A patient walks into the Health Information Management Department to request an electronic copy of his medical records. He completes an authorization form and then hands a USB flash drive to the Release of Information Coordinator, stating that he would like all of his health information placed on the flash drive. The information requested includes electronic as well as hard copy records. Is the healthcare facility required to honor the individual’s request by placing the patient’s health information on this device?
Here are my thoughts…
- According to HIPAA, the covered entity must produce a copy of the electronic record in the form and format requested by the patient. If the form and format are not readily producible, the information must be produced in an electronic format as agreed to by the covered entity and the individual.
- This provision does not require covered entities to purchase new software or systems in order to accommodate electronic requests for a specific form that the covered entity does not currently possess, provided the covered entity can produce a copy of the information in an electronic form.
- In terms of placing all the protected health information on the patient’s flash drive, HIPAA does not require the covered entity to accept external portable media from individuals if it has determined that doing so is an unacceptable risk. On the other hand, the covered entity cannot require an individual to purchase portable media from the facility in order to fulfill the request.
- In this particular case, the patient had a hybrid medical record with the majority of information in hard copy form. According to HIPAA, if a portion of the patient’s medical record is maintained in paper, it does not have to be converted to an electronic format.
- Regardless of how the PHI is produced, the key is for the patient and the covered entity to come to an agreement that is acceptable for both sides. If the individual declines any of the electronic formats that are available, the covered entity must provide a hard copy as an option to fulfill the access request.
What are your thoughts?