Staff members need to know that practices are legally required to provide patients with their records and that organizations can be fined for not doing so. There are some important points to remember. Providers have 30 days to respond to a request and most practices should be able to get records out well before that deadline, Hook said. If a patient asks for information provided electronically, it must be given that way if possible. Staff should just remember to explain that if the information will be sent over unsecured email, once the document leaves the provider’s care, it is not their responsibility if it is intercepted or lost.
Patients do not have to fill out a records release form when they are asking for their own information. Most practices require this, but it is an unnecessary burden for patients, Pritts said.
Medical organizations should have a process in place for handling records requests. That process should be part of their HIPAA procedures. Hook said it should not be difficult for most offices to create a single-page document outlining the process for releasing information.
Record requests can be directed to the organization’s privacy officer, the person who would verify the identity of patients or their representatives who are requesting the health information.
“It really shouldn’t be too hard in most offices to say, ‘Here’s how we release information after we get a request,'” Hook said.
Organizations can charge fees for providing records, but these fees must be reasonable and comply with HIPAA guidelines.
Hold Off Saying ‘No‘
Most importantly, Hook recommends using a take-a-breath approach when patients require their medical records. Patients should never be told “no” right away. If there is an issue, patients should be asked to fill out a records release request. This gives practices time to consult their procedures and determine the best way to proceed.
“I get calls from patients who say a practice told them it was against HIPAA regulations to send records in the mail,” Hook said. “That sounds like something someone made up instead of taking the time to ask. They [staff] don’t want to do it, or they have an imperfect understanding of the HIPAA laws, and they definitely don’t understand the potential consequences of their actions.”
This article originally appeared on Renal and Urology News