Practices Must Comply with New Medical Record Transfer Rules

Patients have a right to have their entire medical record transferred (subject to some exceptions, such as for mental health records) to any provider they choose.

The HIPAA final rule provides some specific guidance on transfer of medical records:

(a) If your practice maintains EHR, you must provide a copy of the medical record in at least one readable electronic format. The record can, for example, be provided on a disc, by sending a secure email, or through a secure Web-based portal. Although a practice is not required to purchase software or hardware to accommodate requests for specific formats, a practice must be able to provide some form of readable electronic copy. A hard copy may be provided if the patient rejects the electronic formats. The file turned over to the patient should include all of the protected health information (PHI) held by the covered entity, even if this is a combination of electronic and hard copies.

(b) Practices can reject using a patient's own flash drive or other device to transfer the records if there are security concerns. Additionally, if secure e-mail is not available, but the patient wants the record e-mailed to them via unencrypted e-mail, the practice can send the recordsafter advising the patient of the risk their information could be read by a third party.   I also recommend having the patient sign off on a written acknowledgment of the risk involved.

(c) Be sure you are prepared to transmit an electronic copy of a patient’s medical record directly to a third person if designated by the patient in writing.  Policies and procedures must exist within the practice to verify the identity of any such person.

(d) While practices can charge patients for copying medical records, every practice should be familiar with the limitations set by the final rule.  Labor costs for copying PHI, whether in paper or electronic form, are one factor that may be included in the reasonable, cost-based fees charged to individuals. This might include time the staff spent creating or copying electronic files, scanning, and burning PHI to media. Reasonable, cost-based fees may also include the costs of supplies (e.g., discs, flash drives) or postage, depending on how the patient asks for the record to be transferred. Be aware that under the final rule, a practice cannot charge a retrieval fee for electronic copies or for any costs related to new technology, maintaining systems for electronic PHI, data access or storage infrastructure. Each practice should also determine the state law requirements on patient record copying, since state law will preempt HIPAA if the state law imposes a lower copying charge.

Finally, the final rule decreased the time a practice has to respond to requests for a medical record.  A practice now only has 30 days to respond to a record request but may obtain a one-time extension of 30 days if the practice provides a written explanation to the patient explaining the reason for the delay and the expected date of completion.

For more information, please visit the Departments of Health and Human Services online at