This archived news story is available only for your personal, non-commercial use. Information in the story may be outdated or superseded by additional information. Reading or replaying the story in its archived form does not constitute a republication of the story.
Robert Sznewajs remembers the moment he and his wife, Virginia, heard the stunning news: She was suffering from cancer and did not have long.
"When the doctor said she had three to nine months to live, needless to say, that got our attention. My first thought was, 'We need to go someplace and do something to beat this.'"
He immediately started searching for the best cancer facilities in the country. However, to be considered for admission, Sznewajs discovered that he had to submit his wife's medical records for review.
"I had no idea there were medical records and that we had the right to ask for them. So I went to the medical records department to ask for my wife's records, but was refused. Instead, I was told to make a formal request."
Asking for access to a loved one's medical records may seem like a simple, straightforward request. It isn't.
To avoid the sort of frustration that Sznewajs faced during a time when his energy could've been better focused on his wife's health care and comfort, you first need to understand HIPAA, or the Health Insurance Portability and Accountability Act of 1996.
What Is HIPAA?
- HIPAA is federal law designed to protect your health and medical information from misuse.
- With HIPAA, you have rights over your health information
- Rules and limits are set regarding who can look at and receive your health information
Who Must Comply? Health plan and health care providers that use electronic transactions must comply with HIPAA. This includes doctors, nurses, hospitals, pharmacies, health insurance companies, and government programs covering Medicare or Medicaid.
Providers that do not use electronic transactions (i.e. they still use paper billing, applications, etc.) do not fall under HIPAA.
What Are Your Rights? You can ask at any time for your "designated record set." This includes records that identify you and are used to make a decision about you. Examples are application forms, explanation of benefit forms, claims and medical records. HIPAA does not entitle you to get certain types of records, including psychotherapy notes, records compiled for purposes of litigation and certain clinical lab records.
If covered by HIPAA, organizations must provide copies of the requested records within 30 days (this may be extended another 30 days if a reason is given for the delay). You may have to pay for the cost of copies or mailing.
For better results and follow through, you can make your request directly to the privacy office or privacy officer. You can make a verbal request, but a written request creates a paper trail that establishes the date of request and helps you focus your request to the records that you need.
"The volume is almost overwhelming, but I found that the records contained a wealth of information. For example, some of the notes in the records indicated differences between the treatment that my wife received and what the doctor said to us. It would've been helpful to know what was in those records during consultation to help us with our decisions and to reconcile the treatment with what the doctor was saying," says Sznewajs.
As in Sznewajs's case, because the designated record set can contain thousands of documents, you may need to talk to the privacy officer so that you get the right amount of relevant information.
While you have the right to see and obtain your designated record set, old records or information not directly maintained by that organization may be difficult to retrieve, creating delays.
What You Can Do If You Are Denied If you still cannot get access to your records, you can file a complaint with the privacy office, or directly to the Office of Civil Rights via www.hhs.gov/ocr/hipaa/ or toll-free at (866) 627-7748. Access to Records for Other People OK, remember how HIPAA protects and limits access to your medical and health information? This means your access to other people's information is also restricted--even if you are a family member, as Sznewajs discovered.
As a parent or legal guardian, you are generally allowed access to your minor children's designated record set. However, in certain states, parents must be denied access if their children request that information related to certain sensitive conditions, such as sexually transmitted diseases or drug abuse, be kept confidential.
In addition, parents who have lost their parental rights would not have access to their children's records. For example, a parent who is paying for health insurance coverage but is under investigation by Children's Protective Services can lose his or her right to parent, and thus be denied access to records.
If you are looking after someone but are not a parent or legal guardian of an adult patient, such as a friend or a relative, you may ask for access to records. HIPAA allows a hospital and its staff to provide parents and care-givers access--but does not require them to provide access. Here's where the law gets tricky.
You may be allowed access if providing you this information is in the patient's best interests. For example, if you are looking after a relative or friend who is unconscious, the hospital staff may grant you access to medical records after deciding that providing this information is to the patient's benefit.
If you want access but are denied by hospital staff members who are uncertain about the legalities of providing such information, you can ask to see the privacy officer. Nevertheless, access remains at the discretion of the staff and privacy officer.
Sznewajs eventually obtained his wife's medical records by engaging an attorney to draft a request and to obtain power of attorney for his wife.
To guarantee access to another person's records, you must obtain power of attorney. Power of attorney gives you legal rights over another person's medical information. It also releases the information provider from legal liabilities because permission has explicitly been given by the patient.
The Bottom Line
For access to your own information, know that HIPAA entitles you to your designated record set. To get timely access and relevant information, know your rights, define what you need and discuss your request with the right people in the organization.
"What I was trying to do was to take the stress off the patient, but it was hard to adapt to the legal process. You really have to adapt to the system--the sooner you figure that out and follow the system, the better your state of mind," says Sznewajs. "The process may not be intuitive or logical but does try to protect that information for the right reasons."
For information about others, you may be at the mercy of the discretion of the facility. To guarantee access, obtain power of attorney. Get the power of attorney early so that you can devote your time and energy to the things that matter.
As Sznewajs says, "Then you can concentrate on care for the patient. At the end of the day, that's what we're really focusing on."
Reprinted with permission from myRegence.com