The right of individuals to access their health information under HIPAA is one of the most frequently misunderstood provisions of the HIPAA Privacy Rule. Patients frequently underestimate this right and think they cannot access or receive copies of some or all of the information in their records. Why? Because the information they are provided about the right of access, from the very entities required to comply with this right, is often inaccurate.
One purpose of the #myhealthmydata campaign is to gather and share our stories - as well as stories from patients and their caregivers - of the effort it takes to collect one’s health information using the HIPAA right of access. But we also want to educate patients - and the public - about HIPAA’s requirements, so that the next time you ask for copies of your health information (which we encourage you to do), you’ll know when not to take “no” for an answer.
This week’s lesson is about the “designated record set.”
One common way that health care entities push back on patients requesting their records is to claim that certain categories of information “cannot be shared” with patients. Images - such as xrays and MRIs - are often denied to patients, and progress notes from physicians or other medical professionals - often a rich source of information about a patient’s diagnosis and treatment - are another category of information some providers are hesitant to reluctant to share directly with patients.
Under the HIPAA Privacy Rule, patients have the right to access and obtain copies of all of their identifiable health information (called protected health information or PHI) that is part of a “designated record set.” (45 CFR 164.524(a)(1)) clearly explains that the he “designated record set” is more than just what an entity decides is part of a patient’s “medical record.” It is all records held by a health care provider or health plan that are:
(i) The medical records and billing records about individuals maintained by or for a covered health care provider;
(ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals. (45 CFR 164.501)
Psychotherapy notes that are kept separate from other information in a patient’s record are not part of the designated record set (and therefore not subject to the patient’s right of access), but this exception is limited to psychotherapy notes, which are notes recorded by a mental health professional as part of a psychotherapy session. This exception does not extend to notes from other professionals. (Information compiled for the purpose of a civil, criminal or administration action or proceeding is also excepted from this right.) But the breadth of this definition - and that there are only a couple of narrow exceptions - means patients are entitled to most health information that is generated about them and held by a health care provider or a health plan.
The agency that enforces HIPAA - the HHS Office for Civil Rights (OCR) - has made clear in guidance that the “designated record set” includes x-rays and other images, and also includes provider notes. You can see where OCR could not be more clear that patients have a right to receive copies of their X-rays. OCR does note image files can be quite large, so often there needs to be some negotiation between the provider and the patient (or a vendor or service like Ciitizen working on the patient’s behalf) about how best to convey the copy of the image for the patient, but at no point does OCR question whether individuals should be able to get copies of x-rays directly pursuant to the HIPAA right of access.
As for provider notes, OCR has also made it clear that patients have a right to obtain of copy of provider notes. This guidance also reinforces the right of patients to get copies of their x-rays.
You can’t get more clear guidance than what is in those two links. Why patients are still getting misinformation about their rights to this information is … well, let’s just say it’s a head scratcher. It’s also a violation of the HIPAA right of access to deny individuals copies of their health information based on misinformation about HIPAA. Just like in the movies, “ignorance of the law is no excuse.”
We also want to give a shout out to ePatient Dave and to the Open Notes Program - both of whom have been among the many steadfast advocates for the right of patients to access their health information.
ePatient Dave (Dave deBronkart) wrote a great blog post last year to counter the argument that patients won’t want their images because they won’t be able to read or understand them. If there’s one thing we should never doubt in the internet age, it’s the ability for consumers to educate themselves and become experts in their own right. As we’ve learned here at Ciitizen, nothing motivates a patient to seek out and understand their medical records more than a cancer diagnosis.
The Open Notes program has been steadfastly working to encourage health care providers to voluntarily make notes affirmatively available to patients, such as through patient portals. Yes, notes are already required to be made accessible to patients when they ask for them, but OpenNotes advocates for providers to make this information accessible to patients without the patients having to specifically ask for them. The more information made affirmatively available to patients, the easier it will be for them to collect their comprehensive health histories with minimum hassle. And I think we’ve made it clear over the last few months as to what a hassle it can be.
And now you know your rights in the midst of such a hassle. Yes, you have the right to get copies of all of your health information, including the images, and copies of the notes. They are indeed part of the “designated record set.”