The facility must comply with and follow HIPAA. A facility should not release records just to satiate a request for records if they must jeopardize their ability to comply fully with HIPAA. If the patient cannot get to the facility AND there is no patient portal to allow for an electronic viewing/access, then it may well be that the patient will not get their records.
Denise VanFleet, MS, RHIA | Program Coordinator, HIM BS Program; Assistant Professor
Rasmussen College - National Online
I would suggest you go to the hospital administration and complain. This practice is placing an unnecessary burden on the patient. This is a totally unreasonable practice. If you cannot get anywhere with the administration, I would contact the Office of Civil Rights.
Lynn Boyes, RHIT
Health Information Management Director,
HIPAA Privacy Officer
7010 S. Yale Ave | Tulsa, OK 74136 email@example.com | 918.236.4135 direct line
I completely disagree with the statement that says "the patient may not get their records." That is completely unacceptable. When your mother was a patient, surely she was registered with her address. Why is it not possible for the hospital to accept her signature on the release form (compare it to when she was a patient) and then mail the records to her address?
I certainly cannot go through or project all the possibilities of a release. That is for the facility and the patient to work through. I am saying, however, that a facility must be able to confidently comply with HIPAA.
The Privacy Rule requires a covered entity to take reasonable steps to verify the identity of an individual making a request for access. See 45 CFR 164.514(h). The Rule does not mandate any particular form of verification (such as obtaining a copy of a driver's license), but rather generally leaves the type and manner of the verification to the discretion and professional judgment of the covered entity, provided the verification processes and measures do not create barriers to or unreasonably delay the individual from obtaining access to her PHI, as described below. Verification may be done orally or in writing and, in many cases, the type of verification may depend on how the individual is requesting and/or receiving access – whether in person, by phone (if permitted by the covered entity), by faxing or e-mailing the request on the covered entity's supplied form, by secure web portal, or by other means. For example, if the covered entity requires that access requests be made on its own supplied form, the form could ask for basic information about the individual that would enable the covered entity to verify that the person requesting access is the subject of the information requested or is the individual's personal representative. For those covered entities providing individuals with access to their PHI through web portals, those portals should already be set up with appropriate authentication controls, as required by 45 CFR 164.312(d) of the HIPAA Security Rule, to ensure that the person seeking access is the individual or the individual's personal representative.
While the Privacy Rule allows covered entities to require that individuals request access in writing and requires verification of the identity of the person requesting access, a covered entity may not impose unreasonable measures on an individual requesting access that serve as barriers to or unreasonably delay the individual from obtaining access. For example, a doctor may not require an individual:
While a covered entity may not require individuals to request access in these manners, a covered entity may permit an individual to do so, and covered entities are encouraged to offer individuals multiple options for requesting access.
Thank you all for the advice, the link to the "Unreasonable Measures" information and for the reminder to "see the innocence".
I was originally speaking to the department receptionist. I was forwarded to the staff member who handles ROI who explained what I originally shared.
I would be surprised if this request exceeded a page limit. It was a fairly routine ER visit with a few labs and radiology tests ordered.
I just sent a scanned copy of the completed authorization form with the message below. I will let you all know how I made out.
Dear
Attached please find a completed authorization signed by my mother, XXXX.
Ideally, my mother would like:
Please see the information at the following link from the Office of Civil Rights which indicates that a patient has a right to request to receive a record via email. My mother would assume the risk of a breach of information. https://www.hhs.gov/hipaa/for-professionals/faq/2060/do-individuals-have-the-right-under-hipaa-to-have/index.html (The following is an excerpt from this link: "Thus, a covered entity may not require that an individual travel to the covered entity's physical location to pick up a copy of her PHI if the individual requests the copy be mailed or e-mailed.")
Please also see the information at the following link for Office of Civil Rights Guidance which describes "Unreasonable Measures" that covered entities may not employ when providing a patient access to their records https://getmyhealthdata.org/ocr-guidance-requests/
The following are excerpts:
-Who wants a copy of her medical record mailed to her home address to physically come to the doctor's office to request access and provide proof of identity in person.
I've added a notation onto the authorization, indicating that my mother authorizes the information to be mailed to her, picked up by either XXXX (son) or XXX (daughter) or to be mailed to my mother's home address. (This is the same address she used when she registered for the ER visit. I also believe my mom was seen a few years back at [Hospital Name] and would have used the same address at that time.)
I think that my mother would have signed consent forms when she registered. So, her signature on the authorization form could be compared against her signature on consent.