By now most healthcare professionals have been forced to deal with attorney requestors misusing the HHS/OCR guidance on Right to Access in order to obtain copies of their clients’ medical records for litigation purposes at the nominal rates allowed under the Privacy Rule. The Right to Access medical records does not provide attorneys the right to receive an executed Custodian of Records Affidavit that is intended for litigation purposes.
What Is the Intent of Right to Access?
The spirit and intent of HIPAA-defined Right to Access is to maintain high access and low costs for patients – not attorneys. The unfortunate consequence of this misuse is an increased volume of calls from attorneys threatening medical practices when it is the attorneys who do not understand the intricacies of HIPAA and the HITECH Act, and the time and energy invested into producing compliant records. Ultimately, when attorneys misuse the right granted to patients for a copy of their records, someone has to pay the costs to produce those records, and medical practices and providers are left taking a loss on the unpaid portion of the bill.
Since the HHS/OCR guidance in 2016, the health information management industry has seen an increase in attorneys requesting records under the guise of Right to Access and then contacting medical offices asking where the missing Custodian of Records Affidavit is located. They often ask “didn’t you read my request!?”. These requests are familiar to medical staff because they are litigation requests with a twist – they include all the traditional elements of an attorney request with an additional letter from the attorney masquerading as a patient letter because it has been signed by the patient.
What is a Custodian of Records and the Purpose of an Affidavit In Relation to Right to Access?
The Custodian of Records is the person designated by the Covered Entity responsible for keeping records in the ordinary course of business. In litigation, business records, such as medical records, are often allowed into evidence at trial with an affidavit signed by the Custodian of Records which states that the records are true and accurate, complete and maintained in the ordinary course of business. This affidavit is standard and similar across most jurisdictions. This Custodian of Records Affidavit saves the attorney the time and expense of hauling the Custodian of Records into Court to state under oath the same statements listed within the text of the affidavit. However, most attorneys demand this affidavit be completed and signed before a Notary Public when there is no pending court case or when the case will not actually go to trial (and the records will never be seen by a judge or jury).
Completion of a Custodian of Records affidavit takes additional time and resources. It is not appropriate for attorneys to submit requests for an affidavit accompanied by a request under the guise of a Right to Access request truly for the patient. The “reasonable cost-based fees” allowed under the guidance do not begin to cover the actual costs of producing records, nor additional work like completing affidavits. With per physician operating losses growing by 7.5% from 2016 to 2017 alone, it is irresponsible to expect practices and providers to shoulder the additional burden of this cost when HIPAA allows for reasonable fees under a compliant authorization from attorneys.
How Should I Handle Right to Access Requests with an Affidavit component?
Right to Access requests are requests coming from the patient or their personal representative. Additional requests not made by the patient, like in a cover letter from an attorney, are not required to be fulfilled under the Right to Access guidance. This is because the HHS/OCR guidance does not allow Covered Entities or their Business Associates to recoup the labor costs for sifting through these attorney request packets. Your staff may recognize this type of packet as a litigation request that includes an extra letter from the attorney signed by the patient. When a Right to Access request arrives at your organization with supplemental requests, you may fulfill the Right to Access component and invoice according to your chosen reasonable cost-based fee.
Of course, any compliant litigation request, whether it’s via an executed HIPAA Authorization signed by a patient or a subpoena with a Custodian of Records Affidavit should be fulfilled. Additionally, requests should be fulfilled if a patient is representing him or herself in a court proceeding (acting pro se) with a Custodian of Records Affidavit along with a Right to Access request where the patient has asked for this affidavit to be completed.
As a seasoned release of information vendor, ScanSTAT can only speak to our experience of best practices. Consult with your attorney to ensure your practice’s compliance with federal and state law.
Release the Burden of Right to Access Requests
In a rapidly changing industry, it’s difficult to keep up with the changes and nuances of complicated privacy practices like Right to Access. Supporting reasonable and responsible PHI exchange, like a patient’s right to access their medical records and interoperability, is not mutually exclusive with requesting attorneys follow proper established channels for their litigation requests.
If you’d like more information on how to handle complicated Right to Access requests, check out our website for more articles on Right to Access or our White Paper on the burdens Right to Access creates for providers and practices. If you’d like more information on getting rid of the time and energy burden of these requests all together, request a demo today.
This FAQ is for informational purposes only and does not constitute legal advice. Seek your own legal counsel to ensure compliance with federal and state law.