How to Handle Records Requests - HIPAA + CURES Compliance

Introduction

The United States federal government, along with many states, continually updates the rules and standards associated with client/patient access to health information.

With very few exceptions, patients are already entitled to their records through HIPAA. Providers should be wary of any practice that denies or restricts access once a request has been received.

TherapyAppointment provides a variety of features to help you respond to records requests. Based on these features and current legislative guidance, we’ve created the following guidelines. Please use these guidelines to establish processes for your own practice.

Guidelines

• You must respond to records requests in a prompt manner.

• While the Federal Privacy Rule currently allows 30 days, arbitrary delays can constitute information blocking, even if you act inside of this window.
  
  
  error Note: This timeline is subject to change with the new Privacy Rule proposed changes that outline a 15-day maximum.
• State laws may also vary, requiring a speedier response, so be sure to check your states’ specific guidelines.

• You must have a process to handle a standing request for ongoing release of new records.

• You are required to take reasonable steps to verify the identity of an individual making a request for access.
• Neither Health Insurance Portability and Accountability Act of 1996 (HIPAA) nor the 21st Century Cures Act (Cures) defines how to perform identity verification.

• This detail is generally up to your discretion as long as you do not create unnecessary burdens or obstacles between an individual and access to their records.

• Registering your clients for the TherapyAppointment 2.0 Client Portal provides a level of identity verification. We suggest asking your clients to also submit records requests via messaging within their Client Portal.

• However, you should still consider whether any other person (e.g., a parent or spouse) has access to a given patient’s account.

• You must attempt to satisfy a request in the form and format expressed by the patient if this is within your current capabilities.
• If you cannot provide the records in the requested format, HIPAA and Cures require you to offer an alternative electronic format. TherapyAppointment’s software supports PDF versions of records, and these can be provided to clients.

• All providers are expected to deliver records through physical or electronic mail at the patient’s request. In these circumstances, you must discuss the risk with the patient before completing the request.
• You cannot require a patient to pick up records in person if they have requested electronic delivery.

• Remember that access to healthcare records is a right under US law. Inappropriately denying access to records is considered a civil rights infringement.

• States may also provide laws governing denials.

• While HIPAA may allow you to deny a request that might cause harm, this exception is very narrow and must be applied on a case-by-case basis.

• Before charging any fees for fulfilling a records request, make sure that you fully understand the restrictions on fees under HIPAA, Cures, and state law.
• Make sure that you fully understand the relevant State law. It may impact one or more of these points, including the permitted time for responding to a request or the type of information that you are required to share.
• You should enable TherapyAppointment’s Client Portal and features related to messaging and sharing records (e.g., billing and statements). As far as TherapyAppointment makes these services available at no extra cost, it is within your clients’ rights to use them to access their own information.
• The U.S. Department of Health and Human Services (HHS) is currently reviewing changes to the privacy rule which may shorten the timeline allowed to respond to records requests and modify other aspects of this guidance.