GAO Opens Pandora's Box of Records Access, Finds Variable Fees, Widespread Frustration

A new report by a government agency documents apparent widespread noncompliance by providers regarding giving patients and family members access to their medical records. Excessive fees, tardiness and inappropriate denials are among the problems identified by the Government Accountability Office (GAO).

These issues persist even though two years ago the HHS Office for Civil Rights (OCR) published several explicit guidance documents regarding access requirements and rights (RPP 2/16, p. 1). At least since 2014, RPP has also highlighted these and other instances of provider failures (RPP 6/14, p. 1). GAO stopped short of suggesting any remedies, and OCR officials offered none when asked to comment on a draft of the report, save for the possible issuance of guidance on one aspect of fees.

RPP also contacted OCR directly to comment on the report and answer some questions, but an agency spokeswoman did not provide responses prior to deadline.

Former OCR regulator Deven McGraw was one of the agency’s strongest advocates for patients and was intimately involved in drafting the 2016 guidance. She tells RPP that although the landscape painted by the report is “disappointing,” GAO presents an accurate representation of problems afflicting patients and providers regarding access. McGraw also argues that the report offers “ammunition for those who want to use it,” particularly for advancing electronic access to records, especially through patient portals. She is now the chief regulatory officer for Ciitizen, a personal health records start-up.

But the report struck a nerve with Chris Carpenter, founder of a records retrieval firm, who declares that it “reads like a crime story with no ending.” Carpenter, founder of ChartSquad, a five-year-old firm that works exclusively for patients, has been battling with varying degrees of success all the access problems GAO laid out in the May 14 report.

Carpenter tells RPP that OCR needs to devote more resources to enforcement and should take a more global approach when investigating complaints. “Clearly, it’s a sizeable issue that places a considerable burden on the public,” he says of access problems.

The right to access one’s medical records or those of a family member and under other circumstances is part of the HIPAA privacy rule, which falls under OCR. Although it sounds simple, the situation has become something of a Pandora’s box. Federal regulations overlap with state laws, there are differing categories of allowable fees, and organizations evince an ignorance of, or blatant disregard for, their responsibilities.

As GAO explained, “allowable fees for accessing medical records vary by type of request—that is, whether a patient or third party is making the request—and by state. Federal laws establish limits on the fees that may be charged for two of the three types of requests for medical records: (1) patient requests, when patients request access to their medical records, and (2) patient-directed requests, when patients request that their records be sent to another person or entity, such as another provider.”

This document is only available to subscribers. Please log in or purchase access.


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field