HIPAA AND FEES FOR MEDICAL RECORDS – Updated OCR guidance sets limits.
Physicians and other HIPAA covered entity providers are familiar with HIPAA’s rule on fees that may be charged when individuals request copies of their medical records. The federal Office of Civil Rights (OCR), the enforcement agency for the HIPAA Privacy Rule, recently released updated guidance directives on when fees may be imposed and limitations on costs that may be included in assessing such fees. Medical practices, especially those with separate HIPAA and non-HIPAA medical record fee schedules, may be surprised at what the OCR is now saying.
HIPAA Privacy Rule 164.524(c)(4) is at the center of the OCR’s guidance. According to that rule, individuals requesting a copy of their protected health information (PHI) may be charged a reasonable, cost-based fee that includes only (i) the cost of labor for copying the PHI, whether in paper or electronic format; (ii) supplies for creating the paper or electronic media consistent with the individual’s request; and (iii) postage if the individual has requested mailing. The rule also permits assessing a fee for costs in preparing an explanation or summary of the individual’s PHI when agreed to by the individual.
In its guidance, the OCR further clarifies appropriate costs that may be considered in setting a fee and those costs that may not. A fee may reflect labor costs incurred in creating and delivering an electronic or paper copy in the form and format requested or agreed upon by the individual after the requested PHI has been identified, retrieved, compiled/collated, and readied for copying. More specifically, the fee may consider labor costs incurred in –
- Photocopying paper PHI;
- Scanning paper PHI into an electronic format;
- Converting electronic PHI in one format to the format requested by or agreed upon by the individual;
- Transferring (e.g., uploading, downloading, attaching, burning) electronic PHI from the covered entity’s system to a web-based portal when the PHI is not already maintained in or accessible through the portal, portable media, e-mail, app, personal health record, or other manner of delivery of the PHI;
- Creating and executing a mailing or e-mail with the requested PHI.
A fee may not take into account labor costs associated with verification, documentation, searching for, retrieving, segregating or otherwise preparing the PHI for copying; maintaining systems; or recouping capital for data access, storage, or infrastructure, even if such costs are authorized by State law.
Supply costs appropriately considered in setting a fee include paper toner for paper copies and CD or USB drives for electronic media as may have been requested or agreed upon by the individual. However, a covered entity may not require an individual to purchase portable media; rather, individuals have the right to have copies of their PHI mailed or e-mailed to them upon request.
Even if a covered entity’s fee takes into account only permissible costs, that fee also must be reasonable. While conventional wisdom might assume continued increases in legitimate medical record fee costs, the OCR believes advances in automation and technology predict decreasing labor costs and, in certain instances, even disappearance of such costs.
Additional points of clarification from the OCR include the following —
- While a permissible fee may be charged to individuals requesting copies of their PHI, “covered entities should provide individuals who request access to their information with copies of their PHI free of charge,” particularly if the individual requesting access cannot afford the fee.
- A covered entity may not charge a fee when individuals access their PHI through the covered entity’s certified EHR system. A covered entity, the OCR maintains, incurs no labor or supply costs when individuals access their PHI through an available View, Download, or Transmit function on a covered entity’s EHR system.
- Individuals cannot be charged a fee to only inspect their PHI at the covered entity’s office.
The OCR emphasizes that covered entities must give individuals requesting copies of their PHI advance notice of fees that may be charged. In addition, covered entities should post on their web sites an approximate fee schedule for regular types of access requests and should be prepared, upon request, to provide a breakdown on factors that make up their fees. A covered entity may calculate their fees in three ways: actual costs, average costs, or flat fee for electronic copies; the OCR details how each of these calculations can be made.
The OCR specifically addresses fees that may be charged to third parties requesting an individual’s PHI as authorized by the individual. When individuals request that their copied PHI be sent to a named third party, the HIPAA fee rule applies and, the OCR says, “It doesn’t matter who the third party is.” Similarly, if a third party, on behalf and at the direction of an individual, forwards an individual’s request for release of the individual’s PHI to that third party, the HIPAA fee rule applies. On the other hand, if a third party initiates a request for an individual’s PHI on the third party’s behalf and with the individual’s authorization, then HIPAA’s fee limitations do not apply.
Even if State law specifies fees to be charged for medical records, covered entities are bound by the limitations of the HIPAA fee rule unless a covered entity can show that the State’s fee schedule is based on the same types of costs permitted by HIPAA and is reasonable. Iowa law specifies limitations on fees that may be assessed for medical records in two instances: 1) requests for medical records for workers’ compensation purposes, Iowa Administrative Code 876-8.9, and 2) release of medical records to a party adverse to the individual in litigation consistent with a patient waiver or court order whereby fees charged must be consistent with the workers’ compensation fee schedule or as otherwise specified, Iowa Code section 622.10(6). In each of these Iowa-defined situations, individuals authorize release of their medical records not as an exercise of their HIPAA individual rights of access but as required by law and regulation. Arguably, these are the type of third party releases to which the HIPAA fee rule does not apply. Medical practice believing otherwise, however, should then assure that their fee charges in these instances of Iowa law and regulation do not exceed amounts permitted by the HIPAA fee rule.
The OCR’s guidance on medical record fees is contained within a comprehensive release entitled, Individuals’ Right under HIPAA to Access their Health Information, 45 CFR 164.524, found at http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html. This practical resource includes specific OCR responses to many frequently asked questions (FAQs) on individual rights of access to PHI and fee charges. This OCR guidance document gives important insight into how this chief regulator reads these HIPAA rules. It is well worth the read.