Despite HIPAA Law, Researchers Say Getting Medical Records Still is Burdensome | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

Despite HIPAA Law, Researchers Say Getting Medical Records Still is Burdensome

October 8, 2018
by Rajiv Leventhal, Managing Editor
| Reprints

Although federal law has long promoted patients’ access to their protected health information, a recent study of 83 hospitals has revealed that there was noncompliance with federal regulations for formats of release and state regulations for request processing times.  

The research, published recently in JAMA, also found that there was discordance between information provided on medical records release authorization forms and that obtained directly from medical records departments regarding the medical records request processes.

The Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) gives patients the right of access to their protected health information. Per federal regulation, medical record requests must be fulfilled within 30 days of receipt (with the possibility of a single 30-day extension) in the format requested by the patient if the records are readily producible in that format.

Despite HIPAA and the fact that electronic health records (EHRs) are much more widespread now than in years past, patients may not be able to easily request, receive, and manage their medical records. Under guidance from the U.S. Department of Health and Human Services, hospitals are permitted to impose a reasonable cost-based fee for the release of medical records, but costs still remain high. What’s more, many hospitals add procedural obstacles that can limit patient access, the researchers noted.

To this point, a GAO (Government Accountability Office) report earlier this year also found some troubling trends regarding patient access to medical records. The GAO analyzed four states, finding one instance in which patients paid more than $500 for a single medical record request, and another in which one patient was charged $148 for a PDF version of her medical record.

For this latest study, researchers collected both medical records release authorization forms from each hospital, and subsequently telephoned each hospital’s medical records department to collect data.

Among the 83 hospitals, 44 (53 percent) provided patients the option on the forms to acquire their entire medical record. For individual categories of “requestable” information on the forms, as few as nine hospitals (11 percent) provided the option of selecting release of physician orders and as many as 73 hospitals (88 percent) provided the option of selecting release of laboratory results. Most hospitals (92 percent) provided the option of an “other” category for requesting information not explicitly listed on the form.

Among the telephone calls made, all the hospitals said they were able to release entire medical records to patients. When asked if any information would be withheld with a request of an entire medical record, two hospitals disclosed that nursing notes would not be released unless they were specifically requested. However, just 25 percent of the hospitals who were called said they were able to release information onto patient portals. All hospitals stated in telephone calls and on the forms that they could release information via mail.

Regarding cost, on the authorization forms, 35 percent of hospitals disclosed exact costs for releasing medical records, 22 percent said they would charge patients without specifying a cost, and 36 percent did not specify anything about fees. For a 200-page record, the cost of release ranged from $0.00 to $281.54, based on the 29 hospitals that disclosed costs.

Among the telephone calls, 82 out of 83 hospitals disclosed costs for paper formats of release. For a 200-page record, the cost of release as communicated in telephone calls ranged from $0.00 to $541.50. And of the 82 hospitals that disclosed costs, 48 hospitals (59 percent) stated costs of release above the federal recommendation of a $6.50 flat fee for electronically maintained records.

Finally, for processing times for medical records release, of the 71 hospitals that provided mean times of release when called, 21 percent reported mean times of less than 7 days; 25 percent in seven to 10 days; 31 percent in 11 to 20 days; 5 percent in 21 to 30 days; and 3 4 percent in more than 30 days. In general, most hospitals were able to release records in electronic format in a shorter time frame than records in paper format.

Of the hospitals that responded with times of release, seven had ranges extending beyond their state’s requirement before applying the single 30-day extension granted by HIPAA.

The researchers concluded, “Requesting medical records remains a complicated and burdensome process for patients despite policy efforts and regulation to make medical records more readily available to patients. Our results revealed inconsistencies in information provided by medical records authorization forms and by medical records departments in select U.S. hospitals, as well as potentially unaffordable costs and processing times that were not compliant with federal regulations. As legislation, including the recent 21st Century Cures Act, and government-wide initiatives like MyHealthEData continue to stipulate improvements in patient access to medical records, attention to the most obvious barriers should be paramount.”

The Health IT Summits gather 250+ healthcare leaders in cities across the U.S. to present important new insights, collaborate on ideas, and to have a little fun - Find a Summit Near You!


/news-item/privacy/despite-hipaa-law-researchers-say-getting-medical-records-still-burdensome
/blogs/rajiv-leventhal/privacy/new-opioids-legislation-patient-privacy-holds-serve

In New Opioids Legislation, Patient Privacy Holds Serve

| Reprints
The attention has turned to patient privacy as a new opioids package nears the President’s desk

Congress’ sweeping opioids legislation—a bill that includes several important health IT provisions—has created much debate in recent days and weeks, as stakeholders sit on different sides of the table over a key patient privacy element.

For background, two weeks ago, the U.S. Senate passed The Opioid Crisis Response Act of 2018, which has the core purpose to improve the ability of various health departments and agencies to address the opioid crisis—including the ripple effects of the crisis on children, families, and communities—as well as help states implement updates to their plans of safe care, and improve data sharing between states.

The House passed its version of the legislation in June, and then after a committee was convened to reconcile the differences between the two bills, the House passed the latest version by a vote of 393 to 8. The Senate will now need to pass this consensus legislation— the SUPPORT for Patients and Communities Act— before it can go to the President for his signature.

One of the major points of controversy was whether or not the federal law, 42 CFR Part 2—which keeps mental health records separate from other health records and prevents the sharing of these confidential treatment records without a patient's explicit consent—would be amended and be aligned with HIPAA [the Health Insurance Portability and Accountability Act]—as many have clamored for. Indeed, while some healthcare stakeholders believed that patient privacy laws should be changed so providers could more easily share information about a patient’s history of substance use, others have maintained that the privacy laws ought to remain intact.

While “the House had approved changes in its original legislation, H.R. 6082 (115), they didn’t make it into the Senate version and were ultimately dropped in negotiations,” according to a recent report in Politico’s Morning eHealth Newsletter. As such, the 42 CFR Part 2 patient privacy law will remain intact.

What’s perhaps most fascinating about this debate is the major players that are on each side of it. According to a recent article in STAT News, “The AMA [American Medical Association] said it believed there was a ‘fundamental misunderstanding’ among groups working to incorporate the proposal into a sprawling opioids bill. Relaxing restrictions on patient privacy, the AMA wrote, could prevent individuals with addiction from seeking medical treatment in the first place.”

The AMA wrote in a letter to lawmakers that the intent of 42 CFR Part 2 is to encourage patients to seek treatment for addiction knowing that their health information will not be shared, thereby easing fears of discrimination and negative legal consequences resulting from their substance use. The AMA’s letter continued, “Aligning Part 2 with HIPAA would effectively remove privacy rights from a particular patient population—the very rights that were created to encourage SUD [substance use disorder] treatment.”

Importantly, the AMA also brought up two other key points in its argument. First, the association noted that amending 42 CFR Part 2 laws would impact more than just opioid addiction. For instance, the AMA wrote, “Alignment [with HIPAA] would remove the privacy rights of all patients who seek treatment at a Part 2 program for any SUD and could discourage patients from seeking treatment not only for opioid dependency, but for other addictions as well.”

The second point the AMA brought up was that patient information is simply not as available as some make it out to be. While those who support aligning Part 2 with HIPAA envision a patient’s SUD records being available to all of the patient’s providers at any given time, the AMA said that given the current state of interoperability, this not practical. The group wrote, “A clinician cannot go to his or her electronic health record (EHR) and ‘pull’ a patient’s SUD information upon request—in other words, regardless of whether Part 2 has been aligned with HIPAA, a clinician cannot simply search a patient’s name in his or her EHR and obtain all of the patient’s information. This problem exists even now with information covered by HIPAA…”

As Politico also has reported, Sen. Patty Murray (D-Wash) was very much in the middle of the dispute as well. Its report noted, “Murray, the ranking member of the Senate HELP (Health, Education Labor & Pensions) Committee, has been withholding her support for including a controversial privacy measure in the sweeping bill to address the opioid crisis despite support by other Democrats including her state's governor. She has reservations about a change that would make it easier for doctors to see a patient's substance abuse records.”

Politico spoke to three lobbyists who said that Washington Gov. Jay Inslee had lobbied Sen. Murray to include an overhaul in the final opioids legislation. “An aide to Murray said she was willing to negotiate a solution that resulted in improved care coordination while protecting patients' privacy,” according to that report.

Meanwhile, other health IT groups, such as the College of Healthcare Information Management Executives (CHIME), the American Hospital Association (AHA), and various major health insurers, feel differently about this significant privacy issue. In a letter from CHIME to Senate and House representatives, obtained by Fierce Healthcare, the group’s President and CEO, Russell Branzell, wrote, “It is essential that healthcare providers have a complete medical history with all relevant information that will help them make clinical decisions. To ensure the highest quality of care, information pertaining to substance use disorder is pertinent.”

The CHIME letter continued, “Unfortunately, under current law, 42 CFR Part 2, SUD treatment and diagnoses are kept confidential from providers which can be extremely problematic when a clinician is attempting to treat someone but is unaware of their prior addiction history. Our members strongly support synchronizing these consent policies, which will reduce the burdens imposed by these two different sets of rules and facilitate consent for the purposes of treatment, payment and healthcare operations pursuant to HIPAA.”

And according to the aforementioned STAT piece, “The groups pushing the measure say that the current restrictions inhibit providers from accessing information critical to providing quality treatment—giving a common example in which a doctor, not knowing a patient has a history of addiction, unknowingly prescribing opioids for pain treatment.”

In the end, the privacy advocates were the side who came out on top, since the proposed amendment to 42 CFR Part 2 never got included in the final version. But digging deeper, the big-picture impact of not including this amendment is also worth exploring.  

It was quite interesting to me that the AMA—the largest association of physicians in the U.S.—was leading the charge against the Part 2 amendment. To this point, it’s important to keep in mind how many physicians feel about EHRs—namely that they add to their workdays, thereby causing increased burnout.

Using this logic, if physicians are not keen on EHRs, one could understand why they would be opposed to this type of data sharing without a patient’s explicit consent. And without that physician trust in the technology—which gets extended down to the patient level as well—it’s quite possible that consent would be tough to get. If that were the case, as the AMA believes, patients might be hesitant to seek treatment for SUD in the first place.

As the debate over patient privacy surely will continue, there are many who believe that the 42 CFR Part 2 law is severely outdated. Indeed, the Part 2 regulations restricting how data of patients with substance use disorders is shared were written in 1975 out of concern that the information could be used against individuals, causing them to avoid seeking needed treatment.  As such, since it is required the patient to consent every time their data was shared or accessed, health information exchanges (HIEs) and others have found it challenging to work around these restrictions. Many HIEs have just avoided the issue during their startup phases.

To this end, the Substance Abuse and Mental Health Services Administration (SAMHSA), part of the U.S. Department of Health and Human Services (HHS), did re-write portions of the Part 2 law in a rule that was finalized earlier this year. But still, those who believe that Part 2 should be aligned with HIPAA do not believe that the rule went far enough at all to solve data sharing issues.

So for now, it’s the patient privacy advocates that continue to hold serve in this ongoing match.

More From Healthcare Informatics

/news-item/privacy/report-privacy-laws-remain-intact-opioids-bill-nears-completion

Report: Privacy Laws to Remain Intact as Opioids Bill Nears Completion

September 25, 2018
by Rajiv Leventhal, Managing Editor
| Reprints
Several health IT trade groups were in favor of a measure that would amend 42 CFR Part 2

As leading healthcare stakeholder groups remain on different sides of the fence regarding patient privacy laws in a sweeping opioids legislation, it’s looking like privacy advocates will win the battle as the bill nears its completion.

According to a report in Politico’s Morning eHealth Newsletter today, “The federal law known as 42 CFR Part 2 prevents the sharing of the sensitive treatment records without a patient's explicit consent. While the House had approved changes in its original legislation, H.R. 6082 (115), they didn’t make it into the Senate version and were ultimately dropped in negotiations.”

Last week, the U.S. Senate passed The Opioid Crisis Response Act of 2018, which includes numerous important health IT provisions. The House passed its version of the legislation in June, and a committee to reconcile the differences between the two is nearing a resolution.

One of the key issues that has remained is whether or not patient privacy laws should be changed so providers could more easily share information about a patient’s history of substance use. According to an article in STAT News, “The AMA [American Medical Association] said it believed there was a ‘fundamental misunderstanding’ among groups working to incorporate the proposal into a sprawling opioids bill. Relaxing restrictions on patient privacy, the AMA wrote, could prevent individuals with addiction from seeking medical treatment in the first place.”

However, other health IT groups, such as the College of Healthcare Information Management Executives (CHIME), the American Hospital Association (AHA), and various major health insurers, feel differently about this significant privacy issue. In a letter from CHIME to Senate and House representatives, obtained by Fierce Healthcare, the group’s President and CEO, Russell Branzell, wrote, “It is essential that healthcare providers have a complete medical history with all relevant information that will help them make clinical decisions. To ensure the highest quality of care, information pertaining to substance use disorder (SUD) is pertinent.”

The CHIME letter continued, “Unfortunately, under current law, 42 CFR Part 2, SUD treatment and diagnoses are kept confidential from providers which can be extremely problematic when a clinician is attempting to treat someone but is unaware of their prior addiction history. Our members strongly support synchronizing these consent policies, which will reduce the burdens imposed by these two different sets of rules and facilitate consent for the purposes of treatment, payment and healthcare operations pursuant to HIPAA [the Health Insurance Portability and Accountability Act].”

Indeed, the federal law, 42 CFR Part 2, keeps mental health records separate from other health records and prevents the sharing of these confidential treatment records without a patient's one-time consent. But many people believe the law is severely outdated since it doesn’t always give providers the whole picture of a patient’s medical history.

According to the STAT piece, “The groups pushing the measure say that the current restrictions inhibit providers from accessing information critical to providing quality treatment—giving a common example in which a doctor, not knowing a patient has a history of addiction, unknowingly prescribing opioids for pain treatment.”

Another letter to lawmakers, this one from The Partnership to Amend 42 CFR Part 2—inclusive of more than 40 organizations that are committed to aligning Part 2 with HIPAA—expressed similar concerns as the CHIME message, urging the 42 CFR Part 2 amendments to be included in the final version of the opioids bill.  

The organizations wrote, “Alignment of Part 2 with HIPAA will allow appropriate access to patient information that is essential for providing safe, effective, whole-person care, while protecting this information with enhanced penalties for unlawful disclosure and use.” It continued, “The Partnership strongly believes that the modernization of privacy regulations and medical records for persons with substance use disorders is a critical component for tackling the opioid crisis and will improve the overall coordination of care in the United States.”

As the debate over patient privacy continues, Politico has reported that the final opioids package could drop as soon as tonight.

Related Insights For: Privacy

/news-item/privacy/house-passes-bill-align-hipaa-42-cfr-part-2

House Passes Bill to Align HIPAA, 42 CFR Part 2

June 22, 2018
by David Raths
| Reprints
Clinicians would be able to access entire patient record, including information about substance use disorders

The U.S. House of Representatives recently passed a bill designed to align 42 CFR Part 2 with HIPAA for the purposes of health care treatment, payment, and operations. One goal of the change is so that care can be better coordinated and providers can have appropriate access to all of a patient’s medical record, including information about substance use disorders.

“Doctors must have the whole picture on a patient’s medical history in order to safely and effectively treat that patient,” said U.S. Rep. Markwayne Mullin (R-OK), sponsor of the bill, in a prepared statement. “This includes any history of substance use disorder. The Overdose Prevention and Patient Safety Act will update the decades-old, outdated law, known as 42 CFR Part 2, which keeps mental health records separate from other health records.  H.R. 6082 will modernize how doctors access their patients’ health records by streamlining 42 CFR Part 2 with current Health Insurance Portability and Accountability Act (HIPAA) regulations. 

Earl Blumenauer (D-OR) co-sponsored the legislation.

“It is encouraging that members of Congress recognize the importance of aligning the treatment of substance use disorder (SUD) records with how all other medical and behavioral health records are managed,” said Pamela Greenberg, president and CEO of the Association for Behavioral Health and Wellness, in a statement. “Clinicians need access to a patient’s full medical history, including substance use disorder records, to assess risks and adequately care for a patient. Our members contend that Part 2 is one of the biggest – if not the biggest – barrier to fighting the opioid crisis.”

ABHW is a health plan association working to improve access and quality of care for mental health and substance use disorders.

 

 

 

 

See more on Privacy

betebettipobetngsbahis