On January 7, 2016, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) released new guidance clarifying an individual’s right to access his or her medical record under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). On February 25, 2016, OCR released additional guidance explaining the permissible reasonable cost-based fees for copies of medical records. Under HIPAA, individuals have an enforceable, legal right to request copies of their medical records maintained by covered entities. The purpose of the guidance is to help remove barriers and resolve any misunderstandings related to individuals accessing their health information.
Requests for Access
Upon request, individuals can access their protected health information (“PHI”) in one or more “designated record sets” maintained by a health care provider. A designated record set is defined as a group of records maintained by or for a covered entity that includes: (1) medical records and billing records; (2) enrollment, payment, claims adjudication and medical management record systems; or (3) any other records used by covered entities to make decisions about individuals. State laws that provide a greater right of access to PHI than HIPAA, or that are not contrary to HIPAA, still apply and are not preempted by HIPAA. Patients are not required to state a reason why they are requesting their medical records.
Under limited circumstances, a covered entity may deny an individual’s request for access to all or a portion of the PHI requested. In certain circumstances, an individual has a right to have the denial reviewed by a licensed health care professional designated by the covered entity who did not participate in the original decision to deny (45 CFR 164.524 (a)). A covered entity cannot deny access to an individual’s medical record if the individual has failed to pay his or her medical bill(s).
Covered entities are required to take reasonable steps to verify the identity of an individual requesting access to his or her medical record. However, the verification process may not impose unreasonable measures on an individual that serve as barriers to or unreasonably delay the individual from obtaining access to his or her medical record. Examples of unreasonable measures include:
- Requiring an individual to physically come to the covered entity’s office in order to provide proof of identity in person when the individual is requesting a copy of his or her medical record to be mailed to a home address;
- Requiring the use of a web portal for requesting access to the individual’s medical record as not all individuals will have ready access to the portal; and
- Requiring the individual to mail an access request as this would unreasonably delay the covered entity’s receipt of the request and, thus, the individual’s access.
Timelines for Providing Access
Covered entities should respond to a request for access as soon as possible but must respond to an individual’s request for access no later than 30 calendar days after receiving the request. If a covered entity is unable to provide access within 30 calendar days, the covered entity may extend the time by no more than an additional 30 days. The covered entity must provide the individual with a written statement giving the reason(s) for delay and the date by which the entity will complete the request.
Form and Format of Access
Covered entities are required to provide the individual with access to PHI in the form and format requested by the individual so long as it can be readily producible. If the covered entity cannot produce the PHI in the form and format requested by the individual, then the covered entity should provide the individual with a readable hard copy form of his or her PHI or in a format mutually agreed upon by both parties. Mail and email are generally considered readily producible formats to view medical records.
HIPAA permits a covered entity to charge a reasonable and cost-based fee for creating a copy of the individual’s record. Although OCR suggests that covered entities provide individuals with copies of their medical records free of charge, this is not a mandate under HIPAA. However, if state law requires health care providers to provide one free copy of a patient’s medical record, HIPAA does not preempt that state law. Covered entities are encouraged to examine the financial situation of the individual requesting access and consider whether it will be impossible for the individual to afford the fee.
Reasonable and cost-based fees include:
- Labor for copying the PHI (whether in paper or electronic form);
- Supplies for creating the copy (e.g., paper, toner, CD or USB drive);
- Labor to prepare a summary of the PHI (if requested); and
- Postage if the individual wants a copy mailed.
A covered entity is not permitted to charge a fee associated with the maintenance and storage of data, labor associated with ensuring HIPAA compliance (e.g., verification of an individual requesting a medical record) and other costs not included above, even if authorized by state law. OCR further clarifies the labor fee for producing the medical record copy, which cannot include costs associated with reviewing the request for access, search or retrieval of PHI and segregating or otherwise preparing PHI in response to the request. A covered entity can only charge for labor costs associated with creating and delivering a copy of the medical record in the format requested by the individual. These labor costs can include:
- Scanning paper PHI into an electronic format;
- Converting electronic information in one format to the format requested by the individual;
- Transferring electronic PHI from a covered entity’s system to a web-based portal, portable media, email, app, personal health record or other manner of delivery; and/or
- Creating and executing a mailing or email.
OCR suggests three practices covered entities can use to calculate the reasonable, cost-based fee for medical record copies:
- Actual Costs. A covered entity may calculate actual labor costs to fulfill the request as long as the labor included is only for copying and the labor rates used are reasonable for such activity. The covered entity may add to actual labor costs any applicable supply (e.g., paper, CD or USB drive) or postage costs.
- Average Costs. A covered entity can develop a schedule of costs for labor based on average labor costs to fulfill standard types of access requests as long as they are allowed under HIPAA and are reasonable. Covered entities cannot charge per page fees for paper or electronic copies of PHI maintained electronically.
- Flat Fee for Electronic Copies of PHI Maintained Electronically. A covered entity may charge individuals a flat fee for all standard requests for electronic copies of PHI maintained electronically, provided that the fee does not exceed $6.50, inclusive of all labor, supplies and any applicable postage.
Fee Limits for Disclosures to Third Parties
When an individual directs a covered entity to send a copy of his or her medical record directly to a third party, the reasonable, cost-based fee limit under HIPAA applies to that request. In this instance, a covered entity is permitted to charge only a reasonable, cost-based fee that covers certain labor, supply and postage costs as mentioned above. This limitation applies regardless of who the third party is.
In contrast, if a third party initiates a request for PHI on its own behalf, with the individual’s HIPAA authorization (or pursuant to another permissible disclosure provision in the Privacy Rule), the access fee limitations do not apply. If it is unclear whether a request is an access request initiated by the individual or merely a HIPAA authorization by the individual to disclose PHI to the third party, the covered entity should clarify with the individual.
In light of this guidance, covered entities of all types should take the following necessary steps to ensure that they are providing their patients with reasonable access to their medical records.
- Review and audit medical record access policies to ensure access is provided appropriately and in a timely manner;
- Ensure the verification process does not create any barriers to, or unreasonably delay the individual from, obtaining access to his or her PHI;
- For electronic access, monitor patient portals to ensure there are appropriate authentication controls; and
- Identify labor and supply costs associated with producing medical record copies to ensure fees are reasonable and cost-based.