Study Reveals Widespread HIPAA Access Violations

August 22, 2019 | Eric D. Fader | Electronic Health Records | HIPAA | Hospitals

A recent study of 51 healthcare providers and 3,003 institutions, published last week on the medRxiv website, revealed widespread noncompliance with HIPAA requirements regarding patients’ right of access to their own medical records. The study was conducted on behalf of Ciitizen Corporation, a medical records storage platform for patients.

The researchers sent record requests to the 51 providers on behalf of 30 patients who were beta users of the Ciitizen platform, and surveyed the other institutions’ policies and procedures by telephone. Based on the scoring of responses, more than half of the respondents were out of compliance with the HIPAA right of access.

Providers were scored based on whether they accepted record requests by email or fax, sent records by email if requested, provided records within 30 days, and charged only a reasonable fee – all of which HIPAA mandates. In many cases, the researchers had to follow up, explaining HIPAA requirements and sometimes escalating the request to a supervisor, before the records were provided at all. Before these additional education efforts, 85% of respondents in both parts of the study refused (or said they would refuse) to send records by email.

Only 18% of respondents went “above and beyond” by providing the requested records within five days or without charge, or by accepting requests that did not use the provider’s specific form. Overall, 71% of all requests would not have been satisfied in a fully compliant manner without some follow-up, a disappointing result given that the HIPAA rules went into effect in 1996.
