On March 1, 2016, the Office for Civil Rights of the US Department of Health and Human Services ("OCR") released additional guidance in the form of Frequently Asked Questions ("FAQs") addressing patient access to medical records and what covered entities may – and may not – charge for copies of these records. The clarification will severely limit health care providers and health plans, as well as business associates of these entities, in the way they may generate revenue through record copying.
The HIPAA Privacy Rule (45 CFR Section 164.524(c)) permits covered entities to charge "a reasonable, cost-based fee" to provide an individual with his or her protected health information ("PHI"). This section also permits the individual to direct that the covered entity send the copy of the PHI to any designated third party. In calculating the fee, the covered entity may take into account only the following costs:
- Labor for copying the PHI requested by the individual, whether in paper or electronic form. Labor for copying includes only labor for creating and delivering the electronic or paper copy in the form and format requested or agreed upon by the individual, once the PHI that is responsive to the request has been identified, retrieved or collected, compiled and/or collated, and is ready to be copied. Labor for copying does not include costs associated with reviewing the request for access, searching for and retrieving the PHI, which includes locating and reviewing the PHI in the medical or other record, and segregating or otherwise preparing the PHI that is responsive to the request for copying.
- Supplies for creating the paper copy (e.g., paper, toner) or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media. However, a covered entity may not require an individual to purchase portable media; individuals have the right to have their PHI e-mailed or mailed to them upon request.
- Labor to prepare an explanation or summary of the PHI, if the individual in advance both chooses to receive an explanation or summary and agrees to the fee that may be charged.
- Postage, when the individual requests that the copy, or the summary or explanation, be mailed.
The FAQs make it clear that covered entities cannot pass through the cost of general or administrative overhead for operating a medical records department (personnel costs of supervisory personnel, computer licensing costs, percentage of maintenance or janitorial services, based on the square footage of the department, etc.).
There are also some additional items in the FAQs that will make it harder for covered entities to outsource the operation of their medical records release function to outside entities. For example:
- The various state-established fee schedules for copying medical records no longer provide a "safe harbor" for copy service charges, if the covered entity's actual costs (determined above) are lower than the fee schedule. The FAQs also implicitly do not permit the use of the fee schedules to compute the production of electronic copies of medical records using the "printed paper equivalent." For example, if a covered entity produces a copy of a record electronically, it may not calculate how many printed pages the electronic copy contains and charge on that basis; it may only charge the actual costs of making the electronic copy and the cost of the media.
- Covered entities may charge individuals a flat fee for standard requests for electronic copies of PHI maintained electronically of no more than $6.50 (including labor, supplies, and postage).
- If a patient directs that a copy of his or her PHI go to an attorney, the covered entity cannot charge a different price for this "attorney copy." This restriction does not seem to apply in litigation cases in which a copy is subpoenaed from a covered entity by an attorney enclosing the patient's authorization, but it does eliminate the ability of the covered entity to "upcharge" counsel when the patient herself requests disclosure of her PHI to the attorney.
- Patients now have the explicit right to request e-mail copies of their PHI, and to have those copies sent to themselves or to any other person or entity. The FAQs clarify that where a covered entity notifies an individual of the security risks of unencrypted e-mail and the individual accepts those security risks and requests a copy of their PHI by e-mail, the covered entity must provide the PHI by e-mail; however, under these circumstances, the covered entity is neither responsible for breach notification nor liable for disclosures of PHI that occur in transit.
- Patients may not be charged a fee to access and view their PHI.
Because the FAQs are considered explanations of existing regulations, their effective date is the date of publication, or March 1, 2016. We fully expect the plaintiffs' bar to begin cataloging violations of these FAQs; a number of class action lawsuits against providers for failure to adhere to the copy charge limitations have already been filed in other circumstances that predate this more restrictive guidance.
If you have any questions about the implementation of the FAQs or how they may affect your operations, please contact one of our HIPAA team members on the right side of this webpage.