HIPAA’s inspect and copy requirement
HIPAA Weekly Advisor, April 19, 2002
Q: Our hospital has had a procedure for patients to request a copy of their medical record for a long time, so we thought we were in good shape to support HIPAA's "inspect and copy" requirement. Now I'm hearing some hospitals talk about giving patients access to their computerized medical record and other systems, rather than the paper record. I'm confused. Are we OK or not?
A: It is likely you'll need to review and revise organizational procedures surrounding inspection and copying of records to reflect today's realities and HIPAA's regulations.
The HIPAA privacy rule grants individuals the right to inspect and copy an organization's "designated record set." It's a basic privacy principle to allow patients to see what personal data an organization keeps and uses. It's similar to the principle in the Fair Credit Reporting Act that lets you see your own credit report.
The rule carefully avoids limiting this data to the medical record for several reasons. We all know that confidential data is kept in many places and forms in addition to the medical record. Also, HIPAA requirements apply to entities other than hospitals. For example, health care insurers have medical data, but not necessarily a comprehensive medical record for each beneficiary. So the HIPAA rule-writers had to use more generic language.
Keep in mind that we have the privacy rule because of increased risks associated with standardization of electronic data. So, the emphasis is on the information scattered throughout our electronic systems, but does not ignore the risks to private information on paper.
Here is a key portion of the definition of a "designated record set" from the privacy rule § 164.501:
"A group of records maintained by or for a covered entity that is: i. The medical records and billing records about individuals maintained by or for a covered health care provider ii. The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or iii. Used, in whole or in part, by or for the covered entity to make decisions about individuals."
Therefore, each hospital must carefully consider and define exactly what records, and perhaps which computer systems, make up its official designated record set. Based on the above definition, this includes more than just the medical record. The method of inspection may vary. For example, the rule preamble states that requests to inspect information maintained electronically can be satisfied by "print[ing] a copy of the information and allow[ing] the individual to view the print-out on-site."
Methods of copying may also vary. The preamble states that "if the covered entity maintains health information electronically and the individual requests an electronic copy, the covered entity must accommodate such request, if possible."
Editor's note: Excerpted from the April 2002 issue of Briefings on HIPAA and answered by Kate Borten, CISSP. Since managing the first comprehensive information security programs at Massachusetts General Hospital in the mid '90s and later at CareGroup, Kate formed The Marblehead Group, Inc., a national security and privacy consulting firm focused on the healthcare industry. If you have a question for her, send an e-mail to HIPAA Weekly Advisor editor Brian Driscoll at bdriscoll@hcpro.com.