Hospitals, physician practices and other healthcare providers continue to misunderstand patients’ rights to their own records years after HIPAA’s privacy rule took effect. The Los Angeles Times reported on July 27 that the California Medical Board receives many complaints from patients about trouble accessing medical records from doctors:

Candis Cohen, a spokeswoman for the board, says physicians and their office staffs frequently confuse details of the HIPAA privacy law and, even with the best intentions of protecting patients’ privacy rights and complying with the law, deny consumers access to their medical records.

Among the common disputes is whether covered entities are allowed to charge patients retrieval fees for copies of their own records. HIPAA strictly limits charges associated with providing patients access to their records to "a reasonable, cost-based fee" for copying, postage and any time spent on preparing a summary explanation (as applicable). Thus, in instances where state laws allow providers to charge the patient other record-retrieval fees, such as costs associated with retrieving records for insurance companies, lawyers and other non-patients, providers may not be permitted to pass along these costs to their patients due to HIPAA, despite any such permissive state law. Also, some providers erroneously believe that they are not allowed to fax or email medical records to a patient, even at the patient’s request.

For some providers, confusion over the rules and unreasonable fear of penalties under HIPAA and state privacy laws have resulted in reluctance to release medical records to the people HIPAA was designed to protect: the patients themselves. I personally experienced this type of resistance shortly after the Privacy Rule became effective in 2003, when confusion was more understandable. By 2009, you’d think covered entities would have a better grasp of their rights and duties, but misunderstandings persist.