Recent confusion surrounding a patient’s ability to obtain their personal medical files, and the possibility that fees are limiting such access, has led to the issuance of revised federal guidance that may change organizational practices regarding the release of an individual’s medical information. In various updates throughout 2016, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has released guidance regarding how healthcare providers may lawfully present access to an individual’s protected health information (PHI), i.e., individually identifiable health information transmitted or maintained in a patient’s medical record,1 under the Health Insurance Portability and Accountability Act (HIPAA), including the appropriate method for determining patient fees to acquire such information.2 After confusion from industry commentators arose due to beliefs that a fee maximum was implemented,3 the OCR opined that “…individuals can be charged only a reasonable, cost-based fee for the labor and supplies associated with making the copy, whether on paper or in electronic form.”4 [Emphasis included] The OCR guidance notes that organizations are permitted to charge individuals based on one of three methods: actual costs, average costs, or a flat fee.5 This Health Capital Topics article will briefly discuss an individual’s right of access to PHI under HIPAA, and detail the three methods that may be utilized in determining the charges that organizations may levy on patients to access their PHI.
Generally, HIPAA provides individuals with a right to “…inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set…”6 [Emphasis added] A designated record set is defined as
“…[a] group of records maintained by or for a covered entity that is: (i) The medical records and billing records about individuals maintained by or for a covered health care provider; (ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.7
Requests for access to PHI maintained in a designated record set may be made by the individual, or the individual’s personal representative, defined as a person who has legal authority to act on behalf of the individual.8 Requests must be honored within thirty days unless an extension applies,9 and PHI provided must be in the form (i.e., electronic or paper) and format (i.e., a summary or complete file) requested by the individual, if it is readily producible in that form and format.10
Covered entities, defined as a “(1) health plan…[;] (2) healthcare clearinghouse…[; and,] (3) healthcare provider who transmits any health information in electronic form…[,]”11 may charge individuals for providing access to, or copies of, PHI.12 Confusion arose regarding the amount of those fees for providing access to PHI after a fact sheet was released by OCR in early 2016, which many health industry stakeholders interpreted as stating that healthcare organizations could not charge patients over $6.50 in total for their PHI.13
In an updated Frequently Asked Questions webpage, the OCR clarified that $6.50 is not the maximum allowable fee. Instead, the OCR noted that covered entities may impose a reasonable, cost-based fee, based on one of three methods:
actual costs, based on labor, supplies, and postage, for creating and delivering the PHI copy, and preparing an explanation or summary of the health information if requested by the individual;
average costs, based on a schedule of labor costs in fulfilling the request; or,
a flat fee
not to exceed $6.50 per request (inclusive of all labor, supplies, and postage) for electronic copies of PHI maintained electronically.14
While the OCR attempted to limit the scope of labor costs by requiring the use of “…the reasonable hourly rate of the person copying and sending the PHI”, a limit on those labor costs remains undefined, as the OCR maintains that a “reasonable” hourly rate may also depend on “…the level of skill needed to create and transmit the copy [of PHI]…(e.g., administrative level labor to make and mail a paper copy versus more technical skill needed to convert and transmit the PHI…”15 According to the OCR, the flat fee is “an option available to entities that do not want to go through the process of calculating actual or average allowable costs for requests for electronic copies of PHI maintained electronically.”16 However, the seeming simplicity of the $6.50 flat fee may be misleading, as covered entities must satisfy other requirements pertinent to charging fees for access to PHI, including:
(1) Covered entities must provide individuals in advance with an approximate fee amount to be charged for the actual cost method (which method is discussed above);
(2) Per-page fees are not allowed for health information maintained electronically; and,
(3) State laws granting individuals one free copy of PHI override the HIPAA fee determination methods for the first copy.17
Of note, the OCR opined in its guidance that HIPAA rules regarding charging for access to PHI override state laws allowing covering entities to charge fees above HIPAA regulations.18
The OCR will likely continue to scrutinize compliance with rules related to an individual’s access to PHI. Proper access to an individual’s PHI is one of the top concerns in the OCR’s enforcement of rights conferred by HIPAA.19 Over the last thirteen years, from April 14, 2003, to May 31, 2016, the OCR received over 134,246 complaints, and initiated over 879 reviews regarding HIPAA compliance.20 Of the HIPAA compliance issues investigated by the OCR thus far in 2016, an individual’s lack of proper access to their PHI served as the third most prevalent reason to file a complaint with the agency, trailing only “…impermissible uses and disclosures of protected health information…” and “…lack of safeguards of [PHI]…”21 Consequently, ensuring compliance with any updated HIPAA guidance regarding an individual’s access to PHI, may be prudent for covered entities under HIPAA, especially in consideration of the current uncertainty regarding the maximum allowable hourly rates due to the lack of an explicit limit.
“Definitions” 45 C.F.R. § 160.103 (January 25, 2013), definition of “protected health information.”
“Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524” Department of Health and Human Services, http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html#maximumflatfee (Accessed 6/15/16).
“Only $6.50 For Medical Records? Not So Fast” By Marla Durben Hirsch, SCG Health, June 5, 2016, http://www.scghealth.com/blog/only-6-50-for-medical-records-not-so-fast (Accessed 6/15/16); “OCR Clarifies confusion with the $6.50 flat fee charge for PHI” By David R. Broyles and William R. Shenton, Poyner Spruill, LLP, May 27, 2016, http://www.poynerspruill.com/publications/Pages/OCRClarifiesconfusionwiththeflatfeechargeforPHI.aspx (Accessed 6/15/16); “Clarification of Permissible Fees for HIPAA Right of Access – Flat Rate Option of Up to $6.50 is Not a Cap on All Fees for Copies of PHI” Department of Health and Human Services, May 23, 2016, http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/clarification-flat-rate-copy-fee/index.html (Accessed 6/15/2016).
“New HIPAA guidance reiterates patients’ right to access health information and clarifies appropriate fees for copies” Jocelyn Samuels, Office for Civil Rights, February 25, 2016, http://www.hhs.gov/blog/2016/02/25/new-hipaa-guidance-accessing-health-information-fees-copies.html (Accessed 7/11/2016).
“Access of individuals to protected health information” 45 C.F.R. § 164.524(a).
“Definitions” 45 C.F.R. § 164.501 (January 25, 2013), definition of “designated record set.”
“Uses and disclosures of protected health information: General rules” 45 C.F.R. § 164.502(g).
45 C.F.R. § 164.524(b)(2).
45 C.F.R. § 164.524(c)(2).
45 C.F.R. § 160.103 (January 25, 2013), definition of “covered entity.”
45 C.F.R. § 164.524(c)(4).
Hirsch, June 5, 2016; Broyles, May 27, 2016; HHS, May 23, 2016.
HHS; 45 C.F.R. § 164.524(c)(4).
“Top Five Issues in Investigated Cases Closed with Corrective Action, by Calendar Year” Department of Health and Human Services, http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/top-five-issues-investigated-cases-closed-corrective-action-calendar-year/index.html (Accessed 7/13/2016).
“Enforcement Highlights” Department of Health and Human Services, May 31, 2016, http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html (Accessed 6/16/2016).