HIPAA generally gives patients or their personal representative the right to access or obtain copies of the patient's protected health information ("PHI") in their designated record set1, and limits the amount that providers may charge patients for PHI to a reasonable cost-based fee. (45 CFR 164.524). In February 2016, the OCR issued guidance ("Guidance") which clarifies allowable fees and identifies additional actions providers should take when charging fees. The OCR's Guidance may be accessed here.

Allowable Charges. The OCR confirmed that a provider may only charge the patient or personal representative for the following:

  1. Labor for copying the requested PHI, whether in paper or electronic form. This includes only the labor for actually creating and delivering the paper or electronic copy in the form and format requested or agreed upon by the patient once the responsive information has been identified, retrieved, collected, compiled and/or collated. For example, allowable costs may include photocopying paper PHI; scanning paper PHI into an electronic format; converting electronic PHI in one format to the format requested by or agreed to by the patient; creating and executing a mailing or e-mail with the responsive PHI; and/or uploading, downloading, attaching, burning, or otherwise transferring electronic PHI from a provider's system to portable media, e-mail, app, personal health record, web-based portal (where the PHI is not already maintained in or accessible through the portal), or other manner of delivery of the PHI. (See also 78 FR 5636). Labor for copying does not include costs associated with reviewing the patient's request; searching for, reviewing, retrieving, segregating, collecting, compiling, or otherwise preparing the responsive information for copying; verifying that only information about the requested patient is included; complying with HIPAA; updating or maintaining record systems; etc. (See also 78 FR 5636). Likewise, it does not include administrative or other costs associated with outsourcing record functions to business associates or others beyond the business associate's labor costs described above.
  2. Supplies for creating the paper copy or electronic media. For paper copies, this would include items such as paper and toner. If the patient requests that an electronic copy be provided on portable media, it includes the cost of the electronic media, e.g., a CD or USB drive. A provider may not require a patient to purchase portable electronic media if, for example, the patient prefers to have the PHI e-mailed or a hard copy mailed to the patient. A provider is not required to obtain new technology to respond to a particular patient's request, so the cost of such equipment would not be an allowable cost of supplies. (78 FR 5636).
  3. Postage. If a patient has requested that a copy, electronic media, summary or explanation of the PHI be mailed or delivered through a courier, the provider may charge postage. (78 FR 5636).
  4. Preparing an explanation or summary of the PHI. If a patient agrees in advance to both (1) receive an explanation or summary of the PHI instead of copies of the actual records, and (2) the fees to be charged for the explanation or summary, the provider may charge for its costs in preparing the explanation or summary.

Although providers may charge the foregoing costs, the OCR Guidance concludes that providers "should" provide copies free of charge, i.e., providers are encouraged to provide PHI without charge, but are not subject to penalties if they elect to charge a reasonable cost-based fee as outlined above.

Calculating Costs. Per the OCR, providers may calculate the costs in three ways:

  1. Actual Costs. A provider may calculate and document its actual costs in responding to a request so long as it limits its fees to the allowable costs discussed above, including reasonable labor rates that are appropriate for the task. For example, a provider may time how long it takes for an appropriately skilled employee or business associate to make and send the copy in the form and format and manner requested or agreed to by the patient, and multiply the time by the reasonable hourly rate of the person copying and sending the PHI. The reasonableness of the hourly rate will depend on the level of skill needed to create and transmit the copy in the manner requested or agreed to by the patient (e.g., administrative level labor to make and mail a paper copy versus more technical skill needed to convert and transmit the PHI in a particular electronic format). The provider may also add on the allowable cost of supplies and postage. Providers who track actual costs must still be prepared to inform patients in advance of the approximate fee for the copies. Of course, tracking actual time and costs can be burdensome in routine disclosures.
  2. Average Costs. In lieu of calculating actual costs for each request, providers may develop a schedule of costs based on average, reasonable labor costs to fulfill standard types of access requests, plus the cost of applicable, allowable supplies. The standard rate may be calculated and charged as a per page fee only in cases where the PHI requested is maintained in paper form and the patient requests a paper copy of the PHI or asks that the paper PHI be scanned into an electronic format. Per page fees are not permitted for paper or electronic copies of PHI maintained electronically. The OCR warned that per page fees for copies of PHI maintained electronically likely do not reflect the actual costs associated with the response.
  3. Flat Fee for Electronic Records. A provider may charge a flat fee for all standard requests for electronic copies of PHI maintained electronically, provided the fee does not exceed $6.50, inclusive of all labor, supplies, and any applicable postage.

Accessing Records. Patients have a right to inspect their records in addition to or in lieu of obtaining copies. (45 CFR 164.524). If a patient chooses to inspect his or her records instead of obtaining a copy, providers may not charge the patient a fee. In its Guidance, the OCR states that providers should have reasonable procedures to enable individuals to inspect their records, either through certified EHR technology or otherwise. Also, the provider may not prohibit or charge the patient who, e.g., uses his or her smartphone or other device to take pictures of or capture their PHI. The provider may adopt policies that protect against inadvertent disclosure of other patients' PHI or otherwise disrupts operations. The provider is not required to allow the patient to connect his or her own device to the provider's system.

Emailing Records. The Guidance affirms that patients generally have a right to have PHI e-mailed to the patient upon request, thereby avoiding the cost of supplies; however, providers may still charge for the labor associated with creating and e-mailing the records. If the provider is to e-mail PHI to the patient over an unsecure network, the provider should advise the patient that the information may be subject to access by third parties. (See 78 FR 5634). A provider may not charge a patient a fee to access PHI that is available through the provider's EHR technology which has been certified as being capable of making the PHI accessible, e.g., by using the view, download and transmit functionality of the certified technology. In such cases, the OCR presumes that there are no associated labor or supply costs.

Notice to the Patient. If a provider intends to charge an allowable fee, the provider must inform the patient in advance of the approximate fee that may be charged. Because the permissible fee will vary based on the form and format and manner of access requested or agreed to by the patient, the OCR requires that the provider inform the patient of the associated fees impacting the form or format of production at the time such details are being negotiated or arranged. Although not required by the HIPAA Privacy Rule, the OCR encourages providers to post on their web sites or otherwise make available to patients an approximate fee schedule for regular types of access requests. In addition, if requested by a patient, a provider should give the patient a breakdown of the charges for labor, supplies, and postage, if applicable, that make up the total fee charged. According to the OCR, this information would likely be requested in any action by the OCR in enforcing the patient's right of access, so entities will benefit from having this information readily available.

Disclosures to Third Parties. The amount a covered entity may charge for disclosures to third parties depends on who requests the copies.

  1. Disclosures at the Request of the Patient. If a patient requests that a provider transmit a copy of PHI directly to a third party, the provider must generally do so. (45 CFR 164.524(c)(3)(ii)). The limits on charges discussed above apply to such requests: the provider may only charge the patient, or, presumably, the third party, an allowable cost-based fee for copying and transmitting the records. This rule applies regardless of whether the provider received the request directly from the patient or the patient's personal representative, or the third party forwarded the patient's request to the provider. Thus, it would appear that attorneys, insurers, or other third parties who request records may cap the charges that a provider would normally impose by having the patient instruct the provider to transfer the records directly to the third party. The patient's request to transmit PHI to a third party must be in writing, signed by the patient, and clearly identify the designated recipient and address to which the PHI should be sent. (45 CFR 164.524(c)(3)(ii)). In such cases, a formal HIPAA authorization containing the elements in 45 CFR 164.508 is not required.
  2. Disclosures at the Request of a Third Party. In contrast, where a third party initiates the request for PHI for his or her own purposes, either through a HIPAA authorization, subpoena, or another HIPAA exception, the cap on charges to the patient do not apply. At times, it may be difficult for a provider to determine whether the request is initiated by the patient or the third party, especially when the third party uses a HIPAA authorization form to convey the patient's request. In such cases, the provider may need to clarify with the patient whether the production is at the patient's request. Also, recall that HIPAA generally prohibits selling PHI, which may include charging a third party too much for copies of the records. (See 45 CFR 164.502(a)(5)(ii)). Unless a provider fits within certain exceptions, the provider may either: (i) charge a third party only a reasonable cost-based fee to cover the cost to prepare and transmit the PHI, or (ii) obtain a HIPAA authorization containing the required disclosures regarding the sale of PHI. (See id.; see also id. at 164.508(a)(4)). The Omnibus Rule commentary confirms that a "reasonable cost-based fee" in this context is broader than in requests by individuals, and includes:

both direct and indirect costs, including labor, materials, and supplies for generating, storing, retrieving, and transmitting the protected health information; labor and supplies to ensure the protected health information is disclosed in a permissible manner; as well as related capital and overhead costs. However, fees charged to incur a profit from the disclosure of protected health information are not allowed.

(78 FR 5607). It would also include "costs that are in compliance with a fee schedule provided by State law or otherwise expressly permitted by other applicable law." (Id.). Aside from HIPAA, there may be other state or federal laws or rules that limit charges for such third-party requests. For example, court rules may allow a witness to recover "reasonable fees" for producing records.

Effect of Other Laws. HIPAA preempts state laws that would otherwise allow a provider to charge fees in excess of those allowed by HIPAA, or charge for items not allowed by HIPAA, e.g., the cost of search, retrieval or review. On the other hand, to the extent a state or federal law places more restrictive limits on charges, then providers must comply with the more restrictive state law. (45 CFR 160.202 and 160.203; see also 78 FR 5636). For example, Idaho's workers compensation regulations require providers to provide the first copy of medical reports to the payor and claimants at no charge. (IDAPA 17.02.04.322).

Conclusion. The OIG Guidance contains significant changes or clarifications to the HIPAA Privacy Rules governing patient access to PHI and charges for such records. If you have not done so, you should review your policies and practices to ensure compliance with the new OIG Guidance.