Home  |   Subscribe  |   Resources  |   Reprints  |   Writers' Guidelines

February 2019

Medical Record Requests Continue to Challenge Hospitals
By Elizabeth S. Goar
For The Record
Vol. 31 No. 2 P. 14

A study painted a bleak picture of release of information, but hope may be found in a new effort to reimagine the process.

There were few if any surprises in a recent study that found the medical records request processes in US hospitals to be “complicated and burdensome” for the patient, as well as riddled with inconsistencies and largely noncompliant with federal and state regulations. The study, published in JAMA Network Open, also found a lack of transparency and wildly varying fee schedules and timeframes—all despite recent legislation and governmentwide initiatives requiring better patient access to medical records.

“I’ve been working on this topic for at least seven years, and while it has improved, we still have a long way to go in terms of giving patients easy access to their health records. I’m especially not surprised by the disconnect between the forms and phone calls [to facilities],” says Kim Murphy-Abdouch, MPH, RHIA, FACHE, a clinical associate professor at Texas State University, adding that the study revealed “no new concerns.”

Lack of Compliance
In “Assessment of US Hospital Compliance With Regulations for Patients’ Requests for Medical Records,” researchers sought to evaluate the current state of medical records request processes in US hospitals, including compliance with federal and state regulations and ease of patient access. They conducted a cross-sectional study of medical records request processes in 83 top-ranked hospitals.

In addition to evaluating the request forms used by each hospital, the researchers called each facility to ascertain what information can be requested, the formats in which it could be released, how long it took to process requests, and the associated fees.

“We did go into [the research] knowing that patients were experiencing problems, so we knew we’d find barriers. But the problem was much greater than we thought,” says Carolyn Lye, first researcher and a student at Yale School of Medicine. “We know from HIPAA that patients can request their entire record, but only about 53% of hospitals provided that option to patients on their authorization forms—although all said they could provide all records over the phone. This was surprising because hospitals clearly weren’t being transparent to patients.

“Patients shouldn’t have to call to figure out what their rights are,” she adds. “They should be able to figure it out from the primary way they request [the information], which is the authorization form.”

Other key study findings include the following:

• Requestable information: Just 11% of participating hospitals provided the option of receiving physician orders, while nearly 90% provided the option of selecting release of laboratory results. Nearly all (92%) provided the option of an “other” category for requesting information not explicitly listed on the authorization form. When called, all the hospitals said they were able to release entire medical records to patients.

• Formats of release: More hospitals shared in telephone calls than on authorization forms that they were able to release information in person (83% vs 48%) or via fax (24% vs 17%), e-mail (47% vs 33%), and CD (66% vs 42%). Fewer hospitals stated in telephone calls than on the forms that they were able to release information via patient portals (25% vs 40%).

• Costs of release: On the authorization forms, 35% of hospitals disclosed exact costs, 22% said a fee would be charged but not how much, and 43% did not specify any fees. When called, 82 hospitals disclosed costs for paper formats. Of those, 59% stated costs above the federal recommendation of a $6.50 flat fee for electronically maintained records.

• Processing times: Among the telephone calls, 71 hospitals provided mean times of release for paper copies and 10 provided a maximum time of release. Of the hospitals that provided mean times, 21% were less than seven days, 25% were seven to 10 days, 31% were 11 to 20 days, 5% were 21 to 30 days, and 4% were more than 30 days. Of the 81 hospitals that provided times of release, seven had ranges extending beyond their states’ requirements before applying the single 30-day extension granted by HIPAA.

“Other than processing times, it seemed like there was so much variability across formats and costs because each hospital can create its own request process. … Authorization forms looked wildly different across hospitals, with some easy to understand and some confusing,” Lye says. “Just that variability [alone] makes it difficult for patients to request their medical information.”

Lye and her coresearchers hope the study sparks serious discussion about the barriers to patient access. Lye suggests that the next step should be to evaluate the release process from the patient’s experience by evaluating what happens when they request their records.

Until then, she hopes that hospitals will understand that they are creating the barriers to patient access by failing to comply with federal and state regulations and limiting transparency. Correcting these issues not only will increase accessibility but also should reduce costs.

“Patients shouldn’t have to go through so much trouble,” Lye says. “We need to continue to move toward electronic release, which will in turn minimize costs and labor to the health system.”

Alarm Bells
While few release of information (ROI) experts found any surprises in the JAMA study, there were areas of concern. For Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, vice president of privacy, compliance, and HIM policy for MRO, a member of the Association of Health Information Outsourcing Services, most alarming was the “discordance between information provided on authorization forms and that obtained from the simulated patient telephone calls in terms of requested information, formats of release, and costs.”

She notes that, because most hospitals with EMR systems have created a “record abstract queue,” the information released electronically should be consistent. Additionally, the presence of a “complete legal record queue” should regulate consistency if the full legal medical record is requested.

Also concerning were the findings that requested health information was not provided to patients and/or to their stated representative, Bowen says, adding that “disconnects can occur when a generic authorization is received—for example, ‘for any and all information.’”

However, a simple follow-up call to the requester will clarify exactly what is needed and whether an abstract is sufficient, she says. This will help ensure that requesters are “obtaining the correct information instead of sending unnecessary pages of electronic printouts of administrative records [such as] daily medication administration records or daily labs when the cumulative summary may provide the detail needed,” Bowen says.

Compliance issues also can arise when a hospital’s ROI policies and procedures are outdated and in-house staffs don’t stay up to date with both federal and state regulations. When ROI is outsourced, a review of the policy and procedures for covered entities and business associates should be conducted to ensure agreement before staff training occurs.

“As to the compliance around costs and processing timeframes, this should be stipulated either in the facility’s policy and procedures or the agreed-upon policies of the ROI process if outsourced,” Bowen says.

Murphy-Abdouch was most concerned with the study’s revelation that little progress had been made in differentiating between requests from patients and those from others, such as health plans and attorneys. It demonstrates a disconnect and a lack of understanding about patient rights when it comes to their medical information, she says.

“Access to patient health information is a customer service issue,” Murphy-Abdouch says. “The way to improve patient communication is to consider it part of what we do in health care. We take care of the patient, and that includes access to their health record. But unless we have some sort of education campaign on a broad scale, it’s not going to get better.”

Even small steps can help, such as requiring frontline staffers to recite a brief script when asking patients to acknowledge receipt of the notice of privacy practices (NPP).

“Patients are asked to acknowledge receipt of the NPP, but are often asked to ‘sign the HIPAA form,’” Murphy-Abdouch notes. “We suggest that patients be advised as follows: ‘This is our notice of privacy practices. It describes how your private health information may be used and shared. It also outlines your health privacy rights to receive a copy of your health information, correct any errors you may identify, and to limit who has access to your health information.’”

Reimagining the Process
Despite the lack of progress when it comes to improving the overall ROI process, there is a bright spot on the otherwise grim horizon. In September 2018, a group of HIT experts led by X4 Health unveiled the “Health Record Request Wizard,” a prototype tool that streamlines and simplifies the records request process and promotes digital formats.

Supported by a grant from the Commonwealth Fund, the Wizard is a digital smart form utilizing branch logic and skip patterns to help consumers articulate what they need, in what format, and by when. The result is a highly specific, HIPAA-compliant document delivered to the provider’s medical records specialist.

The Wizard builds on the model form previously created by AHIMA, which also collaborated on its creation. The development of the Wizard involved testing with both consumers and HIM professionals, input that allowed the group to reimagine the way consumers request records rather than simply walking them through filling out the form, according to Christine Bechtel, president and chief strategist with X4 Health.

“Hospitals and many health care providers view HIPAA as a big scary thing, and because of that their default position is often ‘HIPAA means no,’” she says. “The No. 1 driver of hospital behavior is a view that HIPAA must be complied with at all costs, even at the [expense] of patient care coordination. [It’s] why no one has introduced innovation into the HIPAA form in decades.”

Bechtel envisions the ROI process as a chance to improve care. “What if we view medical records requests as an opportunity for better patient and family engagement?” she asks.

In fact, when the group developing the Wizard shared the results of its consumer focus group, which was made up of men and women who had requested their own or a family member’s health record within the previous 18 months, with a group of HIM professionals, “they were flabbergasted to learn that the traditional HIPAA form wasn’t working for anyone,” Bechtel says. “Medical record specialists are diligent, hard-working people who are trying to meet these requests, but the systems they work with make it very challenging, and the form patients fill out is problem No. 1.”

The Wizard prototype, which is live, is intentionally designed to operate without requiring integration with an EMR. It walks users through the following 12 basic steps to ensure they are getting precisely what they need, how they need it:

• Determine which institution/data source the requester is inquiring about.

• Collect information about who is making the request.

• Collect information about whose data are being requested.

• Determine what data are being requested, and why (optional).

• Determine the timeframe of the request.

• Select the types of records being requested.

• Determine deadlines for receiving the request.

• Determine to whom the data are to be delivered and how.

• Collect additional supporting documentation if the requester isn’t also the patient.

• Collect information to support the requester’s remote identity verification.

• Generate a well-structured request form and send to the medical records department for processing.

• Generate and e-mail a PDF copy of the request to the requester.

“The challenge everyone runs up against is that, as a patient or a family caregiver, we don’t understand the implications of what we are asking for, so we ask for our full record and the institution has to default to the lowest common denominator, which is the paper record,” Bechtel says.

It’s why hospitals are “stuck in the paradigm of paper right now. That’s their predominant way of thinking,” she adds. “The Wizard starts with options and builds in skip logic because understanding what consumers need can lead to an exquisitely clear request for records.”

To encourage adoption of the Wizard, one of the collaborators, Swellbox, has offered to host the solution for up to five hospitals or other data holders. It will make the tool available at no cost to any interested organization.

“This is not a technology we at X4 Health are selling. We just want to get the word out that everything anyone could possibly need to build a version for themselves is available right now,” Bechtel says. “I couldn’t care less if it’s this exact tool, how it looks, or who builds it. What we did was to give the industry a great starting point that is deeply informed by consumers and HIM professionals, so we hope everyone takes what we learned from this implementation and makes it better.”

— Elizabeth S. Goar is a freelance writer based in Tampa, Florida.


Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, vice president of privacy, compliance, and HIM policy for Association of Health Information Outsourcing Services member organization MRO, identified the following areas where better communication could improve the release of information process for all parties.

• Make patients more aware of their rights when requesting health information.

• Ensure health information is shared automatically through continuing care data (CCD) elements. Patients should seek out health care settings with the ability to collect CCD elements within their EHRs.

• Provide more patient education regarding the use of patient portals. Ensure that information will be added to the portal in a timely fashion. These “open note” efforts should continue in an effort to provide patients with access to their health information and better coordinate their care.

“For example, the 21st Century Cures act has proposed that there be an API [application program interface] available and that the patient record [be] made available to the API without special effort. But first the patient must be taught how to use the information via an API,” Bowen says. “More stories should be published for patients, educating them on why it is paramount to their health and health outcomes.”