51% of Healthcare Providers Are Not Fully Compliant with HIPAA Right of Access

Healthcare providers are providing patients with copies of their medical records, but a majority have been found not to be fully compliant with the HIPAA right of access.

A study was conducted by medRxiv, a health manuscript archiving company, to assess compliance with all requirements of the HIPAA right of access. Researchers sent genuine requests for patient records to 51 healthcare providers.

The record requests were made to populate a new consumer platform that helps patients access their health information and medical records. In each case, patients gave their authorization for the records to be obtained by the researchers.

The researchers scored each healthcare provider based on their response to the requests. A 1-star rating was given to a provider that accepted a request for patient records via email or fax. A 2-star rating was given if a provider met the requirements of HIPAA, but only after the issue had been escalated to a supervisor on more than one occasion.

A 3-star rating was given to a provider that met the requirements of HIPAA with just one escalation event, and a 4-star rating was given to providers that were fully compliant and staff did not need to escalate the request to a supervisor.

MedRxiv gave a 5-star rating to providers that went above and beyond the requirements of HIPAA and responded to a records request within 5 days, provided those records free of charge, and accepted non-standard forms.

51% of providers only achieved a 1-star (27%) or 2-star (24%) rating. 20% were given a 3-star rating and 30% received a 4-star rating. 18% of providers received a 5-star rating.

The researchers note that had they not escalated their issue to a supervisor, 71% of requests would not have been dealt with in a HIPAA-compliant manner.

In addition to the records requests, 3,003 healthcare providers were surveyed by telephone and were asked about their policies and procedures relating to the HIPAA right of access. The survey suggests 56% of healthcare providers are not fully compliant with all aspects of the HIPAA right of access.

The common area where healthcare providers were not in compliance was refusal to send medical records electronically. Around a quarter of providers appeared not to be aware that there were restrictions on the amount patients could be charged for obtaining a copy of their medical records.

The survey shows there is considerable room for improvement. Not only must healthcare providers make sure their employees are aware of company policies and procedures, but those policies and procedures should also be checked to make sure the company is in full compliance with all requirements of the HIPAA right of access.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/