something using an insecure format like standard unencrypted email, you must still comply under HIPAA.
How Can I Send Records Requested Through a Third Party?
Many personal health record apps now provide services that allow patients to pool their records into one place. These apps are a great tool for people to better understand their own diagnoses, treatments, and overall health. However, medical records are confidential information and should be protected. There are several ways to send medical records to these third parties, but only a few methods are truly protected and secure.
| Secure Upload Link | |
|---|---|
Pros
|
Cons
|
| Email or Drive-Sharing Services | |
Pros
|
Cons
|
| Fax | |
Pros
|
Cons
|
Pros
|
Cons
|
| Carrier Pigeon | |
Pros
|
Cons
|
How Long Do I Have to Send My Patient’s Records?
As the HIPAA Privacy Rule states, you have 30 days since your patient’s request to send their records. However, if you fail to send your records within the 30 day timeline, you are allowed to request only one additional extension (another 30 days) to which you must provide your patient the reasoning behind this extension in writing and the date your patient should expect their records. Even though you have 30 days to complete this request, it’s encouraged to send them as soon as you can.
What If Patients Want to Access Their Records Electronically Through a Third-Party App?
The recent CMS Interoperability and Patient Access Ruling (CMS 9115-F) and the ONC Cures Act require providers and health plans to make certain patient records accessible electronically via authorized third-party apps of the patients’ choosing. If you receive a request from patients to access their records via a third-party app, your EMR (e.g. Healow, Allscripts, Meditech, etc.) can usually help you make that integration possible to comply with the law. Allowing patients to access their records electronically via third-party apps also reduces the number of physical record requests you’ll have to handle in the long term, saving everyone time, money, and precious paper.
Conclusion
It’s important to remember that these laws are not put in place to frustrate providers, but instead, to allow transparency between the patient and their doctor to foster better healthcare from both ends. We understand the busy schedule and overwhelming workload providers face. That’s why Guava's goal is to make it easier for patients to play a large role in their own health while reducing the work of our already overburdened healthcare providers.
