Medical Records: Privacy and Access Rights Granted by HIPAA
Listen to the podcast to hear Deven discuss:
what HIPAA is and what it was created to do
how HIPAA guarantees people access to their health information
tips for requesting and then keeping track of your medical records
Learn more about Ciitizen.
Deven McGraw is the chief regulatory officer for Ciitizen, a tech company creating a platform that helps people collect, organize, and share their medical records digitally. Before joining Ciitizen, she directed U.S. health privacy and security policy as deputy director for health information privacy at the Department of Health and Human Services Office for Civil Rights, the office that oversees HIPAA policy and enforcement. She also served as acting chief privacy officer for the Office of the National Coordinator for Health IT. McGraw also served as an adviser to the Patient-Centered Outcomes Research Network, as well as the All of Us Research Initiative.
— Last updated on June 29, 2022, 2:47 PM
Jamie DePolo: Hello. Thanks for listening. Our guest today is Deven McGraw, the chief regulatory officer for Ciitizen, a tech company creating a platform that helps people collect, organize, and share their medical records digitally. Before joining Ciitizen, she directed U.S. health privacy and security policy as deputy director for health information privacy at the Department of Health and Human Services Office for Civil Rights, the office that oversees HIPAA policy and enforcement. She also served as acting chief privacy officer for the Office of the National Coordinator for Health IT. Deven also served as an adviser to the Patient-Centered Outcomes Research Network as well as the All of Us Research Initiative.
Today, we’re going to talk about medical records and HIPAA. Deven, welcome to the podcast.
Deven McGraw: Thank you very much. I’m glad to be here.
Jamie DePolo: So to start, most people know the acronym HIPAA, but I’m willing to bet that not everyone knows what all those letters stand for. So you were one of the people that was around when HIPAA started. Could you tell us the full name of it and exactly what the act aimed to do?
Deven McGraw: So HIPAA actually stands for the Health Insurance Portability and Accountability Act. So the I is for insurance and the P is for portability. Not for privacy and information privacy. So it’s interesting to think about how we got out of that statute the set of privacy rules that now govern health information held by our doctors and our hospitals and our health plans. It’s because there were a set of provisions in that HIPAA statute that were intended to take some administrative costs out of the healthcare system by digitizing and standardizing the payment transactions that take place every day between health insurance plans and doctors and hospitals.
Because Congress recognized that digitizing that data might create some privacy risks, they said to the Department of Health and Human Services, please come up with regulations to protect the data that we are now going to be digitizing and standardizing. So therefore, the Department of Health and Human Services took several years actually, but in 1999 they established the very first versions of the privacy and security regulations that protect health information in most doctors’ offices and all hospitals that are collected by health insurance plans.
HIPAA as we know it actually came out of an insurance portability statute, which is interesting.
Jamie DePolo: It is. HIPAA was specifically aimed at electronic medical records. It really wasn’t being talked about before things started being digital.
Deven McGraw: No, that is absolutely true. However, the regulators recognize that data isn’t just digital. There were still a lot of paper records being used by hospitals and by doctors’ offices. So the HIPAA privacy rule actually is what I like to call medium agnostic, which means it covers all data in any form, whether it’s on paper, whether it’s in spoken form, or whether it’s actually in digital form. The HIPAA security rule sets out detailed expectations around electronic data, but you’re absolutely right that the whole genesis of HIPAA way back in 1996 was about, “We’re digitizing data.” Suddenly, we need to protect it.
Jamie DePolo: Okay. So the privacy angle of HIPAA is what people seem to talk about the most. That’s where they seem to connect it. But what I think a lot of people don’t know is that HIPAA also guarantees people access to their medical records in a timely manner. So could you talk a little bit about that?
Deven McGraw: Oh, absolutely. It has been part of the HIPAA privacy rule that individuals have the right to access their health information and get copies of it really from the very beginning, from way back in 1999. I actually have to give a huge amount of credit to the regulators at the time for recognizing that this right of people to access their information was as important as protecting it.
Jamie DePolo: So could you talk about the timeliness, because I don’t know that a lot of people know that they can request their records and that the entities really have… there is a time limit on when they need to get back to people if my understanding of the Act is correct.
Deven McGraw: Oh, your understanding is absolutely correct. The elements of the right of access are extensive. I think there are a lot of people that don’t fully understand the scope of their rights. You have a right to get a copy of your health information within 30 days of requesting it. You also have the right to get that information in the form or format that you want it in. So if you like to keep a paper binder of your health information you can get it on paper. If you would prefer that it be sent to you by email so you can keep it in your computer or send it to you on a CD you can get it that way. You get to choose, as an individual, how you want your records in the way that’s most convenient for you, as long as they have the capability to give it to you in the way that you’re asking.
Again, you have the right to get it in 30 days, and you have the right to get it without being charged an exorbitant amount of money for it. Entities can charge reasonable cost-based fees, but only to the extent it’s necessary to cover the labor associated with making that copy. So back in the paper days that meant how much time did it take for somebody to stand in front of a photocopier and make copies of every single page. But in the digital era, how much labor does it take to actually make a copy by pressing a button to sort of download something or upload it onto a CD or press go and press send on the email. It’s very little. So the amount that they can actually charge by law is very small, and in fact, we’re seeing that most institutions don’t charge patients at all because they want to do right by patients, I think for many of them, but also because the amount they could charge is so small it’s actually not worth doing.
Jamie DePolo: That makes sense. Now, do you know at this point in time, are pretty much all facilities and providers using electronic medical records or are some places still using paper?
Deven McGraw: There are some physician practices that are still using paper. Most hospitals that I know of, in fact it could be as high as 99% — there’s always some that are not — but for the most part all hospitals are using electronic medical records. Now, most physician practices are. The number who are not is very small. Oftentimes, it’s a lot of providers who are getting ready to transition to retirement and the effort to adopt electronic medical records is not insignificant, and they just are sort of ready to finish out their lives as doctors and not maybe go the route of electronic medical records. But there’s significant financial incentives from the federal government to adopting those records, and they were enormously successful at spurring the healthcare industry to adopt electronic medical records.
So it’s pretty rare now to walk into an office or a hospital and not see computers as opposed to those files that we used to see, the paper files that we used to see when we went to the doctor even as short a time ago as 5 years ago.
Jamie DePolo: I guess the issue that I sometimes have is a lot of the different providers I go to use different systems. So I have a portal for this doctor and a different portal for that doctor and yet a third portal for another doctor. From my end, I find it can be difficult just to keep track of accessing all the different types of electronic medical records systems that the different doctors choose to use.
Deven McGraw: And much less remembering your password.
Jamie DePolo: I think this is probably reducing competition and things like that, but is there any move to sort of standardize that at all? Is that being talked about?
Deven McGraw: Absolutely. A couple of things to note, so the information that’s in each of those portals that you have at all of the many doctors that you see is actually just a snapshot. It’s important information for you, but it’s not actually all the information that you have a right to.
You have a right, under HIPAA, to way more information than is exposed to you in those portals. The federal government has initiatives underway to increase the amount of information that will be in each of your portals so that you can see your X-ray images and you can see the note that your doctors and your nurses may have made for your last hospitalization, everything, your pathology report, everything that you would have a right to should ultimately be in that portal. Today, they’re not required to be but in the future they will be. So one could argue that the problem might actually get worse. Now you have way more information but you have it in five different places.
The other thing that the federal government has proposed is requiring the electronic medical records to basically have pathways, application programming interfaces, APIs, that will enable you to hire an app or a service to go in and collect all of your data from all of your portals so that it’s centrally all in one place. This is something that Ciitizen is doing. Collecting all that data for you so that you only have one place where you need to go and all of your data is in one place.
So they’re not going out and telling all the doctors you have to use only this one portal. The standard way that they have to make these pathways available will be a requirement so that you as a consumer, you as a patient, can choose the service that you want to use and then have all of your information routinely collected by that app on your behalf. You can then use it and share it as you see fit, which gives patients a tremendous amount of power that today they lack because their data is in five different portals. It's not all the data they have a right to, and yet they want to take more control of their health, they want to seek out other treatment options. They want to make sure their data is made available for research programs that they care about.
So the environment is going to change for the better really soon. We expect these rules that were proposed by the federal government earlier this year to be finalized either close to the end of this calendar year or maybe sort of leading into the first quarter of 2020, and then within 2 years, all those capabilities are supposed to be installed throughout the country.
So change is afoot and it’s going to be… the environment I think will look very different for patients and their data in the next 2 to 3 years.
Jamie DePolo: I know your company, Ciitizen, as you said, you’re working to develop a way for people who have been diagnosed with cancer to gather and manage all the medical records from the different doctors and hospitals. But what if somebody has a disease other than cancer or doesn’t really have a disease at all, just wants to gather all the health updates and their annual physicals. What are some other ways people can request and then keep track of their medical records? What would you suggest?
Deven McGraw: I encourage people to get copies of their medical records even though it is an investment of time today, because we don’t have these automated capabilities in place yet, the ones that I just talked about. You can get your records from all of your medical providers.
My tip for people is, number one of course, to get those records because they will be enormously helpful for you. To ask the provider — so if it’s a doctor’s office it might just be the nurse if it’s a small practice, but if it’s a larger practice or a clinic or a hospital they have a medical records department. You go to the medical records department and say, “I’m a patient and I want copies of all of my medical records.” Let them know a time span from when you’ve been seen: “I would like all my medical records from my last year,” “I would like all my medical records from my last 5 years.” Say you’re trying to catch up. You haven’t done this routinely and you want to get all the records because you need them.
You don’t have to give a reason. If you want them, you can get them. Then tell them how you want to get them. Do you want them mailed to your house? Do you want them sent to you by email? Within 30 days you should get those. If they’re going to charge you, they have to give you an estimate of how much it’s going to cost, and if you get that estimate and it looks like the fee is too high, like it’s hundreds of dollars, that’s too much money. Chances are the entity is not following HIPAA.
If they refuse to give you your records in the format you want or if they refuse to give you your records in 30 days, then we encourage people to actually file a complaint with the Office for Civil Rights at the Department of Health and Human Services in Washington DC. They have an online forum for people to do that because it is your right to get these records. The government is taking a stronger stand at enforcing those rights and recently actually had an enforcement action that they announced where they fined a hospital because they were declining to give a patient the records that she was requesting. So this issue is getting a lot more attention.
I think it’s becoming easier for people to get their records, but it is your right to get them cheaply. It is your right to get them in 30 days. It is your right to get them in the form or format that you want, unless you’re asking for it in some crazy format that someone can’t produce.
Jamie DePolo: Stone or tablet or something like that.
Deven McGraw: Yeah right, can you please send them by carrier pigeon? That might be a little bit much. But if you’re getting them by mail or you want them by email or you want them sent to you on a CD, you make that request and they’re required to honor it. So I would encourage people to do that.
Jamie DePolo: Now, when people are getting these records or requesting these records, you mentioned CT scans or X-rays. Are those able to be sent now or is that something that is coming in the next year or so?
Deven McGraw: They’re not available in portals today but they are part of your right of action. You can ask for them to be sent to you. Usually, those files are very large and they probably need to be sent to you on a CD or some sort of portable media like again, a compact disc, or a thumb drive. You might have to buy one of those. The institution might charge you.
I will say that the hospital won’t take your thumb drive and load it up with your X-rays, because if they insert that thumb drive into their system they have introduced the potential for viruses or malware that might be on your drive. So they won’t take somebody else’s portable media and install it in their system. But if you ask them to send it to you on a thumb drive or some sort of disc they should be able to get that for you. Then you’ll be able to get copies of those images for yourself. You can keep them on the disc or upload them on to your computer or in some sort of cloud storage if you use it to store larger files.
You have the right to get them now, you’ll just have to get them in some sort of portable media because files are really large and they’re not available in portal, at least not yet.
Jamie DePolo: And what about, I know this could take some tracking down for some people. What if they’ve never collected their health records and now think that would be a good thing to do, but then they have to actually go back and figure out all the doctors that they’ve seen and all the institutions that they’ve been to. Or is it easier to start with, “Let’s just start now and I’ll collect with everything that happened in the last year and go forward.”
Deven McGraw: I tend to encourage people to certainly start with what you know from the last year because that’s going to be a little bit fresher in your mind. That’s not going to work for some people. I mean, I know people who have had a cancer diagnosis that the treatment worked for them and they’re in remission and it’s been a couple of years, and they’re thinking, “I really would like to get copies of those records from my first treatments because I might need them down the road.” So they do have to kind of go back and try to reconstruct what happened. One potential source that can be very helpful in sort of rediscovering the roadmap of your health, which providers you saw, are your health plan records, because unless you were not insured at the time of your treatment there was a claim submitted by every single provider who saw you to your health plan, and your HIPAA right of access also extends to your health plan records.
Jamie DePolo: I didn’t realize that. Okay.
Deven McGraw: You can ask for the records of your healthcare claims or those explanation of benefit notices that you get in the mail and some people keep them. I used to keep them. I don't know why I kept them, but I did used to keep them. Even if you don’t keep them, they are a record that you can go back to. It may help you sort of rediscover the breadcrumb trail of all the places where you were seen and all the healthcare providers who took care of you so that you don’t just have to rely on your own memory, which, depending on the passage of time, may not be as good as it once was. It’s tough sometimes, I think, for people to reconstruct all of that.
Again, we’re finding with our users that they know the name of places where they received care but may not necessarily remember the names of all of the physicians that they saw. But most of the time the hospital will have the record of the care that was delivered, and you won’t necessarily need to remember the names of the individual doctors. But again, the health plan records could be a clue to where you were seen if you don’t remember.
Jamie DePolo: That’s a great point. I had not considered that because I guess I’m imagining, too, especially if someone was diagnosed with cancer 5, 6, 7 years ago, had treatment, is at a state of no evidence of disease, and kind of doesn’t want to think about that because it was so unpleasant, just contacting the insurance company sounds like a very great way to start for things that are several years old.
Deven McGraw: Definitely. Again, we call it the breadcrumb trail. Where were you? Where were you seen? The health plan, again, unless you were paying out of pocket for your care, which is unlikely paying fully out of pocket for your care, which is unlikely in the case of most serious illness, the health plan will know where you were.
Jamie DePolo: Now, is there any limit on how far you can go back?
Deven McGraw: Yes. It’s not a limit in the law, but it’s a limit because institutions and physician practices don’t keep records indefinitely. There is not a federal law that sets a single standard for how long they need to keep records. Usually that’s a matter of state law, and it tends to vary, but I think for care, more than 10 years ago, it’s extremely hard to get those records. They just may not exist anymore, which is another reason why we encourage people to get the records now because if you wait too long they may no longer exist. They may have been destroyed. That would be unfortunate, particularly if you had a recurrence of an illness and wanted to go back to the records from your initial treatment and they’re no longer available.
Jamie DePolo: That’s an excellent point. Deven, thank you so much. This has been really informative and helpful. I think a lot of people are going to benefit from the information you’ve shared.
Deven McGraw: Great. I’m glad that I could be helpful, and I thank you for the opportunity to talk about this.