Most providers not fully compliant with HIPAA access requirements, research shows

August 15, 2019

Dive Brief:

  • More than half of providers sampled in a recent study failed to comply with the HIPAA right of access, according to research published Wednesday on medRxiv, a free online archive for unpublished health-related manuscripts. The study has not been peer-reviewed.
  • The most common problem was providers not sending health records via email when patients requested them. About a quarter were also potentially noncompliant with the health privacy law’s fee limitations.
  • The average wait for responses ranged from one to 26 days, with eight days being the average. More than 70% of requests would not have been fulfilled pursuant to HIPAA without some form of intervention, such as educating staff members on the law or calling supervisors.

Dive Insight:

The study authors said while efforts to digitize medical records and let patients access information through their phone or a patient portal are ongoing, “it will be years before seamless digital access by patients to all of their health information is a reality.”

“In the meantime, requests to medical records departments (and Radiology) will still be required to enable patients to amass all of their health information. It is critical that these processes be compliant with HIPAA and responsive to patient needs,” they said.

The research was led by Deven McGraw, former deputy director for health information privacy at the HHS Office of Civil Rights. McGraw is now chief regulatory officer of Ciitizen Corporation, a consumer platform aimed at enabling patients to obtain all of their health records, with an initial focus on cancer patients.

The study used requests to 51 providers from 30 cancer patient beta users of the Ciitizen platform. They averaged about two medical requests per patient. Researchers then scored provider responses on a scale of one to five based on a few key metrics: whether providers accepted requests by email or fax, whether the records were sent in the format the patient requested, whether the records were sent within 30 days and whether no unreasonable fees were charged.

It also included a phone survey of more than 3,000 healthcare institutions that produced similar findings, with 56% of responses indicating lack of compliance.

The issue is hardly new. A recent JAMA study also found discrepancies in records release processes at more than 80 top hospitals studied, and patient anecdotes of difficulty abound. Access was among the top four issues for HIPAA investigations by OCR from 2015 through 2018.

The sweeping healthcare privacy law, now more than two decades old, could be getting an update, however. In December, HHS issued a request for information seeking ideas on removing regulatory barriers to ease care coordination and case management. Providers that responded were by and large wary of change and opposed any effort to shorten the window for responding to record requests.

Healthcare Dive – Latest News