Patient Rights
Obtaining a Copy of Patient Health Records
Per the US Federal HIPAA law, a patient or their personal representative is entitled to obtain a copy of the patient's Protected Health Information (PHI) included in the Designated Record Sets of the healthcare organization (Covered Entity). No written authorization from the patient or their personal representative is required.
If a patient or their personal representative requests electronic access to health records that their healthcare provider maintains electronically, the healthcare provider must provide the patient with access to the information in the requested electronic form and format, if it is readily producible in that form and format, or, if not, in an agreed-upon alternative, readable electronic format.
"A covered entity also must provide access in the manner requested by the individual, which includes arranging with the individual for a convenient time and place to pick up a copy of the PHI or to inspect the PHI (if that is the manner of access requested by the individual), or to have a copy of the PHI mailed or e-mailed, or otherwise transferred or transmitted to the individual to the extent the copy would be readily producible in such a manner. Whether a particular mode of transmission or transfer is readily producible will be based on the capabilities of the covered entity and the level of security risk that the mode of transmission or transfer may introduce to the PHI on the covered entity’s systems (as opposed to security risks to the PHI once it has left the systems). A covered entity is not expected to tolerate unacceptable levels of risk to the security of the PHI on its systems in responding to requests for access; whether the individual’s requested mode of transfer or transmission presents such an unacceptable level of risk will depend on the covered entity’s Security Rule risk analysis. See 45 CFR 164.524(c)(2) and (3), and 164.308(a)(1). However, mail and e-mail are generally considered readily producible by all covered entities. It is expected that all covered entities have the capability to transmit PHI by mail or e-mail (except in the limited case where e-mail cannot accommodate the file size of requested images), and transmitting PHI in such a manner does not present unacceptable security risks to the systems of covered entities, even though there may be security risks to the PHI while in transit (such as where an individual has requested to receive her PHI by, and accepted the risks associated with, unencrypted e-mail). Thus, a covered entity may not require that an individual travel to the covered entity’s physical location to pick up a copy of her PHI if the individual requests that the copy be mailed or e-mailed."
While it's reasonable for your healthcare provider to use an existing mechanism (such as their patient portal or secure email) to send you health records electronically, if they insist on sending information ONLY by fax or by mail when they have a copy of your record in an electronic format, they may be in violation of the US Federal HIPAA rule.
If you encounter this issue, you can provide input about your healthcare provider to us using this form. If your input meets the necessary requirements, we will file a complaint on your behalf with the healthcare organization, your State Attorney General's office, and, if applicable, the Office for Civil Rights (OCR) of the US Department of Health and Human Services (HHS), with the intent of resolving the issue so that in the future your healthcare provider will be able to share your health records electronically.
Generally speaking, a healthcare provider should be able to accommodate your request to upload your qualified health records through your Personal Upload Portal if they have an electronic copy of the health record you are requesting and if it's not possible to use their existing tools and mechanisms (such as secure email or a patient portal) to provide your records electronically.
Your provider may warn you about the risk of a third party intercepting the content if they are concerned about privacy and security, or they can offer additional reasonable safeguards (e.g., they can encrypt the files and provide the password separately).
Definitions
Protected Health Information (PHI)
Protected Health Information or PHI is all individually identifiable health information created, received, maintained, or transmitted by a covered entity or its business associate, which relates to:
the patient’s past, present, or future physical or mental health or condition,
the provision of health care to the patient, or
the past, present, or future payment for the provision of health care to the patient,
in any format, whether electronic, paper, or oral.
Designated Record Set
The Designated Record Set consists of the patient's Health, Administrative and Financial Records, and their location information (whether they are paper-based or in electronic systems).
Under HIPAA, a record is any item, collection, or grouping of information that includes patient information and is maintained, collected, used, or disseminated by or for the healthcare organization.
The list of Designated Record Sets must be updated whenever there are changes in the record-keeping systems.
A copy of each list of Designated Record Sets must be retained for at least six years from the date when it was created, or from the date when it was last in effect, whichever is later.