Almost any information can be delivered digitally these days, whether it comes directly from a digital database or as a PDF scan attached to an email, and the privacy rules surrounding the release of medical records have taken these modern capabilities into account for patients requesting their health data. Under the HIPAA right of access, individuals have the right to get copies of their information in the form or format they they want — as long as it is “readily producible” in that format (i.e., the hospital or doctor is capable of producing it and doesn’t have to go out and buy new software to meet the individual’s particular format) (45 CFR 164.524(c)(2)(i)). That means a digital scan can be requested over a physical paper copy, so long as the hospital in question has evolved beyond the fax machine.
But the rule is even more specific when it comes to getting an electronic copy of your health data. If the information requested by the individual is maintained electronically (for example, if it is in an electronic medical record, or in software that stores electronic documents), and if the individual requests an electronic copy of that information, the covered entity (doctor, hospital, lab, pharmacy, health plan, for example) “must provide the individual with access to the protected health information in the electronic form and format requested by the individual.” If it is not available in the particular electronic form and format requested by the individual, it must be in a “readable electronic form and format as agreed to by the covered entity and the individual” (45 CFR 164.524(c)(2)(ii).
In other words, it is NEVER acceptable to provide an individual with paper copies of a digital record, unless the individual has specifically asked for paper copies — or the rare instance where the individual refuses to accept any reasonable digital options (such as PDF) that the entity can readily produce. In the words of OCR, “individuals who request electronic access to PHI maintained electronically can be diverted to receiving a paper copy only in circumstances where all of the covered entities’ existing capabilities for readily producing electronic copies have been presented to the individual, but the individual has determined that those formats are not acceptable to her.” If the information is stored digitally, it must be delivered digitally if the patient has requested it as such.
But what if the information the individual is requesting is actually maintained on paper (for example, a record that was created prior to the more widespread adoption of electronic medical records by doctors and hospitals and the information in that record was never scanned into the electronic medical record)? Even in that case, the individual has the right to get that information digitally if the covered entity has a scanner and can readily scan the paper record into electronic format. The rule doesn’t require hospitals to purchase a scanner in the absence of one, but I have to ask: what records office doesn’t have a scanner in 2019?
And while entities are not required to go out and buy new software just to meet an individual’s format request (even though scanners can be had for less than $100 these days), entities that maintain protected health information digitally must have the capability to provide some form of readable electronic copy of that information. According to OCR, “this means that some covered entities may need to make some investments (which cannot be charged to individuals) in order to meet this baseline requirement” (i.e. shelling out $100 or less for a scanner).
Finally, when an individual asks for a particular form and format, such as seeking PHI in digital format, the question of whether the entity can “readily produce” it in the requested form or format is a “matter of capability, not willingness.” An entity cannot decline to provide the individual’s requested form or format because the entity would prefer than individual accept another format, or another format is part of an entity’s customary record processes. It cannot be a policy decision. If a hospital is capable of digitally scanning a patient’s records (which they all should be), then they must do so at the patient’s request.
And the vendors who perform this service on behalf of hospitals and doctors must play by these same rules.