New AHIMA-Developed Form and Webinar Aims to Ease ROI Confusion

Among the most confusing issues for release of information (ROI) professionals is understanding how to respond to the many different types of requests for information from patients, their personal representatives, or from third parties. The lack of consistent forms accompanying these requests makes it difficult to determine if records requests should be approved or denied.

To help address these concerns AHIMA has developed a “Patient Request for Health Information Model Form,” that offers a standardized way to submit ROI requests.

The form was reviewed by a number of AHIMA’s trusted partners, including Adam Greene, JD, MPH, a partner at the law firm Davis Wright Tremaine LLC. Greene presented a special webinar on Thursday titled “HIPAA Individual Right of Access or Why Your ROI Process May Not Be Compliant with HIPAA.” This webinar is the first in a planned series to address the “individual right of access” in the Health Insurance Portability and Accountability Act (HIPAA).

Greene’s webinar addressed three of the thorniest ROI areas of confusion:

  1. The difference between patient requests and third party requests for information
  2. The difference between patient request forms and authorization forms
  3. The difference in required responses to patient requests and third party requests for information
Difference between a Patient Request and a Third Party Request

Greene explained that ROI officials at HIPAA-covered entities (CEs) like hospitals, understandably, struggle in determining how and when to release records and/or assess fees for record requests when it’s unclear from the form submitted who is requesting the records. In particular, CEs face headaches when requests are forwarded by third parties. Greene says the Department of Health and Human Services’ Office for Civil Rights (OCR) has received a lot of feedback on this and guidance is expected in the future.

To better understand what to do, it’s important to understand the difference between a request from a patient, a patient’s personal representative, and a third party—such as an attorney or another healthcare provider. For HIPAA’s purposes, a personal representative is someone who, according to Greene, “can stand in the shoes of the patient” and has healthcare decision making authority. An example of a personal representative is a parent of a minor, or a legal guardian. Another way to look at this is if a person is authorized to terminate care at the end of another’s life, then they are considered a personal representative. Typically, this person is not the patient’s attorney, unless for some reason the attorney has been given medical power of attorney.

Due to the lack of standardization in ROI request forms, covered entities can be uncertain how to proceed. Greene points to OCR guidance that states:

“Where it is unclear to a covered entity, based on the form of a request sent by a third party, whether the request is an access request initiated by the individual or merely a HIPAA authorization by the individual to disclose PHI to the third party, the entity may clarify with the individual whether the request was a direction from the individual or a request from the third party. OCR is open to engaging with the community on ways that technology could easily convey this information.”

“I know nobody wants to hear this, but picking up the phone and calling the patient may make the most sense here, because you don’t want to get this wrong,” Greene said.

Calling a patient to verify they sent a request can be construed as violating a patient’s right to access, according to Greene. But if a provider is acting in good faith, Greene believes OCR is likely to view the CE’s actions in a favorable light. In some cases where providers have called the patient, they have learned the patient hasn’t authorized the request at all. When in doubt, Greene advises CEs to check with their own legal counsel.

“I’m not going to pretend that everything is black and white,” Greene said. “There will always be gray areas. OCR indicates they’ll put out guidance. I expect it to be helpful but it won’t solve all problems. We will continue to see third parties like attorneys using patient right of access more and more instead of patient authorizations.”

The other challenge for covered entities is how to assess fees for records requests. Again, Greene pointed to OCR guidance, which states:

“[HIPAA fee limits apply] regardless of whether the access request was submitted to the covered entity by the individual directly or forwarded to the covered entity by a third party on behalf and at the direction of the individual (such as by an app being used by the individual). … as described above, where the third party is forwarding—on behalf and at the direction of the individual—the individual’s access request for a covered entity to direct a copy of the individual’s PHI to the third party, the fee limitations apply.”

AHIMA to Release Patient Request for Health Information Model Form

AHIMA’s new Patient Request for Health Information Model Form is intended to provide a plain language tool that provides patients a standardized mechanism to access their health information from a provider or organization. It is exclusively for access to the patient’s health information by the patient or their designated representative, and is meant to streamline the request to assist providers in complying with the 30-day timeframe for patient access addressed by OCR guidance.

The form was developed by two AHIMA’s Practice Councils and has been reviewed by officials at the Department of Health and Human Services’ Office of the National Coordinator for Health IT (ONC), OCR, and by Greene. The form will be officially unveiled at this year’s CSA Leadership Symposium on July 14, and then uploaded for public use on the website.

A recording of Greene’s webinar and the accompanying slides have been posted for AHIMA members on Engage.

Update: this article previously included reference to an upcoming webinar series from AHIMA to accompany the form’s release on July 14, which has been removed. AHIMA is planning additional HIPAA-related webinars for this year that will focus on topics such as privacy and security and cybersecurity, but not as an ROI-focused series.

Mary Butler is the associate editor at The Journal of AHIMA.


  1. I may not entirely understand the healthcare system but I do believe that the development of a form will simplify this confusion if not eliminate it entirely.
    1. When the form is developed, fields could be included stating clearly the various types of request for the applicant to tick making easy to decide the right authority and fees applicable to the request.
    2. Upload such a form to your website for applicants who wish to apply for their records to read before proceeding to make a request.
    In order jurisdictions around the world, a search fee applies where the hospital or healthcare entity does not hold a record on the patient or client.

    Post a Reply
  2. I appreciated Elijah’s comments regarding the new authorization forms.

    Star-Med, LLC has the technology solution. The Star-Med, Star-Assist technology responds to the concerns note by Elijah, and issues noted in the July 11, 2017 ONC article: Improving the Health Records Request Process for Patients, which described the difficulties, confusion, process time, and effectiveness of the medical records request process for the requestor.

    Star-Assist is a user-friendly electronic gateway to retrieve an authorization form that can be accessed from the requestor’s personal computer, through the medical provider’s portal, or through a dedicated device at the provider location. Star-Assist provides assistance and walks the requestor through completion of the request/authorization. It assures that all HIPAA-mandated components of the authorization are completed, including requestor identification and proof of identity. The result streamlines the process by eliminating the time needed to call the requestor to verify information and/or request for missing information; consequently, eliminating frustration and delays to the requestor.

    Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *

Share This

Share This

Share this post with your friends!