HIPAA Right of Access Survey

A phone survey indicating how medical record providers are likely to comply with the HIPAA Right of Access.

Survey initiated August 2018 and is ongoing.

Want to view the Patient Record Scorecard? View here.

Contact us about your institution’s score.

Property Name

Location

INDICATES HIPAA Compliance

Sends in Format Requested (Electronic)

Sends to Patient

no unreasonable fees

Woodland Cancer and Neuroscience Center515 Fairchild Court, Woodland, CA, 95695

Woodland, CA

NO

Accepts Requests by Email or Fax

Sends in Format Requested (Electronic)

no unreasonable fees

Woodland Hills Medical Center5601 De Soto Avenue, Woodland Hills, CA, 91367

Woodland Hills, CA

YES

Accepts Requests by Email or Fax

Sends in Format Requested (Electronic)

no unreasonable fees

Woodland Memorial Hospital1325 Cottonwood St, Woodland, CA, 95695

Woodland, CA

NO

Accepts Requests by Email or Fax

Sends in Format Requested (Electronic)

no unreasonable fees

Woodlawn Medical Center7141 Security Blvd., Baltimore, MD, 21244

Baltimore, MD

YES

Accepts Requests by Email or Fax

Sends in Format Requested (Electronic)

no unreasonable fees

Wooster Family Health Center & Surgery Center & Express Care1740 Cleveland Road, Wooster, OH, 44691

Wooster, OH

YES

Accepts Requests by Email or Fax

Sends in Format Requested (Electronic)

no unreasonable fees

Wooster Milltown Specialty and Surgery Center721 East Milltown Road, Wooster, OH, 44691

Wooster, OH

YES

Accepts Requests by Email or Fax

Sends in Format Requested (Electronic)

no unreasonable fees

Zion Medical Center4647 Zion Avenue, San Diego, CA, 92120

San Diego, CA

YES

Accepts Requests by Email or Fax

Sends in Format Requested (Electronic)

no unreasonable fees

HIPAA Right of Access Survey Methodology

We surveyed approximately 3000 health care institutions by phone, including hospitals and laboratories, regarding their processes for releasing digital records (including images) to patients in compliance with the HIPAA Right of Access.  We spoke directly with a representative of the Health Information Management or Patient Records department, or, in the case of images, the Radiology department.

What indicates non-compliance?

Our questions focused on the following aspects of compliance with the HIPAA Right of Access:

Will you send the records directly to the patient
Some institutions reported they would only send the records to another medical professional.

Will you accept a patient’s access requests by email or by fax?
Some institutions required the patient to come in person or to mail a request.

Will you send the records to a patient by email?
Some institutions refused to send electronic records by e-mail.

Do you charge patients for these records – and if so, how much?
Some institutions shared a fee amount; some refused to answer. We analyzed the information as follows:

Per OCR guidance on the Right of Access:

  • We considered an institution to be charging “reasonable fees” if they:
    • did not charge patients,
    • charged a flat fee of $6.50 or less, or reported fees that seemed to be based on reasonable labor costs for copying.
  • We considered an institution to be charging “unreasonable fees” if they:
    • charged per page fees, including fees for records retrieval, or charged a flat fee higher than $6.50.
  • Institutions who did not answer this question are reported as NA (not applicable).

All of the above questions touch on four key aspects of a patient's Right of Access under the HIPAA Privacy Rule. These include the right to:

  1. receive records directly;
  2. submit a request in ways that do not cause unreasonable delay or impose undue burden on the patient;
  3. receive records in the form and format requested, including receiving electronic records by e-mail and;
  4. have all fees for these records be reasonable (reasonable, cost-based fees for the labor needed to make the copy).

Because this survey is based on questions about an institution’s process for releasing records to patients, we were not able to determine whether an institution would release records to patients within 30 days of receiving the request, which is another key aspect of the HIPAA Right of Access.