Recently, there have been growing indications that patients, attorneys and the government are fed up with the fees that providers charge when patients request access to or copies of their medical records. Providers who do not understand the type of request being made and the fee rules that apply under state and federal law can become the subject of a patient complaint, government investigation or even a lawsuit for inhibiting a patient’s right to access medical records. If found to have charged unlawful fees, providers could incur costly fines, penalties or judgments. Unfortunately, the regulatory requirements that apply to medical record requests have become increasingly complex, and understanding the interplay of state and federal law can be challenging. This has led providers to question: Am I charging the correct fees?

Fees for Patient Requests Versus Third Party Requests Under HIPAA

Historically, there has been confusion regarding what fees covered entities may charge when responding to patient requests for access to records. This is evidenced by the fact that the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”), the agency charged with Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) enforcement, released guidance multiple times in 2016 to help clarify the right of access and explain what fees are permitted. For more information generally on the patient right of access under HIPAA and what may be included in a reasonable and cost-based fee, please refer to our prior blog posts here and here.

It is important to note that HIPAA treats requests as patient access requests regardless of whether they are received directly from the patient or from a third party. When a request does not come directly from the patient, the key factor in the determination is whether the request is directed by the patient or simply pursuant to the patient’s authorization. When the access request is forwarded to the covered entity by a third party on behalf and at the direction of the individual, the fee limitations under HIPAA apply to that request. In such circumstances, the covered entity may only charge a reasonable, cost-based fee covering certain labor, supply and postage costs outlined in the regulations. This limitation applies regardless of who the third party is, e.g., a family member, an attorney, a government agency, etc.

In contrast, if a third party initiates a request for records on its own behalf, either with the patient’s authorization or pursuant to another permissible disclosure provision in the HIPAA regulations, HIPAA’s reasonable cost-based fee limitations do not apply.

How State Law Fits In

Assessing preemption between state law and HIPAA has become increasingly complicated, contributing to the issue of providers unwittingly charging patients improper fees. Generally, with respect to patient access, HIPAA will preempt state law where the HIPAA regulations provide for a greater right of access to records, and will not preempt state law when state law provides for a greater right of access.

Applying this principle to permissible fees, it means that whichever law provides lower cost access to records will control. However, because the laws may be set up utilizing different mechanisms for the calculation of fees, the preemption analysis does not take a one-size-fits-all approach and may change based on the facts and circumstances surrounding the request.

For example:

  • If state law requires health care providers to provide one free copy of a patient’s medical record, HIPAA does not preempt that state law and one free copy must be provided before any fees may be charged.
  • State laws often include a per-page permissible fee schedule for the copying and distribution of medical records. For a simple request, the state law per-page fee schedule amount may be less than the HIPAA reasonable, cost-based fee amount. In such a circumstance the state fee schedule amount should be charged. However, for a more complicated request, the HIPAA reasonable, cost-based fee amount may be less than the state-authorized fee schedule amount and in such circumstances the HIPAA fee amounts should be charged.
  • If state law sets a maximum fee amount (e.g., $5.00) which is less than the HIPAA flat fee amount ($6.50), then the provider would be prohibited from charging the HIPAA flat fee.
  • If state law requires that certain requests from third parties pursuant to a patient authorization be treated the same as requests received directly from a patient, the HIPAA fee limitations set forth above may also apply to such third party requests. For example, a recent Wisconsin Supreme Court case ruled that attorneys who request medical information regarding their own clients pursuant to an authorization are to be charged the same fees as the patient would be if making the request directly. For more information on the case, please refer to our blog post here.

Recent Enforcement Activity

Recent activity indicates that OCR will likely be stepping up its enforcement of patient access rights. Complaints regarding appropriate patient access have long been some of the most routine HIPAA complaints received by OCR. As of June 30, 2019, the enforcement highlights on OCR’s website indicated that patient access complaints currently rank third among the most investigated HIPAA compliance issues. Additionally, OCR has recently indicated that the patient right of access is going to be a renewed area of focus. Under what it has dubbed the “Right of Access Initiative,” OCR promised to “vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged.” Given OCR’s repeated efforts to educate covered entities on appropriate fees through its published guidance materials, and the continuing prevalence of complaints, it is not surprising that this has become an area of particular interest for OCR.

While historically patient access complaints have not generally invoked the fines and penalties that other types of HIPAA compliance issues have, that pattern is changing. Fines and penalties will likely become a more commonplace tool for enforcing compliance with the patient access requirements. OCR is now requesting information regarding a covered entity’s financial status as part of its standard investigation into access complaints. Additionally, on September 9, 2019, OCR announced its first settlement in the Right of Access Initiative. In that enforcement action, a Florida hospital paid $85,000 to OCR and adopted a corrective action plan to settle a single complaint by a mother regarding timely access to records regarding her unborn child, which were supplied nine months after her initial request. See more information here.

Additionally, the right of access may be enforced by entities other than OCR. The Health Information Technology for Economic and Clinical Health (“HITECH”) Act gave State Attorneys General the authority to bring civil actions, obtain damages and seek injunctive relief on behalf of state residents for violations of HIPAA. Additionally, where state law provides for a right of access, the state agencies charged with enforcing such laws and regulations (e.g., the state departments of health or provider examining boards) may investigate and potentially penalize providers for non-compliance.

Finally, while HIPAA does not provide a private right of action, various class action lawsuits have been brought in recent years in multiple states focusing on appropriate medical record fees. In such cases, the plaintiffs generally allege that the providers, or in some cases the providers’ contracted record access companies, have improperly charged patients for access to their medical records in violation of federal and state law. These cases demonstrate the potential for providers to face liability directly from patients in addition to fines and penalties from government agencies. In one such case, a Wisconsin health system and a third-party records management company recently agreed to pay $35.4 million to settle a class action lawsuit alleging that the system overcharged for medical record requests.

Practical Takeaways

Understanding current state and federal law, and staying informed of changes through legislative action, regulatory guidance or jurisprudence, is imperative to ensuring that patients are being charged appropriate fees for medical record requests. Because of the recent renewed focus on patient access to medical records, health care providers should review their release of information processes and revise them as necessary to address changing legal requirements or regulatory clarifications. To ensure compliance with the applicable federal and state medical record access requirements and fee limitations, providers should consider the following:

  • Review fee schedules or calculators to ensure that they are compliant with both federal and state law regarding permissible charges and time frames for responding.
  • Ensure that staff charged with responding to record requests receive appropriate education and training on what types of requests they may receive and which fee limitations apply to such requests to ensure that regulations are being followed in every circumstance.
  • If your organization is using the same form for patient access requests as it does for patient authorizations for third party access to records, consider utilizing two separate forms to provide clarity to staff regarding what type of request is being made and which fees will apply.
  • If it is unclear whether a request is an access request initiated by the patient or a third party request authorized by the patient, clarify with the patient. Oftentimes, lawyers and others seeking patient information will have their client-patients sign form request letters. These requests may come on business letterhead and include a cover letter giving it the appearance that it is a third party request when it is actually drafted as a request coming directly from the patient and directing the records be sent to the third party. Covered entities are urged to be cautious when responding to such requests to ensure that they apply the applicable fee limitations as required by law.
  • If your organization contracts with a third-party business associate to provide medical record access services, review contract language, statements of work and fee schedules to assess legal compliance and financial risk.