Primary Benefit/Goal: The more engaged a patient is with their healthcare information, such as being able to see their information in writing, the more engaged they are with their care. This leads to higher quality outcomes and higher patient satisfaction.

Guaranteed Access: Patients are guaranteed access to everything in their health records, with few exceptions such as psychotherapy notes, regardless of their billing status or money owed. Information must be provided even if the patient may not understand it and even if a negative reaction is expected from the patient except in circumstances where the information is believed to trigger an extreme response such as self harm or suicide. 

Requests: Patients may request their information at any time. Providers must verify identity of the requester, that the requester is authorized, and must not make the process unreasonably delay or be a barrier to the access of this information.  Providers must provide information in any format requested by the patient if readily producible, including electronically if the information is in a digital format. Unsecured email is OK if patient requests it, though providers should politely remind the patient this transmission method is not secure, then proceed with the request without trying to convince the patient to use a different method. 

Fees are limited: Must be reasonable and cost based; only for labor involved for copying or creating a summary or explanation, cost of supplies, and postage.  No fees are allowed for search and retrieval. Patients must be notified in advance of any fees and providers are encouraged to provide free copies.

Documentation: All requests should be documented and dated in a central location. 

Third Party: The patient has the right to request delivery to a third party but the request must be written and signed by the requester. Electronic or virtual written and signed requests are allowed.  

Duplicate or Repeat Requests: Should be fulfilled. 

Deadline: Information should be provided as quickly as possible but no later than 30 days from the date of request.

From HHS.gov: Free CME Training to Educate Providers about the HIPAA Right of Access

OCR has launched a video training module  for health care providers on patients’ right of access under the HIPAA Privacy Rule.  The video module provides an in-depth review of the components of the HIPAA right of access and ways in which it enables individuals to be more involved in their own care.  The module provides helpful suggestions about how health care providers can integrate aspects of the HIPAA access right into medical practice. Upon completion of this activity, participants will receive free Continuing Medical Education (CME) credit for physicians and Continuing Education (CE) credit for health care professionals.  The program requires registration but is free of charge.

HIPAA does not govern the length of time patient medical records are kept but instead those requirements fall under state law.

In Florida the requirement for keeping medical records is 5-7 years:

• According to Rule 64B8-10.002(3), FAC : A licensed physician shall keep adequate written medical records, as required by Section 458.331(1)(m), Florida Statutes, for a period of at least five years; however, medical malpractice law requires records to be kept for at least seven years.
• From the date of last contact with the patient
• Must include any data used to make decisions for said patient

HIPAA has a requirement that data associated with complying with HIPAA policies be kept for 6 years from the date that HIPAA policy was last used. This includes policies, procedures, assessments, and records of any actions taken to comply with HIPAA policies.

Of special note, this includes:

• Patient authorizations for the disclosure of PHI
• Disaster contingency plans - Covered entities must have contingency plans that establish policies and procedures for responding to an emergency or other occurrence (fire, system failure and natural disaster) that damages systems that contain e-PHI (45 CFR §164.308(a)(7)(i)). 

Other data holding requirements: Beyond these legally required limits patient data should be kept long enough to defend against personal injury or breach of contracts disputes.

Disclaimer - We are not lawyers. You should always consult with a legal professional to determine if you are in compliance with the law, what extra data holding policies they recommend, and what level of insurance you should have to protect your practice. Always check your insurance policy(and provide it to your IT heads or us if we are your external IT department) to make sure you meet its IT requirements for enforcing your policy should you ever need to use it.

*TIP: Hiring an IT company like BeyondITSystems.com to provide managed services which conform to best practices can save you money on your insurance and get you higher limits for less money. It's best to have BeyondITSystems review both your applications as you shop for insurance and your policy once its written to look for specific practices that can save you money and further protect your business.