In the previous post of our five-part Legal Issues blog series, we explored the FAQs that the United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has published in recent months concerning patient access to Protected Health Information (PHI). The FAQs were generated in response to recent studies and OCR investigations that found patients often face obstacles when trying to access their health information from hospitals and physician practices.

The last post described potential barriers in the request stage of the Release of Information (ROI) process for patients, which you can read here . This post, the final in our Legal Issues series, will focus on the release stage of the process.

Provide patients with access to their “designated record set”
HIPAA entitles patient access to their “designated record set” which consists of a broad array of health information including: medical and billing records; insurance information; clinical laboratory test results; medical imaging; wellness and disease management program files; and clinical case notes. The OCR’s FAQs provide guidance on what should be considered part of a designated record set and should be reviewed by providers to ensure compliance.

Deliver PHI in the requested format
Under HIPAA, patients are entitled to receive copies of their PHI in the form and format they request. If that’s not feasible, the PHI must be in a readable format agreed to by the provider and patient. Thus, if a patient requests copies of their electronically-stored PHI in the same format, a provider should offer the requested PHI copies in an email, on a CD-ROM, or in another electronic method. The same rule applies if the patient requests copies of their PHI be delivered on paper.

Release PHI within 30 days of receipt of their request
A major focus of the OCR’s recent FAQs is the importance of providing patients with access to their PHI within 30 days of receipt of the request. If a rare long turnaround time is unavoidable, the provider must notify the patient of the delay, explain why it has occurred, and when the patient should expect to receive copies of their PHI.

Providers should review their turnaround times and make sure they are in line. Having a form letter prepared in the event that there is a delay is also a good idea.

I hope you enjoyed reading the posts in this Legal Issue series as much as I enjoyed writing them. To be sure you never miss a new post, you can subscribe to MRO’s blog below.

This blog post is made available by MRO’s general counsel for educational purposes only, as well as to give general information and a general understanding of the law, not to provide specific legal advice. This blog post does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.