A health care provider has an extraordinary responsibility when it comes to protecting their patient records. Under the Health Insurance Portability and Accountability Act, the HIPAA privacy rule protects a patient's electronic health record from illegal access, with HIPAA violations being punished severely no matter the status of the health care practitioner or medical practice.
But who exactly can access a patient's medical record, and do they always need a written authorization or a written request before gaining access? While all health care providers who are involved in the patient's medical care can access their health records, other entities that the patient has interacted with can also have access to protected health information, even without the need for patient authorization.
The HIPAA rule defines a "covered entity" as someone or a group of people who have a right to access patient records, granted that they have obtained the necessary permissions to do so. While you as a health care provider automatically have a stronger case to access your patient's medical information, keep in mind that accessing this information falls under a very strict set of rules.
However, it's not only healthcare providers who have access to protected health information. Some other entities and organizations have full rights to access a patient's records at any time, specifically if they come in a type of medical record that doesn't identify the patient.
Here's a list of individuals/organizations that have legal rights to a patient's medical information:
As the subject of their own health record, your patients have a legal right to access their own medical records whenever they want them to. Under HIPAA rule, a healthcare provider has a maximum of 30 days to respond to a patient's request for their own medical records before your practice is hit with a HIPAA violation. You may extend this request past the initial 30 days, but you must give a reason as to why it's taking you that long.
A record request by a patient can usually cover everything that they've experienced under your care, from individual doctor notes to physician records about their condition. While most practices today (especially those that use an electronic health record) use a patient portal to disseminate this information, hard copies are still occasionally asked for as backup.
In the case of stay-at-home nurses and other private medical staff, they also have a legal right to a patient's medical chart and other medical records if duly authorized by the patient themselves. Since their role involves the continuation of treatment at the patient's own home, they're classified as a covered entity under HIPAA rules and should be given a copy of patient records once their permissions are verified.
The only time where there can be unauthorized access from this particular group is if the medical records concern a deceased patient. While some parts of the privacy rule still apply with patient information, generally patient authorization is waived if the person can prove they're a family member and can present a death certificate or another legally verifiable record that the patient is deceased.
There are some cases where a patient's medical care isn't confined to a single practice, usually, if a general or primary care doctor recommends their case to a specialist. HIPAA privacy rules cover another doctor as having the right to patient information, though the privacy rule still applies that they need written authorization from the patient that consents to the passing of their medical history/care from one healthcare provider to another.
Keep in mind that you must always obtain a patient’s permission before sharing their medical information with another physician or doctor, even if it’s within your own practice. For example, a departing physician cannot hand off their notes to a new physician even if they’re under the same network without getting patient authorization, even if the incoming physician may have a legal right to those documents. Given the sensitivity of the information contained in a patient’s medical record, the HIPAA privacy rule will almost always rule to keep their information private unless extremely specific conditions are met.
For patients who have purchased or fall under some sort of insurance plan, the MIB also has the legal right to access their medical records. While the purpose of this access is more to determine their eligibility for insurance coverage, it’s still a standing covered entity that can ask for copies of your patient’s medical records. This can be anything general from their medical chart and doctor’s notes under your treatment, to a comprehensive oversight on their medical history and the type of medical care that they’ve gone through.
One thing to note here is that the MIB is explicitly not covered by the HIPAA privacy rule, as the patient signs their own agreements with the organization. As a non-profit entity, the MIB uses medical information to prevent cases of medical fraud and lower premiums for people who want to buy insurance. If the MIB ever asks for your patient’s medical records, check your state and local regulations about how patient authorization works with this request – or ask your patient about the exact permissions that they’ve allowed their insurance company with regards to getting their data.
The federal and state governments have some jurisdiction over a patient’s medical records, and they have a legal right to ask your practice for medical information if required. This is particularly crucial if the patient has a criminal record or has used a medical condition for justification in a court or civil case, as your medical records will be a crucial piece of evidence. Check your federal and state regulations if you need patient authorization to release records, as the involvement of paperwork like subpoenas can make this a confusing area to navigate.
Another common reason why you may need to hand over medical records to a federal organization is when your patient was involved in a workplace accident. In these cases, the federal government (usually through Occupational Safety and Health Administration or OSHA) will ask for patient records about their treatment and any other pre-existing conditions. This is especially crucial if a case is ruled that your patient receives some sort of settlement or payment for their injury, as your medical records can help determine how much they’re eligible to receive.
Medicare, Medicaid, Veterans Affairs, and Social Security disability all have a right to your patient’s medical records since they pay for some or all of their medical expenses. In these cases, the patient usually already gives consent for these organizations to access their data without prior authorization, although there are cases where you may need to make sure that the patient has given them the proper authorization before releasing their records.
Keep in mind that not every entity that pays for your patient’s healthcare expenses is essentially covered by the HIPAA privacy rule, so you need to check with local regulations about the exact permissions that they need to access your patient’s records. In most cases, where the HIPAA rule doesn’t clarify the exact situation, federal and state laws will apply above all else.
As a healthcare provider, you are afforded protection against litigation under HIPAA rule, but keep in mind that these protections are only applicable if you have no HIPAA violations of your own. The key to avoiding this is working closely with your patient to ensure that you have the requisite medical permissions acquired about their health records.
The HIPAA rule gives a patient extensive protection with their own patient medical records, but it also gives a healthcare provider the necessary permissions to access medical information for the necessary reasons. While health information can still technically be leaked to a non-covered entity, using an electronic medical record can help secure a patient's health record even across providers, and give you an idea of the different health care providers that you can request this information from.
Calysta EMR has extensive experience in using innovative cloud-based solutions to protect patient information and their medical history, while also being a partner to any healthcare provider in keeping an accessible database of medical record information. For more information about how we improve patient access to their electronic record, contact us today.
Read more: How Do You Secure A Patient Record?