I just re-read an email newsletter by Monica Oss of Open Minds asking the question: “Who Owns Patient Records?“. The answer to this question varies from state to state, with some locales not having clear statutory requirements. In Florida, the provider owns the record but must provide a copy of it if the patient requests it. In fact, the HIPAA privacy standards make it very clear that the provider is responsible for sharing records with a patient (making copies) if a patient so requests. One of the major exceptions to this requirement is psychotherapy notes, which the behavioral health provider is not responsible to share with the patient and must not share with anyone else (like an insurance company) without the patient’s specific permission.
This matter is complicated when a provider uses an Electronic Medical Record (EMR) that is hosted by a software company. Why should that matter, you ask. Well, in the case of the hosted product, the software resides on the company’s servers, not on the provider’s computer. The provider pays to use the software; they don’t own anything. Unless the provider prints everything out, they do not really have possession of a record; the software company does.
What happens when they decide to go to another software program? The first company may be willing to provide them with reports and printouts of their records, but getting that into a new program can be a challenge. And if the old company is willing to work with the new one to transfer the data, the process can be very time-consuming and costly…and some companies won’t even do it.
And if the EMR is free, the provider may be agreeing to share some of the data they enter so the software company can sell it to other companies…all within the confines of their role as a Business Associate, of course. You do have a BAA with the software company, right? And of course, you have a good contract that you have read and understood before you signed it, right?
Hmmm…..this ownership question is complicated.
Please share your comments below.
Daphney says:
What about requests from a clients health insurance in order to pay for services. Do you have to send records if you do not have a release?
Kathy says:
As I understand HIPAA, you are not allowed to send psychotherapy notes to an insurer without specific permission from the client. You certainly must send all the info on a HCFA form to get paid by the insurer (provider, date of service, what the service was, the charge, diagnosis), but you should have gotten the client’s signature and permission for that before you saw them. If you did not get that permission and the client will not give it after the fact, you will need to try to collect payment from the client. And good luck with that!
Kathy says:
That is a caveat worth repeating. You may be custodian of the patient’s record, but you should always assume that someone else may at some time be reading that record. And make sure you have made arrangements to keep that record for the length of time required by your state law!
Vince Bellwoar says:
Here in PA it’s pretty straightforward. We, the provider, is the custodian of the records and the owner is the patient. While HIPAA is clear about patients rights to access their records, patients have to pay for those records. And yes, psychotherapy records can be kept separate and then patient may not get easy access to these, but I see few providers taking the time to keep a separate file of psychotherapy notes. Most feel it is a waste of time.
These days, always write your notes with the belief that your patient, your patient’s insurer and your patients lawyer will read the record. Vince