Introduction and AMA booklet:
It seems it is becoming more common for doctors to list things like "malingering," "drug-seeking behavior," "OUD," or "non-compliant" in the Electronic Health Record (EHR) of a chronic pain patient (CPP). Many times patients have no idea these things are even listed in their records. Once in your chart, it could follow you everywhere. So we will answer some basic questions here and hope to give you concrete steps to take. The AMA has an excellent resource, "Patient Records Electronic Access Playbook."
Is my EHR the same as what I see in my patient portal?
No. A patient portal gives you access to some health information, but not all of the information listed in your Electronic Health Record. If you want to know what's listed in your EHR (including doctor's notes), you'll need to ask your provider. We cover steps on how to do that later in this article.
Patient Portal: According to Healthit.gov, a patient portal is "a secure online website that gives patients convenient, 24-hour access to personal health information from anywhere with an Internet connection." Some of the following may be listed in your patient portal:
- Recent doctor visits
- Discharge summaries
- Medications
- Immunizations
- Allergies
- Lab results
Some patient portals also allow you to:
- Securely message your doctor
- Request prescription refills
- Schedule non-urgent appointments
- Check benefits and coverage
- Update contact information
- Make payments
- Download and complete forms
- View educational materials
Electronic Health Record (EHR): According to Healthit.gov, a patient's EHR is "a digital version of a patient’s paper chart. EHRs are real-time, patient-centered records that make information available instantly and securely to authorized users. While an EHR does contain the medical and treatment histories of patients, an EHR system is built to go beyond standard clinical data collected in a provider’s office and can be inclusive of a broader view of a patient’s care. EHRs are a vital part of health IT and can:
- Contain a patient’s medical history, diagnoses, medications, treatment plans, immunization dates, allergies, radiology images, and laboratory and test results
- Allow access to evidence-based tools that providers can use to make decisions about a patient’s care
- Automate and streamline provider workflow
One of the key features of an EHR is that health information can be created and managed by authorized providers in a digital format capable of being shared with other providers across more than one health care organization. EHRs are built to share information with other health care providers and organizations – such as laboratories, specialists, medical imaging facilities, pharmacies, emergency facilities, and school and workplace clinics – so they contain information from all clinicians involved in a patient’s care."
Do I have the right to see my EHR?
YES! Become familiar with HIPAA including Right to Access and Information Blocking under The Cures Act.
Health Insurance Portability and Accountability Act (HIPAA): According to HIPAA, you are entitled to see your Protected Health Information (PHI), which includes Electronic Health Records.
Here are some FAQs regarding your rights under HIPAA to access your records. Some of the information here includes the following:
- Accessing and obtaining copies of one’s health information for one’s own purposes is a right, not a privilege. A disclosing provider or plan covered under HIPAA can refuse access only in very limited circumstances.
- This right extends to a broad array of information, including labs, images, prescription history, physician notes, diagnoses, and similar information.
- The right includes access to an electronic copy of one’s health information contained in an electronic health record (EHR) or otherwise maintained in an electronic format, whenever the provider or its business associate is capable of producing an electronic copy, not just if they are willing to produce such information.
- Functions specified in ONC’s regulations on Certified EHR Technology empower individuals to take advantage of this HIPAA right because ONC’s rule makes transmission by the consumer a required functionality of certified EHR software.
Click here for more detailed information including videos explaining HIPAA.
Right to Access under HIPAA: "The HIPAA Privacy Rule generally requires HIPAA-covered entities (health plans and most healthcare providers) to provide individuals, upon request, with access to protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity. This includes the right to inspect, obtain, or both, a copy, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice. This right applies for as long as the covered entity (or its business associate) maintains the information, regardless of the date the information was created, and whether the information is maintained in paper or electronic systems onsite, remotely, or is archived." In other words, you have the right to access all protected health information with a few exclusions. These exclusions include psychotherapy notes and information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
Information Blocking under The Cures Act: "In general, information blocking is a practice by a health IT developer of certified health IT, health information network, health information exchange, or health care provider that, except as required by law or specified by the Secretary of Health and Human Services (HHS) as a reasonable and necessary activity, is likely to interfere with access, exchange, or use of electronic health information (EHI)." In other words, any action taken to prevent you from accessing your medical records could be in violation of the Information Blocking laws.
How quickly will I get my records once I request them?
"Under the HIPAA Privacy Rule, a covered entity must act on an individual’s request for access no later than 30 calendar days after receipt of the request. If the covered entity is not able to act within this timeframe, the entity may have up to an additional 30 calendar days, as long as it provides the individual – within that initial 30-day period – with a written statement of the reasons for the delay and the date by which the entity will complete its action on the request. See 45 CFR 164.524(b)(2).
These timelines apply regardless of whether:
- The PHI that is the subject of the request is maintained by the covered entity or by a business associate on behalf of the covered entity, or the covered entity uses a business associate to fulfill individual requests for access. The 30-day clock starts on the date that the covered entity receives a request for access, so any delay in obtaining the necessary information from a business associate or forwarding the request to the business associate for action “uses up” part of the allotted time. Alternatively, the 30-day clock starts when, instead of the covered entity, a business associate receives a request directly from an individual because the covered entity instructed the individual through its notice of privacy practices (or otherwise) to submit the access request directly to its business associate for processing.
- The covered entity negotiates with the individual on the format of the response. Covered entities that spend significant time before reaching agreement with individuals on format are depleting the 30 days allotted for the response by that amount of time.
- The PHI that is the subject of the request is old, archived, and/or not otherwise readily accessible.
These timelines are outer limits, and it is expected that many covered entities should be able to respond to requests for access well before these outer limits are reached. However, in cases where a covered entity is aware that an access request may take close to these outer time limits to fulfill, the entity is encouraged to provide the requested information in pieces as it becomes available, if the individual indicates a desire to receive the information in such a manner."
Can they charge me for copies of my EHR?
Yes, they can, but there is a state-specific maximum amount they're allowed to charge. According to AMA's "Patient Records Electronic Access Playbook," "If state law sets a limit on fees, then this amount is considered “reasonable” and you cannot exceed this amount. You are still limited to your costs, however. For example, if state law provides that you can charge $0.75 per page, but your actual copying costs for paper copies is $0.12 per page, then you may only charge $0.12 per page. If state law is silent, then reasonableness would be based on a comparison to your peers. For example, if your costs are triple that of other similar providers (because highly paid staff are doing the copying or you are delivering copies through an expensive courier service), then a patient can claim that your costs are unreasonable and violate HIPAA."
Appendix C (pages 78-89) of the AMA document also lists the maximum allowable charge per state.
What are the steps to getting copies of my EHR?
In today's climate of fragmented health care, we recommend always requesting your EHR including doctor's notes. We suggest the following steps:
- Request your records including all lab reports and doctor's notes. We recommend putting it in writing, and if necessary send it in a certified letter requiring a signature receipt so you have evidence in case they state they never received your request.
- If they refuse or ignore your request, send another letter stating they are in violation of HIPAA and Information Blocking Law under the Cures Act, and request your records again.
- Remember they have 30 days from the time they receive the request unless they inform you they need an extension. If they need an extension, they can have a 30-day extension.
- Keep in mind they may charge you but they have a limit. If you are simply asking to inspect or review your records and not requesting copies, they can't charge you.
- We recommend keeping your records organized in a binder so you can easily find what you're looking for.
Will my doctor punish me for requesting my records or other protected health info (PHI)?
Since you are entitled to your records according to HIPAA, a doctor shouldn't retaliate against you for requesting them. We do suggest you make sure you're not asking for them in an accusatory way. Be respectful and make sure you tell them you're just requesting these for your records at home.
What should I do if there are errors in my EHR?
According to HHS:
- If you think the information in your medical or billing record is incorrect, you can request a change or amendment to your record. We suggest putting it in writing via a certified letter in which you request a signature receipt.
- The health care provider or health plan must respond to your request. If it created the information, it must amend inaccurate or incomplete information.
- If the provider or plan does not agree with your request, you have the right to submit a statement of disagreement that the provider or plan must add to your record.
Do I have the right to see who has accessed my EHR?
The answer is yes, you do, as explained here:
"Under the HIPAA Privacy Rule, an individual, under certain circumstances, has the right to receive an accounting of disclosures — HIPAA Accounting — of that individual’s protected health information (PHI) made by a covered entity in the last six years prior to the date on which the account is requested.
What Information Must be Included in a HIPAA Accounting?
The HIPAA Privacy Rule requires certain information to be included in a HIPAA accounting made by a covered entity. This information must include disclosures of protected health information that occurred during the six years prior to the date of the request of the accounting. The accounting must include disclosures to or by business associates of the covered entity.
An individual may request a HIPAA accounting of disclosures of PHI for a period of time less than six years from the date of the request. If such request is made, the accounting must include disclosures of PHI that occurred during this shorter time period.
Generally, the HIPAA accounting of disclosures of PHI must include, for each disclosure:
- The date of the disclosure;
- The name of the entity or person who received the protected health information and, if known, the address of such entity or person;
- A brief description of the protected health information disclosed; and
- A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure. In lieu of such a statement, the accounting may consist of a copy of a written request for disclosure, if that request was made:
- By the Secretary of the Department of Health and Human Services, to investigate or determine the covered entity’s compliance with this subchapter.
- Under circumstances for which written authorization to use or disclose PHI was not required.
By When Must the HIPAA Accounting be Provided?
The covered entity must provide the requested accounting no later than 60 days after receipt of such a request.
If the covered entity is unable to provide the accounting within the 60 days, the covered entity may extend the time to provide the accounting for up to an additional 30 days, provided that:
- The covered entity, during the initial 60 days, provides the requesting individual with a written statement of the reasons for the delay and the date by which the covered entity will provide the accounting; and
- The covered entity may have only one such extension of time for action on a request for an accounting.
Can a Covered Entity Charge a Fee for a HIPAA Accounting?
Under the HIPAA Privacy Rule, the covered entity must provide the first accounting to an individual in any 12 month period without charge.
The covered entity may charge a reasonable, cost-based fee (i.e., a fee based on costs incurred by the covered entity with respect to responding to the accounting) for each subsequent request for an accounting by the same individual within the 12 month period, provided that:
- The covered entity informs the individual in advance of the fee; and
- The covered entity provides the individual with an opportunity to withdraw or modify the request for a subsequent accounting in order to avoid or reduce the fee."
Content updated by Bev Schechtman 7/19/23