Access and Privacy:
What Urgent Care Centers Need to Know

HIPAA Compliance and the Right of Access Initiative in Urgent Care

In the early 2000s, technology was making great strides across all industries. Access to information and data was increasing productivity, boosting creativity, and allowing businesses to measure their performance. The medical community was no exception.

Although the first EMR was developed in the early seventies to improve patient care through third-party access to patient medical records, industry-wide adoption began with an influx of money, support, and incentives by the Bush and Obama administrations.

What began as a resource for doctors and other medical practitioners is fast becoming a way for patients to become more involved in their own healthcare journey—beginning with information.

Today’s patients are no longer willing to simply receive treatment and advice. They are smart consumers who will evaluate their options before seeking medical care. HIPAA and the Right of Access Initiative supports their right to their health records and requires that healthcare organizations provide it.

Patients’ right to access their health records was recently tested when a Florida woman requested in writing to see the fetal heart monitor records for her unborn baby. The hospital did not provide the records with in the required 30 days. The hospital said it had no record of the mother’s request. Following two requests from the woman’s attorney, the hospital initially provided the lawyer with an incomplete set of the records, and finally, a full set of records more than nine months after the initial request.

Under HIPAA rules, providers have a maximum of 30 days to comply with a records request. The hospitals delayed response cost them $85,000 which was paid to settle the complaint with the Office for Civil Rights (OCR) and the U.S. Department of Health and Human Services. While the hospital didn’t admit wrongdoing, it will be monitored for a year to ensure compliance and will initiate a corrective action plan to prevent further non-compliance.

Providing patients with their healthcare records is not a privilege—it’s the law.

If the recent settlement teaches us anything, it should be that urgent care clinics’ responsibility must be taken seriously. A quick and complete response to patient records is required. Complaints due to non-compliance will be examined and, if proven true, enforced with fines and corrective action.

Responsible Stewardship

Patients have given your clinic and its personnel their trust with their most personal and private health information. Every person on your urgent care staff who has access to electronic health records should be well schooled on the responsibility of keeping records accurate, current, and secure.

When patients request access to their health records, your staff should know and understand the process and the time-sensitivity required to respond to the requests, and the right procedures to ensure no PHI is released inappropriately or unlawfully.

What are your responsibilities?

According to the U.S. Department of Health and Human Services (HHS), “Providing individuals with easy access to their health information empowers them to be more in control of decisions regarding their health and well-being.”

While HIPAA protects the patient privacy and security, it also establishes patients’ rights to information. The following is an overview of your responsibilities (based on guidelines from the HHS website).

(1)  Most health care facilities and health plans are required by HIPAA to provide people, upon request, access to protected health information (PHI) in one or more “designated record sets” maintained by or for the covered entity. This includes the right to inspect or obtain a copy (or both) of the PHI, and/or to transmit a copy to a designated person chosen by the individual.

(2)  Individuals have the right of access to this information as long as it is maintained by a covered entity or a business associate on behalf of the covered entity, regardless of the date the information was created.

(3)  A covered entity cannot impose unreasonable measures on person making the request that are a barrier to access or create delays.

(4)  A covered entity must make take reasonable steps to verify the identity of the individual.

(5)  The “Designated Record Set” includes:

  • Medical records and billing records
  • Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan
  • Other records that are used by or for the covered entity to make decisions about individuals

(6)  Record means: any item, collection, or grouping of information that includes PHI, and is maintained, collected, used, or disseminated by or for a covered entity.

(7)  Patients legally have the right of access to:

  • medical records
  • billing and payment records
  • insurance information
  • clinical laboratory test results
  • medical images, such as X-rays
  • wellness and disease management program files
  • clinical case notes
  • other information used to make decisions about individuals

(8)  An individual does not have a right to access:

  • PHI that is not part of a designated record set because the information is not used to make decisions about individuals (such as certain quality assessment or improvement records, patient safety activity records, or business planning, development, and management records)
  • Psychotherapy notes that are maintained separate from the rest of the patient medical record
  • Information compiled for use in a civil, criminal, or administrative action or proceeding.

(9)  A covered entity is required to provide the individual with access to the PHI in the form and format requested, if readily producible in that form and format, or if not, in a readable hard copy form or other form and format as agreed to by the covered entity and individual.

(10)  A covered entity must provide access to the PHI requested, in whole, or in part, no later than 30 calendar days from receiving the individual’s request but are encouraged to respond as soon as possible. (Some reasonable extensions are allowed.)

(11)  Under certain limited conditions, a covered entity can deny a request for access to all or a portion of the PHI requested based on exceptions in the regulation.

(12)  A covered entity can require individuals to request access in writing, as long as individuals are informed of this requirement.

In urgent care situations, practitioners may see a patient only once or twice, but every component of the patient record informs future decisions for the patient’s broader healthcare team. As they become the driver behind their own healthcare journey, patients will likely ask more questions, consider more options, and make more thoughtful decisions about their care.

When we share information thoughtfully, practitioners have more data on which to base decisions, patients become more involved in their health, outcomes improve, and new insights into population health move healthcare forward.

For more questions and answers about HIPAA’s Access Rights, visit Health and Human Services online.