Urgent message: Urgent care providers subject to the privacy regulations of the Health Insurance Portability and Accountability Act of 1996 need compliant procedures for handling patient requests for medical records, including transfer of patient records to other providers.
U.S. federal and state laws require providers to allow patients access to their medical records. This includes records supplied by another provider (e.g., a specialist who has forwarded a report to the primary-care physician) that may be contained within the requested file.
On the federal level, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) not only regulates how patients’ health information is handled to protect privacy but also gives patients the right to see and obtain a copy of their records. In most cases, once a request for medical records is made, a provider covered by HIPAA must furnish a copy within 30 days, which may be extended another 30 days for good cause. During this period, providers must share any notes or records they have created, copies of any test results, and any information provided to them about the patient by another physician if that information was used to determine the patient’s diagnosis and/or treatment. However, health-care providers may deny access to certain records, usually those related to mental health, if they believe that the viewing of these records could endanger the patient’s physical health.
Although most states have similar requirements regarding making medical records accessible to patients, they differ with respect to timing.1 In California, for instance, providers must permit inspection of medical records within 5 working days from the date of request and ensure that a copy of the medical record is transmitted to the patient within 15 days.2
In Colorado, however, hospitals must provide discharged patients with copies of their medical records within 10 days of their request and provide inpatients the opportunity to inspect their records within 24 hours.3 Physicians must provide copies of patient medical records to patients within a reasonable time or 30 days. In Hawaii, the turnaround time is tighter still, with providers required to furnish a copy of a patient’s medical record on request. However, should they fail to meet this deadline, they are allowed a 10-day grace period before being penalized. The list of states with a shorter time period than provided for in HIPAA goes on from there to include Maryland,4 Nebraska,5 Nevada,6 New York,7 Tennessee,8 Texas,9 Virginia,10 Washington,11 Wisconsin,12 and Wyoming.13
For the remaining states, the HIPAA requirements apply either because the state’s laws mirror HIPAA or because they require providers to make medical records accessible within “a reasonable time” or in a “timely manner,” or do not specifically set forth a time period. Under these circumstances, the law is preempted by HIPAA.14
Although states may differ in terms of what records must be produced to the patient on request (the California Medical Association, for instance, requires complete and current information regarding the patient’s diagnosis, treatment, and prognosis), all states agree that patients are entitled to inspect and obtain copies of their records. As a result, patients’ requests for their medical records are to be taken seriously. If possible, providers should have patients sign consent forms agreeing to medical-record release terms prior to treatment to avoid confusion about what materials to produce down the line.
- Idaho, Kansas, Kentucky, North Carolina, and Vermont have no laws specifically granting patients access to their medical records. As a result, the requirements and obligations of HIPAA apply.
- California Health and Safety Code, §123110. Available from: http://www.leginfo.ca.gov/cgi-bin/calawquery?codesection=hsc
- Code of Colorado Regulations 1011-1:II-5.2; Colorado Revised Statutes Annotated, §25-1-802. Available from: https://www.sos.state.co.us/CCR/NumericalCCRDocList.do?deptID=16&deptName=1000%20Department%20of%20Public%20Health%20and%20Environment&agencyID=144&agencyName=1011%20Health%20Facilities%20and%20Emergency%20Medical%20Services%20Division%20(1011,%201015%20Series) and http://www.healthinfolaw.org/node/3225/
- Maryland Code, Health—General, §4-309. Available from: http://marylandcode.org/ghg-4-309/
- Nebraska Revised Statutes, §71-8403. Available from: http://nebraskalegislature.gov/laws/statutes.php?statute=71-8403
- Nevada Revised Statutes, §629.061. Available from: https://www.leg.state.nv.us/nrs/NRS-629.html#NRS629Sec061
- New York Public Health Law, §18. Available from: https://www.health.ny.gov/professionals/patients/patient_rights/access_to_patient_information.htm
- Tennessee Code Annotated, §63-2-101 and §68-11-304. Available from: http://law.justia.com/codes/tennessee/2010/title-63/chapter-2/63-2-101 and http://law.justia.com/codes/tennessee/2010/title-68/chapter-11/part-3/68-11-304/
- Texas Health and Safety Code Annotated, §241.154 and §181.102; Texas Administrative Code, §133.42; and §165.2; and Texas Occupational Code Annotated, §159.006. Available from: http://www.healthinfolaw.org/node/3192/, https://texreg.sos.state.tx.us/public/readtac$ext.TacPage?sl=R&app=9&p_dir=&p_rloc=&p_tloc=&p_ploc=&pg=1&p_tac=&ti=25&pt=1&ch=133&rl=42, http://www.healthinfolaw.org/state-law/tex-healthsafety-code-ann-%C2%A7-181102, https://texreg.sos.state.tx.us/public/readtac$ext.TacPage?sl=R&app=9&p_dir=&p_rloc=&p_tloc=&p_ploc=&pg=1&p_tac=&ti=22&pt=9&ch=165&rl=2, and http://codes.lp.findlaw.com/txstatutes/OC/3/B/159/159.006
- Virginia Code Annotated, §32.1-127.1:03 and §54.1-2403.3; 18 Va. Admin. Code,85-20-26. Available from https://vacode.org/32.1-127.1:03/, http://law.justia.com/codes/virginia/2006/toc5401000/54.1-2403.3.html, and http://www.healthinfolaw.org/node/3205/
- Revised Code of Washington, §70.02.080. Available from: http://www.healthinfolaw.org/state-law/wash-rev-code-%C2%A7-7002080
- Wisconsin Statutes, §146.83. Available from: http://law.justia.com/codes/wisconsin/2014/chapter-146/section-146.83
- Wyoming Statutes Annotated, §35-2-611 and §33-26-402; Wyoming Board of Medicine Rules and Regulations, chapters 3 and 4. Available from: http://www.healthinfolaw. org/state-law/requirements-patient-examination-and-copying-recordswyo-stat-ann-%C2%A7-35-2-611, http://law.justia.com/codes/ wyoming/2011/title33/ chapter26/section33-26-402, and http://wyomedboard.wyo.gov/resources/boardof-medicine-rules-and-regulations
- There are some states with hybrid laws where the HIPAA requirements apply to covered entities, plus additional requirements for entities not covered by HIPAA. For example, in Montana, non-covered health-care providers must give patients access to medical records within 10 days of receiving a written request (Montana Code Annotated, §50-16-541; available from: http://leg.mt.gov/bills/mca/50/16/50-16-541.htm). In Ohio, the law does not specify a time period for access to records maintained by non-covered providers (Ohio Revised Code, §3798.03 and §3701.741;Ohio Administrative Code 3701-83-07 and 3701-84-07; available from: http://www.healthinfolaw.org/node/2549/, http://codes.ohio.gov/orc/3701.741, http://codes.ohio.gov/oac/3701-83-07, and https://www.odh.ohio.gov/en/rules/final/3701-80-to–89/f3701-84.aspx). In Utah, non-covered health-care providers must permit patients to inspect or obtain a copy of records unless access is restricted by law or judicial order, and providers must comply with HIPAA deadlines when providing a copy of a patient’s records (Utah Code Annotated, §78B-5-618; available from http://le.utah.gov/xcode/Title78B/Chapter5/78B-5-S618.html).