The Office for Civil Rights (OCR) recently released new guidance and FAQs (OCR Guidance) addressing individuals’ rights to access their protected health information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) set forth at 45 C.F.R. § 164.524. OCR dedicated a good portion of its guidance to permissible and impermissible fees that may be charged to individuals requesting copies of their own PHI. This was seemingly in response to a perceived need for clarification of certain issues, such as what constitutes a permissible labor cost and how to address different state laws.

While HIPAA is typically known for protecting the privacy and security of an individual’s PHI, another key purpose of the law is to provide individuals with access to their health information. OCR takes the position that with more information about their health, individuals will be empowered to take control of their health and well-being.

Permissible Fees

Permissible fees charged to individuals for copies of their PHI may include:

  1. Labor Costs (including preparation of an explanation or summary when agreed to by the individual)
    • According to OCR, there has been some confusion as to what constitutes permissible labor costs. The OCR Guidance indicates that permissible labor costs may include only the labor “for creating and delivering the electronic or paper copy in the form and format requested or agreed upon by the individual, once the PHI that is responsive to the request has been identified, retrieved, or collected, compiled and/or collated, and is ready to be copied.” To the contrary, costs associated with reviewing the request for access to PHI and searching for and retrieving the information are excluded from the costs that covered entities may charge to an individual.
  2. Supply Costs related to the creation of either the electronic or paper copy (e.g., paper, toner, CD, USB drive)
    • The ability to charge for a CD or USB is relevant in the event an individual requests that records be copied to a disc or drive. Covered entities generally will prefer to avoid using a disc or drive provided by the individual, out of concern about virus or malware risks. In these cases, covered entities often will require the information to be provided on a new, secured disc or USB.
  3. Postage Costs when the individual requests the information be mailed.

See 45 C.F.R. § 164.524(c)(4).

The OCR also emphasizes that covered entities may not charge individuals for the cost of system and data maintenance or data storage, or for administrative costs associated with outsourcing the function of responding to individual requests (i.e., if the covered entity contracted with a business associate to respond to such requests and provide copies). OCR further asserts that covered entities utilizing systems that allow individuals to access their PHI through electronic health record (EHR) technology may not charge labor or supply costs.

Methods for Determining Fees

The OCR Guidance describes the ways in which a covered entity may calculate the fees it charges to individuals requesting copies of their PHI. The fees may be the covered entity’s actual costs, its average costs, or a flat fee. When using actual costs, the covered entity’s costs must be reasonable and must be calculated upon each request. Covered entities not wanting to calculate the fees for each individual request may find using average costs to be more suitable. OCR notes that average costs could be charged as a standard rate. Such standard rate could be calculated as a per-page fee, but only where the PHI requested is maintained in paper form and the individual requests a paper copy and/or asks that the hard copy documents be scanned into electronic format. The OCR Guidance highlights that “per page fees are not permitted for paper or electronic copies of PHI maintained electronically.” The OCR is concerned that many states have not updated their laws authorizing such fees to account for efficiencies that exist when generating copies of information maintained electronically. According to the OCR, this has resulted in individuals being charged with fees that do not appropriately reflect the permitted labor costs associated with generating copies from information maintained in electronic form. The third and final method, charging a flat fee, also has its limitations. The flat fee can only be charged for electronic copies of electronically maintained PHI and cannot exceed $6.50. This flat fee restriction is further explained in the updated FAQ published by the OCR on May 24, 2016, which states that covered entities that do not want to calculate a reasonable cost-based fee for individuals’ requests for electronic copies of electronically maintained PHI may simply charge a flat fee of $6.50 for standard requests.

For all of the methods discussed, OCR emphasizes that individuals must be notified in advance of any fees that could be charged for their requests for PHI, at the time the details of the request are being arranged. The OCR considers failing to provide such notice to be a barrier to the right of access and, therefore, potentially a violation of HIPAA. The OCR encourages covered entities to include approximate fee schedules for standard requests on their websites.

The OCR also addresses access by third parties and whether or not fees may be charged under those circumstances, a common point of confusion with regard to the right of access to PHI. OCR asserts that requests by an individual for PHI directly or a request by an individual that PHI be sent to a third party must be treated the same under HIPAA. If, however, a third party initiates the request for PHI, the limitations on copying fees do not apply. Due to this distinction, covered entities should ask whether the request was a direction from the individual or a request from a third party.

Notwithstanding HIPAA’s allowance for the limited fees described above, the OCR Guidance states,

[C]overed entities should provide individuals who request access to their information with copies of their PHI free of charge. While covered entities should forgo fees for all individuals, not charging fees for access is particularly vital in cases when the financial situation of an individual requesting access would make it difficult or impossible for the individual to afford the fee.

While the OCR appears to prefer that copies be provided at no cost, it does not cite to such a requirement under any law; but, rather, proceeds to give the guidance noted above on charging for such copies. OCR does note it will continue to monitor whether fees charged to individuals create barriers to access that OCR views as critical to an individual’s successful health care.

HIPAA vs. State Law

Finally, the OCR Guidance discusses the relationship between HIPAA and state law. The concept of HIPAA preemption comes into play when two contradictory laws address the same issues. When it comes to an individual's right to access his or her own PHI, HIPAA will preempt and “trump” state law when HIPAA provides individuals with greater access to their PHI. Specifically, if there is a state law that allows covered entities to charge higher fees or to limit an individual’s access, HIPAA will preempt that state law.

A good example of the interplay between HIPAA and state law is the Maryland Confidentiality of Medical Records Act (MCMRA) at Health-General § 4-301 et seq., Annotated Code of Maryland. Like HIPAA, the MCMRA permits health care providers to charge individuals certain fees for copies of their health information, defined as their medical record under MCMRA. The specific fees under MCMRA were recently amended in the 2016 legislative session, effective October 1, 2016. 2016 Md. Laws, ch. 724 (effective Oct. 1, 2016). Under the prior law, health care providers originally were allowed to charge 50 cents per hard-copy page (subject to periodic increases for inflation resulting in a current fee of 76 cents per page), the cost of any electronic media (e.g., CD), the cost of postage paid, and a preparation fee of $15, which was updated on an annual basis. Prior to the recent amendment, the $15 preparation fee allowed under Maryland law would have been preempted by HIPAA when the records were requested by an individual seeking his or her own records, as the type of fee OCR views as creating a barrier to access and therefore prohibits.

The amended MCMRA raises the 50-cent per-page fee in the statute to 76 cents (which will continue to increase for inflation). Under the amended MCMRA, the preparation fee of $22.88 (electronic or hard copy) is no longer increased for inflation, and the fee is conditioned on compliance with HIPAA’s provisions governing access by individuals (45 C.F.R. § 164.524) and any other guidance issued by OCR. Accordingly, MCMRA now only permits health care providers to charge a preparation fee if such fee is permitted under HIPAA and, as a result, the laws are not in conflict on this point.

There is, however, one component of the amended MCMRA that could potentially cause some confusion for Maryland providers who are covered entities under HIPAA. Under the amended MCMRA, providers may charge a per-page fee for electronic information that is no higher than 80 percent of the per-page fee for hard-copy documents. However, as noted above, the OCR asserts that HIPAA does not permit per-page fees for paper or electronic copies of PHI requested by an individual when the PHI is maintained electronically, but does permit charging for actual costs, as discussed below. Given that these federal and state laws do not reconcile with respect to electronic PHI, there seems to be some question as to whether Maryland providers that are covered entities under HIPAA may charge the MCMRA’s new per-page fee for paper or electronic copies of PHI maintained electronically when the records request is from the individual seeking access to that individual’s own records.

While MCMRA, as amended, subjects the electronic per-page fee to HIPAA’s limitations within 45 C.F.R. § 164.524, it does not seem to provide guidance for providers who want to charge some other fee for medical records which constitute PHI (as most do) that are maintained electronically. Although the OCR Guidance does not prohibit covered entities from charging actual costs (a per-page fee is considered an average cost) for copies of PHI maintained electronically, MCMRA does not specifically authorize charging of actual costs. Therefore, in order to meet the requirements of both HIPAA and MCMRA, as applicable to individuals requesting their own PHI, it appears Maryland providers subject to HIPAA could charge the permitted electronic per-page fee under MCMRA so long as they cap the total of such charges at their actual costs in compliance with HIPAA, i.e., the lesser of the total per-page fee and the total actual costs. While this approach is not expressly endorsed by HIPAA, the OCR Guidance or MCMRA, it seems to reconcile both laws when an individual requests his or her own PHI that is maintained electronically, such as electronic health records.

Also, it is important to note that other provisions of state law may affect charges that even HIPAA permits. For example, under the MCMRA, Medicaid beneficiaries seeking copies of their medical record, except for an attorney appointed in writing by a person in interest, may only be charged fees up to $20 (which amount is adjusted for inflation) for the first 100 pages. Health-General § 4-304(c)(6), Annotated Code of Maryland. While HIPAA preempts the more general and likely commonly used provisions of the Maryland law, should a Maryland Medicaid beneficiary request copies of his or her medical record and the fees for such copies, as permitted by HIPAA, exceed $20 (as inflated) for the first 100 pages, Maryland law will preempt HIPAA and the individual who is a Medicaid beneficiary will only be required to pay $20 for his or her requested copies.

Maryland is a good example that illustrates HIPAA preemption as there is an MCMRA provision that can turn the tide of preemption the other way in favor of state law.

As noted above, the OCR Guidance is not limited to the issue of copying fees; rather it covers a variety of issues related to an individual’s right of access to his or her PHI. In addition, the level of detail in the guidance and its significant length may signal an area of concern for the OCR regarding covered entities’ compliance with HIPAA’s privacy rules. Covered entities should review their policies and procedures for granting access to individuals’ PHI, including specifically policies and procedures for charging any fees for copies of such information. Such review should include compliance with their states’ parallel laws, and whether they are properly applying the law that provides greater access for individuals. We know that OCR is currently in the early phases of its Phase II audits. Based on the time and effort OCR took to put covered entities on notice regarding its view on individuals’ access to their own PHI and its stated intent to continue reviewing the issue for potential barriers to such access, it is reasonable to expect OCR will include this topic within the scope of such audits and/or more guidance in the future.