The Office of Civil Rights (“OCR”) recently issued new guidance (“Guidance”) concerning the right of individuals to access their protected health information (“PHI”) under the HIPAA Privacy Rule. The OCR explained in the Guidance that based on its enforcement experience and recent studies, individuals continue to have difficulty accessing information - even from entities required to comply with the HIPAA Privacy Rule. This is also despite improvements in technology that make access more readily available. Bottom line is that individuals must have access to their PHI and health providers need to be providing such access.

However, the Guidance further clarifies a number of issues, including permissible charges for providing information to patients, security issues, submission of requests for information, and the manner for providing access to information.

CHARGES FOR RECORDS

The Guidance reiterates that Covered Entities may charge a reasonable, cost-based fee for providing a requested copy of medical records, as long as the fee covers only the cost of:

  • Labor for copying requested PHI;
  • Supplies for creating the paper copy or electronic media if the individual requested that the electronic copy be provided on portable media;
  • Postage, if the individual requested that the records be mailed; and
  • Preparation of an explanation or summary of the PHI, if agreed to by the individual.

The charges may not include costs associated with verification, documentation, searching or retrieving the PHI, maintaining systems, recouping capital for data access, storage or infrastructure or other costs not permitted by the Privacy Rule, even if they would be allowed pursuant to state law. Finally, the Guidance emphasized that non-payment of bills for medical services is not grounds for denying an individual access to PHI.

SECURITY AND INFORMATION DELIVERY ISSUES

The Guidance also further confirms that PHI must be provided in the manner requested by the individual Covered Entities, including via mail or email. This includes providing a copy of PHI via unencrypted email. However, in such instance the Guidance requires that the Covered Entity or Business Associate must provide a brief warning that there is some risk that the individual’s PHI could be read or accessed by a third party while in transit.

If the individual confirms that they still want to receive the PHI by unencrypted email, then the Covered Entity or Business Associate must comply with the request. While Covered Entities must adopt reasonable safeguards while fulfilling an individual’s request - for example using the correct email address - they are not responsible for disclosure of PHI sent on an unsecure network if that is how an individual requested it after being warned of and accepting the risks.

PATIENT ACCESS

The Guidance explains that information included in “designated record sets” that patients have a right to access under HIPAA include:

  • Medical records and billing records about individuals maintained by or for a covered healthcare provider;
  • Enrollment, payment, claims adjudication and case or medical management record systems maintained by or for a health plan; and
  • Other records that are used to make decisions about individuals.

Information that is excluded includes (i) psychotherapy notes (the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session) which are maintained separately from the rest of the patient’s medical record; and (ii) information compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action or proceeding.

The Guidance also emphasized that while the Privacy Rule allows Covered Entities to require individuals to submit requests in writing and verification of the identity of the requestor, the Covered Entity cannot impose unreasonable measures that would become barriers to access.

CONCLUSION

While we have touched upon a number of important issues raised in the Guidance, there is more to know and learn. The OCR has also posted a fact sheet and the first in a series of “frequently asked questions” documents on its website.