United States Government Accountability Office
Highlights of GAO-18-386, a report to
c
ongressional committees
May 2018
MEDICAL RECORDS
Fees and Challenges Associated with
Patients’
What GAO Found
Available information suggests that the fees charged for accessing medical
records can vary depending on the type of request and the state in which the
request is made. Under the Health Insurance Portability and Accountability Act of
1996 (HIPAA) and its implementing regulations, providers are authorized to
charge a reasonable, cost-based fee when patients request copies of their
medical records or request that their records be forwarded to another provider or
entity. In the case of third-party requests, when a patient gives permission for
another entity—for example, an attorney—to request copies of the patient’s
medical records, the fees are not subject to the reasonable cost-based standard
and are generally governed by state law. According to stakeholders GAO
interviewed, the fees for third-party requests are generally higher than the fees
charged to patients and can vary significantly across states.
The four states GAO reviewed have state laws that vary in terms of the fees
allowed for patient and third-party requests for medical records. For example,
three of the states have per-page fee amounts for patient and third-party records
requests. The amounts charged are based on the number of pages requested
and vary across the three states.
• One of the three states has established a different per-page fee amount for
third-party requests. The other two do not authorize a different fee for patient
and third-party requests.
• One of the three states also specifies a maximum allowable fee if the
provider uses an electronic health records system. The other two do not
differentiate costs for electronic or paper records.
In the fourth state, state law entitles individuals to one free copy of their medical
record. The statute allows a charge of up to $1 per page for additional copies.
Patient advocates, provider associations, and other stakeholders GAO
interviewed identified challenges that patients and providers face when patients
request access to their medical records.
• Patients’ challenges include incurring what they believe to be high fees when
requesting medical records—for example, when facing severe medical
issues that have generated a high number of medical records. Additionally,
not all patients are aware that they have a right to challenge providers who
deny them access to their medical records.
• Providers’ challenges include the costs of responding to patient requests for
records due to the allocation of staff time and other resources. In addition,
according to provider associations and others GAO interviewed, fulfilling
requests for medical records has become more complex and challenging for
providers, in part because providers may store this information in multiple
electronic record systems or in a mix of paper and electronic records.
View GAO-18-386. For more information,
contact
Carolyn L. Yocom at (202) 512-7114
Why GAO Did This Study
HIPAA and its implementing
regulations, as amended by the Health
Information Technology for Economic
and Clinical Health Act, require health
care providers to give patients, upon
request, access to their medical
records, which contain protected health
information (i.e., diagnoses, billing
information, medications, and test
results). This right of access allows
patients to obtain their records or have
them forwarded to a person or entity of
their choice—such as another
provider—in a timely manner while
being charged a reasonable, cost-
based fee. Third parties, such as a
lawyer or someone processing
disability claims, may also request
copies of a patient’s medical records
with permission from the patient.
The 21st Century Cures Act included a
provision for GAO to study patient
access to medical records. Among
other things, this report describes (1)
what is known about the fees for
accessing patients’ medical records
and (2) challenges identified by
patients and providers when patients
request access to their medical
records. GAO reviewed selected
HIPAA requirements and implementing
regulations and guidance, and relevant
laws in four states selected in part
because they established a range of
fees associated with obtaining copies
of medical records. GAO also
interviewed four provider associations,
seven vendors that work for providers,
six patient advocates, state officials,
and Department of Health and Human
Services’ (HHS) officials. The
information GAO obtained and its
analysis of laws in the selected states
are not generalizable. HHS provided
technical comments on this report.