Stories of Non-Compliance: Fax & Email Requests

Calendar Icon February 14, 2019
Reading Time Icon Read Time: 2 min
By Ciitizen

We sent a plethora of requests to a massive, well-known hospital chain on the west coast recently, and they responded by sending us this:

***Action Required*** Faxed/Emailed Requests No Longer Accepted — Please Mail Requests With Prepayment.

Just forget for the moment that the email we received included an encrypted password just to access the notice that our request could not be faxed or emailed, creating yet another obstacle for our patient.

As Deven’s last post stated, per OCR guidelines, hospitals cannot force patients to mail in an access request, as this would unreasonably delay the covered entity’s receipt of the request and thus the individual’s access. Hospitals also cannot charge unreasonable fees, yet this particular hospital chain was demanding a prepayment-even though fees for digital copies of digital records would generate a low (if any) fee, and how do you know how much you are required to pay before you’ve even submitted a request?

But this is the type of message we see all too often, if we’re lucky enough to receive any message at all.

We recently faxed another request to a provider listed as one of the “top 100 hospitals” in the US, part of a division of a leading hospital management company with 34 hospitals across 10 states. After not hearing anything for three days, we called the office to follow up. The medical records representative’s exact response to our Ciitizen request sheet was:

“You make life so complicated. What the heck? Your form confused the heck out of me. I just put it to the side.”

At Ciitizen, we use nothing more complicated than a standard form to request medical records. The fact that it confused this particular representative is highly unnerving, but even more concerning is that she chose to put it aside rather than follow-up on the request (we provide our contact information, of course). She then added that it would take her 15 days just to transfer the request to corporate. When we pushed back that this request was for a cancer patient needing continuity of care, she said:

“Well, I could expedite it. Do you want me to?”

Uh….for God’s sake: YES! We are helping cancer patients in need of treatment here, and fortunately we understand the rights that HIPAA provides them to access their health records. But what about those patients that are putting in requests on their own? Are they supposed to fight a two-front war against the disease on one side, and the hospital’s records department on the other?

-Lisa Taylor

Originally published at on February 14, 2019.

Share this insight