Introduction and AMA booklet:
It seems it is becoming more common for doctors to list things like "malingering, "drug-seeking behavior," "OUD," or "non-compliant" in the Electronic Health Record (EHR) of a chronic pain patient (CPP). Many times patients have no idea these things are even listed in their records. Once in your chart, it could follow you everywhere. So we will answer some basic questions here and hope to give you concrete steps to take. AMA has an excellent resource "Patient Records Electronic Access Playbook."
Is my EHR the same as what I see in my patient portal?
No. A patient portal gives you access to some health information but is not all of your information listed in your Electronic Health Records. If you want to know what's listed in your EHR (including doctor's notes), you'll need to ask your provider. We cover steps on how to do that later in this article.
Patient Portal: According to Healthit.gov, a patient portal is "a secure online website that gives patients convenient, 24-hour access to personal health information from anywhere with an Internet connection." Some of the following may be listed in your patient portal:
- Recent doctor visits
- Discharge summaries
- Lab results
Some patient portals also allow you to:
- Securely message your doctor
- Request prescription refills
- Schedule non-urgent appointments
- Check benefits and coverage
- Update contact information
- Make payments
- Download and complete forms
- View educational materials
Electronic Health Record (EHR): According to Healthit.gov, a patient's EHR is "a digital version of a patient’s paper chart. EHRs are real-time, patient-centered records that make information available instantly and securely to authorized users. While an EHR does contain the medical and treatment histories of patients, an EHR system is built to go beyond standard clinical data collected in a provider’s office and can be inclusive of a broader view of a patient’s care. EHRs are a vital part of health IT and can:
- Contain a patient’s medical history, diagnoses, medications, treatment plans, immunization dates, allergies, radiology images, and laboratory and test results
- Allow access to evidence-based tools that providers can use to make decisions about a patient’s care
- Automate and streamline provider workflow
One of the key features of an EHR is that health information can be created and managed by authorized providers in a digital format capable of being shared with other providers across more than one health care organization. EHRs are built to share information with other health care providers and organizations – such as laboratories, specialists, medical imaging facilities, pharmacies, emergency facilities, and school and workplace clinics – so they contain information from all clinicians involved in a patient’s care."
Do I have the right to see my EHR?
YES! Become familiar with HIPAA including Right to Access and Information Blocking under The Cures Act.
Health Insurance Portability and Accountability Act (HIPAA): According to (HIPAA) you are entitled to see your Protected Health Information (PHI) which includes Electronic Health Records.
Here are some FAQ's regarding your rights under HIPAA to access your records. Some of the information here includes the following:
- Accessing and obtaining copies of one’s health information for one’s own purposes is a right, not a privilege. A disclosing provider or plan covered under HIPAA can refuse access only in very limited circumstances.
- This right extends to a broad array of information, including labs, images, prescription history, physician notes, diagnoses, and similar information.
- The right includes access to an electronic copy of one’s health information contained in an electronic health record (EHR) or otherwise maintained in an electronic format, whenever the provider or its business associate is capable of producing an electronic copy, not just if they are willing to produce such information.
- Functions specified in ONC’s regulations on Certified EHR Technology empower individuals to take advantage of this HIPAA right because ONC’s rule makes transmission by the consumer a required functionality of certified EHR software.
Click here for more detailed information including videos explaining HIPAA.
Right to Access under HIPAA: "The HIPAA Privacy Rule generally requires HIPAA-covered entities (health plans and most healthcare providers) to provide individuals, upon request, with access to protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity. This includes the right to inspect, obtain, or both, a copy, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice. This right applies for as long as the covered entity (or its business associate) maintains the information, regardless of the date the information was created, and whether the information is maintained in paper or electronic systems onsite, remotely, or is archived." In other words, you have the right to access all protected health information with a few exclusions. These exclusions include Psychotherapy notes and Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding."
Information Blocking under The Cures Act: "In general, information blocking is a practice by a health IT developer of certified health IT, health information network, health information exchange, or health care provider that, except as required by law or specified by the Secretary of Health and Human Services (HHS) as a reasonable and necessary activity, is likely to interfere with access, exchange, or use of electronic health information (EHI)." In other words, and action taken to prevent you from accessing your medical records could be in violation of the Information Blocking laws."
How quickly will I get my records once I request them?
"Under the HIPAA Privacy Rule, a covered entity must act on an individual’s request for access no later than 30 calendar days after receipt of the request. If the covered entity is not able to act within this timeframe, the entity may have up to an additional 30 calendar days, as long as it provides the individual – within that initial 30-day period – with a written statement of the reasons for the delay and the date by which the entity will complete its action on the request. See 45 CFR 164.524(b)(2).
These timelines apply regardless of whether:
- The PHI that is the subject of the request is maintained by the covered entity or by a business associate on behalf of the covered entity, or the covered entity uses a business associate to fulfill individual requests for access. The 30-day clock starts on the date that the covered entity receives a request for access, so any delay in obtaining the necessary information from a business associate or forwarding the request to the business associate for action “uses up” part of the allotted time. Alternatively, the 30-day clock starts when, instead of the covered entity, a business associate receives a request directly from an individual because the covered entity instructed the individual through its notice of privacy practices (or otherwise) to submit the access request directly to its business associate for processing.
- The covered entity negotiates with the individual on the format of the response. Covered entities that spend significant time before reaching agreement with individuals on format are depleting the 30 days allotted for the response by that amount of time.
- The PHI that is the subject of the request is old, archived, and/or not otherwise readily accessible.
These timelines are outer limits, and it is expected that many covered entities should be able to respond to requests for access well before these outer limits are reached. However, in cases where a covered entity is aware that an access request may take close to these outer time limits to fulfill, the entity is encouraged to provide the requested information in pieces as it becomes available, if the individual indicates a desire to receive the information in such a manner."
Can they charge me for copies of my EHR?
Yes, they can, but there is a state specific max amount they're allowed to charge. According to AMA's "Patient Records Electronic Access Playbook," "If state law sets a limit on fees, then this amount is considered “reasonable” and you cannot exceed this amount. You are still limited to your costs, however. For example, if state law provides that you can charge $0.75 per page, but your actual copying costs for paper copies is $0.12 per page, then you may only charge $0.12 per page. If state law is silent, then reasonableness would be based on a comparison to your
peers. For example, if your costs are triple that of other similar providers (because highly paid staff are doing the copying or you are delivering copies through an expensive courier service), then a patient can claim that your costs are unreasonable and violate HIPAA"
Appendix C (pages 78-89) of the AMA document also lists the maxi allowable charge per state
What are the steps to getting copies of my EHR?
In today's climate of fragmented health care, we recommend always requesting your EHR including doctor's notes. We suggest the following steps:
- Request your records including all lab reports and doctor's notes. We recommend putting it in writing, and if necessary send it in a certified letter requiring a signature receipt so you have evidence in case they state they never received your request.
- If they refuse or ignore your request, send another letter stating they are in violation of HIPAA and Information Blocking Law under the Cures Act, and request your records again.
- Remember they have 30 days from the time they receive the request unless they inform you thy need an extension. If they need an extension, they can have a 30-day extension.
- Keep in mind they may charge you but they have a limit. If you are simply asking to inspect or review your records and not requesting copies, they can't charge you.
- We recommend keeping your records organized in a binder so you can easily find what you're looking for.
Will my doctor punish me for requesting my records or other protected health info (PHI)?
Since you are entitled to your records according to HIPAA, a doctor shouldn't retaliate against you for requesting them. We do suggest you make sure you're not asking for them in an accusatory way. Be respectful and make sure you tell them you're just requesting these for your records at home.
What should I do if there are errors in my EHR?
According to HHS
- If you think the information in your medical or billing record is incorrect, you can request a change or amendment to your record. We suggest putting it in writing via a certified letter in which you request a signature receipt.
- The health care provider or health plan must respond to your request. If it created the information, it must amend inaccurate or incomplete information.
- If the provider or plan does not agree with your request, you have the right to submit a statement of disagreement that the provider or plan must add to your record.
Content created by Bev Schechtman on August 1, 2022