HIPAA Compliance: Form vs. Phone / by David Driscoll

One of the most frustrating aspects of requesting your health information from a hospital is the actual requesting itself. While many institutions provide submission forms—both written and electronic—to handle the queries, you’re likely going to end up on the phone with a records department agent no matter what because of the discrepancies between the options available on these forms and the reality of your needs. Yale’s Assessment of US Hospital Compliance With Regulations for Patients’ Requests for Medical Records found that, “among the 83 top-ranked US hospitals representing 29 states, there was discordance between information provided on authorization forms and that obtained from the simulated patient telephone calls in terms of requestable information, formats of release, and costs.”

Looking at the stats, we can see exactly how those discrepancies break down:

  • As few as 9 hospitals (11%) provided the option of selecting the desired categories of information on the request form

  • Only 44 hospitals (53%) provided patients the option to acquire their entire medical record

  • On telephone calls, all 83 hospitals stated that they were able to release entire medical records to patients

At Ciitizen, helping patients request their health records is a daily office activity, and we’ve seen similar levels of discordance, not only with the discrepancies between what’s available on the form versus the phone, but also the amount of effort it takes to get someone on the phone who understands HIPAA’s right of access! On average, our team has found that:

  • A minimum of 3 escalations are often necessary in order to obtain reports

  • 50% of the time an escalation to the hospital’s chief privacy officer was necessary in order to get information released

  • Therefore, 50% of the hospitals we contacted—HALF!—were not compliant with HIPAA regulations right off the bat, requiring us to go up the food chain in order to exercise the right of access

Most of the time an escalation to a privacy officer was needed because our request via the form was denied, but as the Yale report supports, all hospitals are ultimately compliant if you can get them on the phone. Yet while HIPAA requires hospitals to comply with patient requests for their health data, it doesn’t mandate how the requests themselves must be facilitated, but the process shouldn’t be burdensome for patients.

So I have to ask: are incomplete data request forms that require patients to follow up with multiple phone calls, often requiring escalation to the hospital’s privacy officer, considered “burdensome” under HIPAA?

Let’s not forget the Yale report also found that “three hospitals were unreachable, two of which provided no option to leave a voice message or reach a department representative.”

If that’s not burdensome, what would fit that definition?

-David Driscoll