A clear signal of increased enforcement where covered entities do not honor requests for access to PHI as required by HIPAA
The U.S. Office for Civil Rights (OCR) has been actively releasing new information regarding the Health Insurance Portability and Accountability Act of 1996 (HIPAA) compliance, including releasing a frequently asked question (FAQ) aimed at clarifying the rules for fees charged to patients in need of access to medical records.
HIPAA requires covered entities to allow patients access to their records. If patients want a copy of their records, covered entities are permitted to charge a reasonable, cost-based fee to cover the cost of labor, supplies and postage. Until recently, there was very little official guidance on what constitutes reasonable. A recent FAQ was released that clarifies this issue.
Fees for Labor
According to the FAQ, the cost of labor should solely be for fees related to copying records. It includes reasonable costs for copying the PHI requested by the individual, in paper or electronic form and the cost to prepare an explanation or summary of the PHI. This is only if the person chooses to receive an explanation or summary in advance and agrees to the fees.
The cost of labor also includes labor for creating and delivering the electronic or paper copy if the form is requested by the individual. It is calculated from the time the PHI is identified, retrieved or collected and compiled or collated to when it is prepared to be copied. Examples include photocopying paper PHI, scanning paper PHI into an electronic format and converting electronic information in one format to the format requested by or agreed to by the individual.
According to the FAQ, there has been confusion about what constitutes a prohibited search and retrieval cost. In the past, charging a patient for labor costs related to search and retrieval was not allowed. However, the clarification ensures the fees charged are solely what the OCR considers “copying” for purposes of applying 45 CFR 164.524(c)(4)(i) while not interfering with a person’s ability to access a copy of their records.
Labor can be charged for the cost of preparing an explanation or summary of the PHI, in advance, if the individual chooses to receive an explanation or summary and agrees to the fee that may be charged. The fee for labor does not include the cost associated with reviewing the request for access or searching/retrieving the PHI. Importantly, the OCR points out that it expects labor costs to disappear or at least diminish in most cases. This is due to new technology and further automation of processes used to convert and transfer files.
Fees for Supplies and Postage
Supplies include the cost of creating the paper copy and providing the record on electronic media. Examples include the cost of paper and toner, and of a CD or USB drive, respectively. A covered entity may not require a person to buy portable media. Furthermore, the person has the right to have his/her protected health information emailed or mailed upon request. Care must be taken, in such instances, to comply with other HIPAA requirements that protect the privacy and security of the information being sent. Moreover, postage may be charged when the individual requests that the copy, or the summary or explanation, be mailed.
The OCR clarifies how to calculate a reasonable, cost-based fee. According to the FAQ, a covered entity may calculate the fee by determining the actual cost, average cost or using a flat fee for electronic medical records.
A covered entity may calculate actual labor costs to fulfill the request, as long as the labor included is only for copying (and/or creating a summary or explanation if the individual chooses to receive a summary or explanation) and the labor rates used are reasonable for such activity. These approximate costs must still be approved in advance by the individual.
Average cost is determined by creating a schedule of costs for labor based on the average labor costs to fulfill standard types of access requests as long as the types of labor costs included are the ones the Privacy Rule permits a fee for. The covered entity may add the cost of any applicable supply to that amount.
Finally, a flat fee can be charged for all standard requests for electronic copies of PHI that are maintained electronically. The fee cannot be more than $6.50, which includes the cost of labor, supplies and applicable postage.
Due to the varying costs of fees, a covered entity must inform the individual of the cost while the details are being arranged. This helps preserve the patient’s right to access, which is mandated by the Privacy Rule.
The FAQ further explains that labor or other costs not permitted by the Privacy Rule cannot be charged to individuals even if authorized by state law. Plainly stated, “[t]he bottom line is that the costs authorized by the State must be those that are permitted by the HIPAA Privacy Rule and must be reasonable.” If the state permits an amount that exceeds the covered entity’s cost to provide the PHI, charging a patient that amount would be unreasonable and impermissible under the Privacy Rule.
However, the HIPAA requirements do not override state laws that require providers to provide one free copy of a medical record. This includes state laws that prohibit charging fees to provide individuals with copies of their PHI, or that allow only lesser fees than the Privacy Rule would allow to be charged for copies.
The OCR also addresses the release of PHI to a designated third party. According to the FAQ, PHI can be released to a third party if requested by an individual. The request must be in writing and signed by the individual or entity designated by that person. It must clearly identify the designated person or entity and where to send the PHI. An electronically executed request is acceptable and must include an electronic signature, as well as a faxed or mailed copy of the signed request. The same requirements for providing the PHI to the individual, such as the timeliness requirements, fee limitations, prohibition on imposing unreasonable measures and form and format requirements, apply.
A covered entity may not deny an individual’s access request to send PHI to a third party for other purposes. Disagreement with the individual about the worthiness of the third party as a recipient of PHI, or even concerns about what the third party might do with the PHI (except for the express reasons listed in the Privacy Rule, such as in cases where life or physical safety is threatened), are not acceptable reasons to deny the request.
Denial of Access
A covered entity may deny an individual access to all or a portion of the requested PHI in only very limited circumstances. For example, a covered entity may deny a request if a licensed health care professional determines, in the exercise of professional judgment, that the request is reasonably likely to endanger the life or physical safety of the individual or another person.
Although the Privacy Rule allows for the fees, the OCR encourages covered entities not to charge fees for the records, as patient access to Protected Health Information is a necessary component of delivering and paying for healthcare. The OCR will continue to monitor the fees being charged to individuals, determine whether those costs are creating barriers to access, and take enforcement action where necessary.
Phil C. Solomon is the publisher of Revenue Cycle News, a healthcare business information blog, and serves as the Vice President of Global Services for MiraMed, a healthcare revenue cycle outsourcing company. As an executive leader, he is responsible for creating and executing sales and marketing strategies which drive new business development and client engagement. Phil has over 25 years’ experience consulting on a broad range of healthcare initiatives for clinical and revenue cycle performance improvement. He has worked with the industry’s largest health systems developing executable strategies for revenue enhancement, expense reduction, and clinical transformation. He can be reached at firstname.lastname@example.org
The post Look Back on OCRs Guidance Regarding Patients’ Access to PHI appeared first on REVENUE CYCLE NEWS.