Sharing our standard Patient Access Request
Have you ever filled out a HIPAA Authorization? It might have been called a “HIPAA Release Form” or an “Authorization to Disclose Medical Records” or any number of other confusing titles. In all likelihood, you’ve signed one as a user of the US healthcare system.
These forms let covered entities (like doctors or hospitals) share your medical records. And because there is no standard template for HIPAA Authorizations, most hospitals write their own versions. Here are a few examples for you to look at.
There’s something you should know about HIPAA authorizations though: you don’t actually need one to access your own medical records. In fact, it’s illegal for hospitals to require you to sign one before giving you your medical records.
As a patient, you already have a right to access your medical records. That’s a key tenet of HIPAA. So having to sign an authorization to view your own information is sort of like being asked by a bank to sign a document authorizing them to give you your money back. It’s unnecessary and redundant.
Patients still need to formally request their medical records though. Last year, the Department of Health and Human Services (HHS) confirmed that a patient’s request “must be in writing, signed by the individual, and clearly identify the designated person and where to the send the [Protected Health Information].” Those are more lenient requirements than those for HIPAA Authorizations, but at the end of the day you’re still signing a form to get your medical records. Is there really a big difference?
Yeah, there is. Signing a HIPAA authorization may not just be an inconvenience. It also may not mandate hospitals to respect your rights under HIPAA. In the same guidance from last year, HHS provided a table showing the differences between a HIPAA Authorization and a “Right of Access” (the patient access request). As seen in the image below, HIPAA Authorizations do not bind hospitals to the same timeliness and fee limitations.
So to confirm, if you sign a HIPAA Authorization, your hospital may be able to take longer than 30 days to give you your medical records or charge excessive fees in exchange for the information. That’s a big deal.
At PatientBank we help people gather and share their medical records — now from over 5,000 distinct healthcare facilities. And for months we’ve generated requests for patients using a template we developed that qualifies for all of the protections listed in HIPAA. We call it a Patient Access Request.
In an attempt to simplify and formalize this process — both for patients requesting information and medical records departments responding to requests for information — we are sharing our Patient Access Request with the public. We’ve had our form vetted rigorously by lawyers, and we hope open-sourcing it will benefit the system in two major ways:
- It will make it easier for patients to request their medical records.
- It will provide a standard for patient requests that medical records departments can trust.
This release is only the first version of our Patient Access Request, and we expect it to evolve as we receive feedback — especially from medical records departments across the country.
For now, take a look and try using it to request your medical records. And let us know how it goes! The PatientBank team would love to hear from you via email at support@patientbank.us or on twitter @patientbankhq!
