As Deven stated this past Tuesday, the “designated record set”—the data that we as patients have a right to—is an often misunderstood aspect of our rights under HIPAA. As an example, many patients don’t realize they have a right to copies of all of their imaging—every x-ray, CT scan, MRI, and even the photos from your colonoscopy!
Today we want to talk about our efforts at Ciitizen to obtain copies of images for our users.
When we first started asking for medical records on behalf of patients, we relied on hospital websites for guidelines on how to submit those requests. With each request we specifically stated that we were seeking images as part of the “designated record set.” Early on, we gave each institution the benefit of the doubt and waited to follow up until we were close to the HIPAA 30-day deadline. (Of note: we have since learned that follow-up within 48 hours is necessary to avoid the request going into a black, bureaucratic hole.)
When we did call to check on these early requests, it surprised us to learn that, for many institutions, a separate imaging request had to be specifically submitted to the hospital’s radiology department. Needless to say, this tidbit of information was not included as part of the website page of instructions on how patients should submit their requests; we actually learned this information when we called to check on the request. One institution even told us (confidentially, we presume!) that, when they received requests for radiology images, they ignored that aspect of the request, as the health information management (HIM) department was not authorized to release images to patients.
As we know, however, imaging is indeed part of the “designated record set.” Yet, when we call radiology departments to determine their processes for getting x-rays to patients (or their designees), we too often hear that the radiology department will not release images to patients—only to other medical professionals. In fact, roughly one out of every ten institutions we’ve queried seems to think imaging is not included under the HIPAA right of access.
First, if an institution wants radiology requests going directly to the radiology department, this needs to be communicated to patients up front. Secondly, the institution is still obligated under HIPAA to provide this information to patients, so if the radiology department isn’t properly trained on the HIPAA right of access (which seems to be the case at least 10% of the time), that’s a serious non-compliance issue.
In one particular instance, we sent a request to a community hospital for a “designated record set,” including images, on behalf of a cancer patient and had to follow up when we did not receive the information by the 30-day deadline. (Our request also had to be sent by mail—no other communication method was permitted—but we’ll take that issue on in a future blog post.)
Our request clearly indicated that the patient wanted designated record set information to be sent to Ciitizen by email (with acknowledgements of the security risks of unsecure email, as required by HIPAA), and that the institution could mail a CD with images if they were too large to be emailed. Nevertheless, we received a CD by mail of medical records over a month and a half later—accompanied by a letter indicating that the radiology images needed to be requested directly from the radiology department. We had already had phone conversations with the community hospital’s HIM department when the records were in danger of passing the 30-day deadline, and at no point did the HIM staff tell us we needed to send a separate request to radiology. Not until we received the letter well past the compliance deadline did we learn of this necessity.
As a result of this all-too-frequent scenario, we now call all facilities ahead of time to find out directly from hospital administrative staff about the specific processes for filing requests, including for images, and we hear from far too many radiology departments that images “cannot” be released to patients as they are not part of the “designated record set” (yet, we know from Deven’s blog post this is incorrect!).
It is not unusual for us to hear different policies regarding the release of radiology images (will they or won’t they release to patients) from different locations of the same hospital system. That some large hospital systems don’t standardize their policies isn’t necessarily shocking, but the fact that they’re non-compliant with HIPAA is entirely unacceptable.