Health Information Technologies and Processes

refusal to send records

  • 1.  refusal to send records

    Posted 04-03-2019 14:10

    I have requested records from a facility that performs the same services as our clinic. The owner of the clinic is a former employee of the organization I work for.  I have requested records, and she is not sending the records. After the 30 day time period has passed, what is my next step to get the records?  This is not a medical doctor. It is for O.T., P.T., Speech & ABA services .


    Thanks in advance,


    Melissa Alley

    Client Records & HIPAA/FERPA Compliance Coordinator |


    Wichita, Kansas 67226

    Fax 316.634.8875


    The content of this e-mail is intended solely for the use of the individual or entity to whom it is addressed. If you have received this communication in error, be aware that forwarding it, copying it, or in any way disclosing its content to any other person, is strictly prohibited and may be prosecuted. If you have received this communication in error, please notify the author by replying to this e-mail immediately.

  • 2.  RE: refusal to send records

    Posted 04-03-2019 14:29
    ​Good afternoon,

    I would suggest you contact the office to ensure that they received the request.  If yes, I would ask to speak to the employee's manager and/or
    the Privacy Officer.  Please also note the following from the OIG website.  If a request is going to take longer than 30 days, HIPAA allows for a one time additional 30 days, but the requestor must be notified. Best wishes.

    Timeliness in Providing Access

    In providing access to the individual, a covered entity must provide access to the PHI requested, in whole, or in part (if certain access may be denied as explained below), no later than 30 calendar days from receiving the individual's request. See 45 CFR 164.524(b)(2). The 30 calendar days is an outer limit and covered entities are encouraged to respond as soon as possible. Indeed, a covered entity may have the capacity to provide individuals with almost instantaneous or very prompt electronic access to the PHI requested through personal health records, web portals, or similar electronic means. Further, individuals may reasonably expect a covered entity to be able to respond in a much faster timeframe when the covered entity is using health information technology in its day to day operations.

    If a covered entity is unable to provide access within 30 calendar days -- for example, where the information is archived offsite and not readily accessible -- the covered entity may extend the time by no more than an additional 30 days. To extend the time, the covered entity must, within the initial 30 days, inform the individual in writing of the reasons for the delay and the date by which the covered entity will provide access. Only one extension is permitted per access request.

    Kathleen Heinze, RHIA, CPC
    HIM Compliance