Mary Pat Whaley, FACMPE, CPC
Founder and President, Manage My Practice, Raleigh-Durham, NC
Just when you thought ypoi understood how to charge for medical records, the rules change. In January 2016, the Department of Health and Human Services Office of Civil Rights (HHS OCR) provided clarifications outlined in 45 CFR 164.524: Access of individuals to protected health information (PHI) that gives specific direction to medical practices and other healthcare providers for charging patients for medical records. Highlighted in this article are the most salient parts of the updated rule and frequently asked questions pertaining to the updated clarifications.
Key Clarifications of 45 CFR 164.524
- Covered entities must inform the individual in advance of the approximate/exact fee that will be charged for the copy.
- A covered entity can develop a schedule of costs for labor based on average labor costs to fulfill standard types of access requests (e.g., paper records, electronic records, mailed records, etc.)
- A covered entity may charge individuals a flat fee for all standard requests for electronic copies of PHI maintained electronically, provided the fee does not exceed $6.50, inclusive of all labor, supplies and any applicable postage. While the Health Insurance Portability and Accountability Act Privacy Rule (HIPAA) that establishes national standards to protect individuals’ medical records and other PHI permits the limited fee as described, covered entities should provide individuals who request access to their information with copies of their PHI free of charge.
- The fee limits apply when an individual directs a covered entity to send the PHI to a third party. However, where the third party is initiating a request for PHI on its own behalf, with the individual’s HIPAA authorization (or pursuant to another permissible disclosure provision in the HIPAA Privacy Rule), the access fee limitations do not apply.
- Administrative and other costs associated with outsourcing the function of responding to individual requests for access cannot be the basis for any fees charged to individuals for providing that access.
- A covered healthcare provider cannot charge an individual a fee when it fulfills an individual’s HIPAA covered access request using the view, download and transmit (VDT) functionality of the provider’s certified electronic health record technology (CEHRT).
- HIPAA does not override those state laws that provide individuals with greater rights of access to their health information than the HIPAA Privacy Rule.
- A covered entity may not charge an individual who, while inspecting their PHI, takes notes, uses a smart phone or other device to take pictures of the PHI, or uses other personal resources to capture the information; however, a covered entity is not required to allow the individual to connect a personal device to the covered entity’s systems.
- A covered entity may not withhold or deny an individual access to his PHI because the individual has not paid the bill for healthcare services.
May a covered entity charge individuals a fee for providing a copy of their PHI?
Yes, it may, but only within specific limits. The Privacy Rule permits a covered entity to impose reasonable, cost-based fees to provide the individual (or the individual’s personal representative) with a copy of the individual’s PHI, or to direct the copy to a designated third party. The fee may include only the cost of certain labor, supplies and postage.
Thus, costs associated with updates to or maintenance of systems and data, capital for data storage and maintenance, labor associated with ensuring compliance with HIPAA (and other applicable law) in fulfilling the access request (e.g., verification, ensuring only information about the correct individual is included, etc.) and other costs not included above, even if authorized by state law, are not permitted for purposes of calculating the fees that can be charged to individuals. See 45 CFR 164.524(c)(4).
Further, while the Privacy Rule permits the limited fee described above, covered entities should provide individuals who request access to their information with copies of their PHI free of charge. While covered entities should forgo fees for all individuals, not charging fees for access is particularly vital in cases where the financial situation of an individual requesting access would make it difficult or impossible for the individual to afford the fee. Providing individuals with access to their health information is a necessary component of delivering and paying for healthcare. HHS stated that they will continue to monitor whether the fees that are being charged to individuals are creating barriers to this access, will take enforcement action where necessary, and will reassess as necessary the provisions in the Privacy Rule that permit these fees to be charged.
What labor costs may a covered entity include in the fee that is charged to individuals to provide them with a copy of their PHI?
A covered entity may include reasonable labor under these circumstances:
- Labor for copying the PHI requested by the individual, whether in paper or electronic form, and
- Labor to prepare an explanation or summary of the PHI, if the individual in advance both chooses to receive an explanation or summary and agrees to the fee that may be charged.
Labor for copying includes only labor for creating and delivering the electronic or paper copy in the form and format requested or agreed upon by the individual, once the PHI that is responsive to the request has been identified, retrieved or collected, compiled and/or collated, and is ready to be copied. For example, labor for copying may include labor associated with the following, as necessary to copy and deliver the PHI in the form and format and manner requested or agreed to by the individual:
- Photocopying paper PHI;
- Scanning paper PHI into an electronic format;
- Converting electronic information in one format to the format requested by or agreed to by the individual;
- Transferring (e.g., uploading, downloading, attaching, burning) electronic PHI from a covered entity’s system to a web-based portal (where the PHI is not already maintained in or accessible through the portal), portable media, e-mail, app, personal health record, or other manner of delivery of the PHI; and
- Creating and executing a mailing or email with the responsive PHI.
While we allow labor costs for these limited activities, we note that as technology evolves and processes for converting and transferring files and formats become more automated, we expect labor costs to disappear or at least diminish in many cases.
In contrast, labor for copying does not include labor costs associated with:
- Reviewing the request for access; and
- Searching for, retrieving and otherwise preparing the responsive information for copying. This includes labor to locate the appropriately designated record sets about the individual, to review the records to identify the PHI that is responsive to the request and to ensure the information relates to the correct individual, and to segregate, collect, compile and otherwise prepare the responsive information for copying.
May a covered healthcare provider charge a fee under HIPAA for individuals to access the PHI that is available through the provider’s EHR technology?
The answer is no. The HIPAA Privacy Rule at 45 CFR 164.524(c)(4) permits a covered entity to charge a reasonable, costbased fee that covers only certain limited labor, supply and postage costs that may apply in providing an individual with a copy of PHI in the form and format requested or agreed to by the individual. Where an individual requests or agrees to access her PHI available through the VDT functionality of the CEHRT, we believe there are no labor costs and no costs for supplies to enable such access. Thus, a covered healthcare provider cannot charge an individual a fee when it fulfills an individual’s HIPAA access request using the VDT functionality of the provider’s CEHRT.
May a covered entity that uses a business associate to act on individual requests for access pass on the costs of outsourcing this function to individuals when they request copies of their PHI?
The answer is no. A covered entity may charge individuals a reasonable, cost-based fee that includes only labor for copying the PHI, costs for supplies, labor for creating a summary or explanation of the PHI if the individual requests a summary or explanation, and postage if the PHI is to be mailed. See 45 CFR 164.524(c)(4). Administrative and other costs associated with outsourcing the function of responding to individual requests for access cannot be the basis for any fees charged to individuals for providing that access.
Must a covered entity inform individuals in advance of any fees when the individuals request a copy of their PHI?
The answer is yes. When an individual requests access to their PHI, and the covered entity intends to charge the individual the limited fee permitted by the HIPAA Privacy Rule for providing the individual with a copy of her PHI, the covered entity must inform the individual in advance of the approximate fee that may be charged for the copy. An individual has a right to receive a copy of her PHI in the form and format and manner requested, if readily producible in that way, or as otherwise agreed to by the individual. Since the fee a covered entity is permitted to charge will vary based on the form and format and manner of access requested or agreed to by the individual, covered entities must, at the time such details are being negotiated or arranged, inform the individual of any associated fees that may impact the form and format and manner in which the individual requests or agrees to receive a copy of her PHI. The failure to provide advance notice is an unreasonable measure that may serve as a barrier to the right of access. Thus, this requirement is necessary for the right of access to operate consistently with the HIPAA Privacy Rule.
How can covered entities calculate the limited fee that can be charged to individuals to provide them with a copy of their PHI?
The HIPAA Privacy Rule permits a covered entity to charge a reasonable, cost-based fee for individuals (or their personal representatives) to receive (or direct to a third party) a copy of the individual’s PHI. In addition to being reasonable, the fee may include only certain labor, supply and postage costs that may apply in providing the individual with the copy in the form, format and manner requested or agreed to by the individual. A covered entity may calculate this fee in three ways.
- Actual costs. A covered entity may calculate actual labor costs to fulfill the request, as long as the labor included is only for copying (and/or creating a summary or explanation if the individual chooses to receive a summary or explanation) and the labor rates used are reasonable for such activity.
- Average costs. Instead of calculating labor costs individually for each request, a covered entity can develop a schedule of costs for labor based on average labor costs to fulfill standard types of access requests, as long as the types of labor costs are reasonable as outlined in the Privacy Rule.
- Flat fee for electronic copies of PHI maintained electronically. A covered entity may charge individuals a flat fee for all standard requests for electronic copies of PHI maintained electronically, provided the fee does not exceed $6.50, inclusive of all labor, supplies and any applicable postage.
Are state-authorized costs permitted when providing individuals with a copy of their PHI under the HIPAA privacy rule?
The answer is no, except in cases where the state-authorized costs are the same types of costs permitted under 45 CFR 164.524(c)(4) of the HIPAA Privacy Rule and are reasonable. The bottom line is that the costs authorized by the State must be those that are permitted by the HIPAA Privacy Rule and must be reasonable. The HIPAA Privacy Rule at 45 CFR 164.524(c) (4) permits a covered entity to charge a reasonable, cost-based fee that covers only certain limited labor, supply, and postage costs that may apply in providing an individual with a copy of PHI in the form and format requested or agreed to by the individual. Thus, labor (e.g., for search and retrieval) or other costs not permitted by the Privacy Rule may not be charged to individuals even if authorized by state law.
When a state law requires that a healthcare provider give individuals one free copy of their medical records but HIPAA permits the provider to charge a fee, does HIPAA override the state law?
The answer is no, so the healthcare provider must comply with the state law and provide the one free copy. In contrast to state laws that authorize higher or different fees than are permitted under HIPAA, HIPAA does not override those state laws that provide individuals with greater rights of access to their health information than the HIPAA Privacy Rule does. See 45 CFR 160.202 and 160.203. This includes state laws that: (1) prohibit fees to be charged to provide individuals with copies of their PHI; or (2) allow only lesser fees than what the Privacy Rule would allow to be charged for copies.
When do the HIPAA privacy rule limitations on fees that can be charged for individuals to access copies of their PHI apply to disclosures of the individual’s PHI to a third party?
The fee limits apply when an individual directs a covered entity to send the PHI to the third party. Under the HIPAA Privacy Rule, a covered entity is prohibited from charging an individual who has requested a copy of her PHI more than a reasonable, cost-based fee for the copy that covers only certain labor, supply and postage costs that may apply in fulfilling the request.
May a healthcare provider withhold a copy of an individual’s PHI because the covered entity used the individual’s payment of the allowable fee for the copy to pay instead an outstanding bill for services provided to the individual?
The answer is no. Just as a covered entity may not withhold or deny an individual access to his PHI on the grounds that the individual has not paid the bill for healthcare services, a covered entity may not withhold or deny access on the grounds that the covered entity used the individual’s payment of the fee for a copy of his PHI to offset or pay the individual’s outstanding bill for healthcare services.
Can an individual be charged a fee if the individual requests only to inspect her PHI at the covered entity (i.e., does not request that the covered entity produce a copy of the PHI)?
The answer is no. The fees that can be charged to individuals exercising their right of access to their PHI apply only in cases where the individual is to receive a copy of the PHI, versus merely being provided the opportunity to view and inspect the PHI. The HIPAA Privacy Rule provides individuals with the right to inspect their PHI held in a designated record set, either in addition to obtaining copies or in lieu thereof, and requires covered entities to arrange with the individual for a convenient time and place to inspect the PHI.
The 2016 HHS OCR guidance reiterated the requirements regarding an individual’s right to access their PHI. The clarification of 45 CFR 164.524 encourages healthcare providers and covered entities to understand the scope and application of this Federal Regulation and to follow the requirements to which they are subject. Otherwise, the penalties for noncompliance can be significant.
The information in this article should not be considered as legal advice. For clarifications or additional information about this law, we recommend that you seek legal counsel.