Introduction and AMA booklet:
It seems it is becoming more common for doctors to list things like "malingering, "drug-seeking behavior," "OUD," or "non-compliant" in the Electronic Health Record (EHR) of a chronic pain patient (CPP). Many times patients have no idea these things are even listed in their records. Once in your chart, it could follow you everywhere. So we will answer some basic questions here and hope to give you concrete steps to take. AMA has an excellent resource "Patient Records Electronic Access Playbook."
Is my EHR the same as what I see in my patient portal?
No. A patient portal gives you access to some health information but is not all of your information listed in your Electronic Health Records. If you want to know what's listed in your EHR (including doctor's notes), you'll need to ask your provider. We cover steps on how to do that later in this article.
Patient Portal: According to Healthit.gov, a patient portal is "a secure online website that gives patients convenient, 24-hour access to personal health information from anywhere with an Internet connection." Some of the following may be listed in your patient portal:
Some patient portals also allow you to:
Electronic Health Record (EHR): According to Healthit.gov, a patient's EHR is "a digital version of a patient’s paper chart. EHRs are real-time, patient-centered records that make information available instantly and securely to authorized users. While an EHR does contain the medical and treatment histories of patients, an EHR system is built to go beyond standard clinical data collected in a provider’s office and can be inclusive of a broader view of a patient’s care. EHRs are a vital part of health IT and can:
One of the key features of an EHR is that health information can be created and managed by authorized providers in a digital format capable of being shared with other providers across more than one health care organization. EHRs are built to share information with other health care providers and organizations – such as laboratories, specialists, medical imaging facilities, pharmacies, emergency facilities, and school and workplace clinics – so they contain information from all clinicians involved in a patient’s care."
Do I have the right to see my EHR?
YES! Become familiar with HIPAA including Right to Access and Information Blocking under The Cures Act.
Health Insurance Portability and Accountability Act (HIPAA): According to (HIPAA) you are entitled to see your Protected Health Information (PHI) which includes Electronic Health Records.
Here are some FAQ's regarding your rights under HIPAA to access your records. Some of the information here includes the following:
Click here for more detailed information including videos explaining HIPAA.
Right to Access under HIPAA: "The HIPAA Privacy Rule generally requires HIPAA-covered entities (health plans and most healthcare providers) to provide individuals, upon request, with access to protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity. This includes the right to inspect, obtain, or both, a copy, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice. This right applies for as long as the covered entity (or its business associate) maintains the information, regardless of the date the information was created, and whether the information is maintained in paper or electronic systems onsite, remotely, or is archived." In other words, you have the right to access all protected health information with a few exclusions. These exclusions include Psychotherapy notes and Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding."
Information Blocking under The Cures Act: "In general, information blocking is a practice by a health IT developer of certified health IT, health information network, health information exchange, or health care provider that, except as required by law or specified by the Secretary of Health and Human Services (HHS) as a reasonable and necessary activity, is likely to interfere with access, exchange, or use of electronic health information (EHI)." In other words, and action taken to prevent you from accessing your medical records could be in violation of the Information Blocking laws."
How quickly will I get my records once I request them?
"Under the HIPAA Privacy Rule, a covered entity must act on an individual’s request for access no later than 30 calendar days after receipt of the request. If the covered entity is not able to act within this timeframe, the entity may have up to an additional 30 calendar days, as long as it provides the individual – within that initial 30-day period – with a written statement of the reasons for the delay and the date by which the entity will complete its action on the request. See 45 CFR 164.524(b)(2).
These timelines apply regardless of whether:
These timelines are outer limits, and it is expected that many covered entities should be able to respond to requests for access well before these outer limits are reached. However, in cases where a covered entity is aware that an access request may take close to these outer time limits to fulfill, the entity is encouraged to provide the requested information in pieces as it becomes available, if the individual indicates a desire to receive the information in such a manner."
Can they charge me for copies of my EHR?
Yes, they can, but there is a state specific max amount they're allowed to charge. According to AMA's "Patient Records Electronic Access Playbook," "If state law sets a limit on fees, then this amount is considered “reasonable” and you cannot exceed this amount. You are still limited to your costs, however. For example, if state law provides that you can charge $0.75 per page, but your actual copying costs for paper copies is $0.12 per page, then you may only charge $0.12 per page. If state law is silent, then reasonableness would be based on a comparison to yourpeers. For example, if your costs are triple that of other similar providers (because highly paid staff are doing the copying or you are delivering copies through an expensive courier service), then a patient can claim that your costs are unreasonable and violate HIPAA"
Appendix C (pages 78-89) of the AMA document also lists the maxi allowable charge per state
What are the steps to getting copies of my EHR?
In today's climate of fragmented health care, we recommend always requesting your EHR including doctor's notes. We suggest the following steps:
Will my doctor punish me for requesting my records or other protected health info (PHI)?
Since you are entitled to your records according to HIPAA, a doctor shouldn't retaliate against you for requesting them. We do suggest you make sure you're not asking for them in an accusatory way. Be respectful and make sure you tell them you're just requesting these for your records at home.
What should I do if there are errors in my EHR?
According to HHS
Do I have the right to see who has accessed my EHR?
The answer is yes, you do, as explained here:
"Under the HIPAA Privacy Rule, an individual, under certain circumstances, has the right to receive an accounting of disclosures — HIPAA Accounting — of that individual’s protected health information (PHI) made by a covered entity in the last six years prior to the date on which the account is requested.
The HIPAA Privacy Rule requires certain information to be included in a HIPAA accounting made by a covered entity. This information must include disclosures of protected health information that occurred during the six years prior to the date of the request of the accounting. The accounting must include disclosures to or by business associates of the covered entity.
An individual may request a HIPAA accounting of disclosures of PHI for a period of time less than six years from the date of the request. If such request is made, the accounting must include disclosures of PHI that occurred during this shorter time period.
Generally, the HIPAA accounting of disclosures of PHI must include, for each disclosure:
The covered entity must provide the requested accounting no later than 60 days after receipt of such a request.
If the covered entity is unable to provide the accounting within the 60 days, the covered entity may extend the time to provide the accounting for up to an additional 30 days, provided that:
Under the HIPAA Privacy Rule, the covered entity must provide the first accounting to an individual in any 12 month period without charge.
The covered entity may charge a reasonable, cost-based fee (i.e., a fee based on costs incurred by the covered entity with respect to responding to the accounting) for each subsequent request for an accounting by the same individual within the 12 month period, provided that:
Content updated by Bev Schechtman 7/19/23