On Jan. 7, 2016, the Office for Civil Rights (OCR) issued new guidance (Guidance) on the right of individuals under the HIPAA Privacy Rule to access their protected health information (PHI). In the Guidance, the OCR indicated that, based on its enforcement experience, many individuals are having difficulty obtaining such access, even as evolving technology and new treatments make it important for individuals to have ready access to their PHI.
The Guidance was issued in an effort to provide clarifications on various aspects of the right to access PHI. The clarifications provided by the OCR address the permissible charges for providing medical records to patients, submission of requests to access PHI, the manner for providing access to PHI, whether PHI may be sent to individuals via unencrypted e-mail and various other questions regarding this right.
With respect to charges for medical records, the Guidance reminded covered entities that it is permissible to charge a reasonable, cost-based fee if the individual requests a copy of the medical records provided such fee includes only the cost of:
- labor for copying the requested PHI;
- supplies for creating the paper copy or electronic media (e.g., CD), if the individual requested that the electronic copy be provided on portable media;
- postage, if the individual requested that the records be mailed; and
- preparation of an explanation or summary of the PHI, if agreed to by the individual.
The Guidance noted that charges for the records may not include costs associated with verification, documentation, searching for or retrieving the PHI, maintaining systems, recouping capital for data access, storage or infrastructure, or other costs not permitted under the Privacy Rule, even if such costs are allowed under state law. The Guidance also emphasized that a covered entity may not deny an individual access to PHI because the individual has not paid the bill for the services provided by the covered entity.
Given the importance of the individual’s ability to have ready access to PHI, the Guidance emphasized that although the Privacy Rule allows covered entities to require that individuals submit requests to access PHI in writing, and mandates verification of the identity of the requestor, a covered entity cannot impose unreasonable measures on requests for PHI access that create barriers to access.
For example, a physician practice cannot require an individual who asked that a copy of her medical record be mailed to her house to physically come to the physician’s office to request access and provide proof of identity in person. Similarly, covered entities cannot require use of a web portal for requesting access, because not everyone has easy access to the portal. The OCR also noted that a covered entity may not require an individual to mail an access request, because this would unreasonably delay the provider’s receipt of the request and the individual’s access to PHI.
The Guidance also noted that access to PHI must be provided in the manner requested by the individual and that an individual may request to receive the PHI via mail or e-mail. With respect to e-mail, the OCR clarified that individuals may receive a copy of their PHI by unencrypted e-mail and that it is expected that all covered entities have the capability to transmit PHI by e-mail, except in limited cases where e-mail cannot accommodate the file size of the requested documents.
The OCR noted that if an individual requests that PHI be sent to the individual via unencrypted e-mail, the covered entity needs to warn the individual that there is a risk that the PHI could be accessed by a third party while in transit, and confirm that the individual still wants to receive her PHI by unencrypted e-mail. If, after receiving such a warning, the individual still requests that PHI be sent via unencrypted e-mail, the covered entity must comply with the request. While an individual can choose to receive copies of her PHI by unsecure methods, a covered entity cannot require an individual to accept unsecure e-mail in order to receive access to PHI.
The Guidance also clarified that while covered entities must adopt reasonable safeguards in implementing the individual’s request (e.g., using the correct e-mail address), covered entities are not responsible for a disclosure of PHI while in transmission to the individual when the individual requested to receive the PHI in an unsecure manner after being warned of, and accepting, the risks associated with the unsecure transmission.
The right to access PHI is an important right granted to individuals under HIPAA and is a common cause of privacy complaints to the OCR. Covered entities would be well served by carefully reviewing the Guidance and confirming that their PHI access policies and procedures are consistent with the clarifications outlined in the Guidance.