Recently, there have been several important communications from the Office of Civil Rights (OCR) and the Office of National Coordinator (ONC) regarding patient access to medical information.
OCR FACT SHEET AND FAQs
In January 2016, OCR released a Fact Sheet and the first in a series of FAQs, entitled "Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524.” In a January 7, 2016, blog post, OCR Director Jocelyn Samuels introduced the new Fact Sheet, stating the Individual Right of Access in the HIPAA Privacy Rule “…is critical to enabling individuals to take ownership of their health and well-being….Unfortunately, based on recent studies and our own enforcement experience, far too often individuals face obstacles to accessing their health information, even from entities required to comply with the HIPAA Privacy Rule. This must change.”
The Fact Sheet summarizes the existing HIPAA rules on the right of individuals to access and receive a copy of their protected health information (PHI). It also reiterates the rules (largely stemming from the Omnibus Rule) regarding the form and format of individual requests and access, responding to requests by individuals for a copy of their PHI to be sent to a designated third party, and fees that may be charged for copies of PHI.
On February 25, 2016, OCR released the second set of FAQs regarding this topic (which is combined with the Fact Sheet and found in the link above).
The Fact Sheet and FAQs are detailed and comprehensive. Providers should review the entirety of the guidance from OCR. A brief summary of notable information from the Fact Sheet and FAQs and our analysis of this guidance are provided below.
ACCESS VS. AUTHORIZATION
The FAQs provide the following new guidance on the distinction between access and authorization:
- Covered entities may require that an individual’s request for a copy of his or her own PHI be in writing.
- When an individual directs the covered entity to send the copy of PHI to another designated person, the request must be made in writing, signed by the individual, and clearly identify the designated person and where to send the copy of the PHI.
- Covered entities may require the use of their own forms for these requests for access, provided the form does not create a barrier or unreasonably delay the individual from obtaining access to his or her PHI.
- The FAQs emphasize that covered entities should not use an authorization form for these access requests. The FAQs state: “As explained elsewhere in the guidance, a HIPAA authorization is not required for individuals to request access to their PHI, including to direct a copy to a third party – and because a HIPAA authorization requests more information than is necessary or that may not be relevant for individuals to exercise their access rights, requiring execution of a HIPAA authorization may create impermissible obstacles to the exercise of this right. Where it is unclear to a covered entity, based on the form of a request sent by a third party, whether the request is an access request initiated by the individual or merely a HIPAA authorization by the individual to disclose PHI to the third party, the entity may clarify with the individual whether the request was a direction from the individual or a request from the third party.”
The distinction between what is a request by a patient for a copy to be provided to a third party (which falls under access right) and a request by a third party based on a patient authorization (which does not fall under the access right) seems very unclear even with the new guidance. The FAQs state: “Where the third party is initiating a request for PHI on its own behalf, with the individual’s HIPAA authorization (or pursuant to another permissible disclosure provision in the Privacy Rule), the access [rules] do not apply. However,… where the third party is forwarding – on behalf and at the direction of the individual – the individual’s access request for a covered entity to direct a copy of the individual’s PHI to the third party, the [access rules] apply.” But when is a third party “initiating” a request versus “forwarding” a request from a patient? The FAQs answer: “Where it is unclear to a covered entity, based on the form of a request sent by a third party, whether the request is an access request initiated by the individual or merely a HIPAA authorization by the individual to disclose PHI to the third party, the entity may clarify with the individual whether the request was a direction from the individual or a request from the third party.” While likely challenging for covered entities to analyze every request from a third party for a patient’s medical record, there is a significant risk for not doing so. On March 1, 2016, at the HIMSS16 conference, Deven McGraw, Deputy Director of Health Information Privacy at OCR, stated that she believes requiring a patient to sign an authorization form to access his or her own information is a potential HIPAA violation on the grounds that it may create an unreasonable barrier to access. This is a much more strict view of this issue than has previously been communicated. Covered entities should be aware of the increased focus on this issue by OCR.
SCOPE, TIMELINESS AND OTHER DETAILS OF ACCESS
Regarding various additional details related to access, the FAQs provide the following guidance:
- A covered entity may not require an individual to come physically to a facility to pick up his or her records, insist that an individual submit a request through a web portal or require an individual to give a reason why he or she is requesting access.
- Covered entities must provide an individual with access to all of his or her PHI in the designated record set (DRS), subject to certain limited exceptions (such as psychotherapy notes). Covered entities are not, however, required to create new information, such as explanatory materials or analyses, that does not already exist in the DRS.
- Individuals do not have a right to access PHI that is not in a DRS – such as PHI in a peer review file. But the FAQs reiterate that including PHI in a peer review file (or other file outside of a DRS) does not shield the PHI itself.
- An individual has the right to access PHI that is maintained by a business associate if the business associate maintains a DRS on behalf of the covered entity. The FAQs also note that if the same PHI that is the subject of an access request is maintained in both the DRS of the covered entity and the business associate, the PHI need only be produced once in response to the request for access.
- A covered entity must act on an individual’s request for access no later than 30 calendar days after receipt of the request. If the covered entity is not able to act within this timeframe, the entity may have up to an additional 30 calendar days, as long as it provides the individual – within that initial 30-day period – with a written statement of the reasons for the delay and the date by which the entity will complete its action on the request.
- The FAQs note that “these timelines are outer limits, and it is expected that many covered entities should be able to respond to requests for access well before these outer limits are reached.” Additionally, the FAQs state that if it may take close to these outer time limits to fulfill the request, the covered entity “is encouraged to provide the requested information in pieces as it becomes available, if the individual indicates a desire to receive the information in such a manner.”
Covered entities should ensure that they can provide access to all PHI in a DRS, not just in the “medical record.” The “medical record” is commonly defined by hospitals in a more limited fashion than HIPAA’s broad definition of PHI in a DRS. Obtaining PHI from a business associates will likely not be necessary in many instances when the business associate only has the same PHI as the covered entity or only has PHI that is not in a DRS. It may be a good exercise for covered entities to determine in advance which business associates will have PHI that does not fall within these categories so that they know which business associates to contact to obtain PHI when needed to respond to a request.
The FAQs reiterate and clarify the following issues related to fees that may be charged in response to a request for access:
- Covered entities may to impose a reasonable, cost-based fee to provide an individual with a copy of his or her PHI, or to direct the copy to a designated third party.
- Fees may include only the cost of certain labor, supplies and postage. Labor fees are limited to the reasonable costs associated only with the labor for copying the PHI requested. Labor for copying includes only labor for “creating and delivering the electronic or paper copy” and does not include reviewing the access request, searching for, retrieving and otherwise preparing the information. Individuals may be charged for the costs of supplies for creating the paper copy (e.g., paper, toner) or electronic media (e.g. CD or USB drive); however, a covered entity may not require an individual to purchase portable media as individuals have the right to have their PHI e-mailed or mailed to them upon request. And, the actual cost of postage may be included when the individual requests the information be mailed.
- Covered entities must inform the individual in advance of the approximate fee that may be charged for the copy, including any associated fees that may impact the form, format or manner in which the individual requests to receive the copy.
- Covered entities may (i) use the actual cost, (ii) develop an average standard rate based on schedule of costs for labor or (iii) charge a flat fee provided the flat fee does not exceed $6.50. An average standard rate can be a per page fee only where the request is for a paper copy or the individual asks for the paper to be scanned into an electronic format. The OCR does not consider per page fees for copies of PHI maintained electronically to be reasonable.
- Covered entities may charge patients limited fees for providing copies of PHI but not for access to their PHI. Thus, a covered entity may not charge an individual to access his or her PHI through the View, Download and Transmit functionality of certified EHR technology.
- Coordination with state law in this area is essential. The FAQs reiterate that hospitals must charge the lower of the two rates set by HIPAA and state law. That is, if state law establishes a lower fee for a copy of a medical record then state law applies and HIPAA is preempted; if HIPAA establishes a lower fee then HIPAA applies and state law is preempted. Accordingly, in most cases it will be necessary to calculate the fee both ways to determine which formula yields a lower fee and that fee must be used.
- The fee limitations apply also to requests by an individual for a copy of PHI to be sent to a third party as directed by the individual under the individual’s right of access. But the fee limitations do not apply to requests for PHI from a third party based on a patient authorization.
- A covered entity may not withhold an individual’s PHI on the grounds that the individual has not paid his or her bill for health care services. Further, a covered entity may not apply the fee for a copy of the PHI received from an individual to the individual’s unpaid bill for health care services.
While the interpretation that only labor costs of “copying” the record, when in electronic format, may be included may seems overly restrictive as it does not allow for legitimate labor costs when producing copies of electronic records, OCR has made this interpretation clear and covered entities should ensure that labor costs for producing an electronic copy of PHI do not include costs of searching for, retrieving, and otherwise preparing the copy. Additionally, it is especially important to review state law on medical records fees. Because either HIPAA or state law can apply (whichever is less expensive), covered entities have little choice but to calculate the costs under each formula and then use whichever is lower.
ONC DATA BRIEF
In October 2015, the ONC released Data Brief 30 Trends in Consumer Access and Use of Electronic Health Information. That Data Brief is an interesting look at the metrics of patient access activity, providing national estimates of consumers’ access and use of their electronic health information based upon nationally representative surveys conducted from 2012 to 2014.
Information from the Data Brief shows that individuals utilizing electronic access to their medical records increased significantly – from 28 percent to 38 percent – from 2013 to 2014.
Approximately one-third of individuals who accessed their information electronically downloaded information from their online medical record in 2014, similar to the rate in 2013. In 2014, 33 percent of individuals used their online medical records to share information with at least one other party (e.g., family member, health care provider, someone else involved with their care), which was down from 44 percent in 2013. In both 2013 and 2014, about one in ten individuals used their online medical records to transmit their data to another system, such as a PHR or app.
Related to the concerns expressed by OCR in this area, the Data Brief notes that 27 percent of individuals either didn’t believe they had a right or were unaware of their right to an electronic copy of their medical record.
The online HIPAA compliance program sponsored by Bricker & Eckler and INCompliance, will be revised to reflect OCR’s updated guidance. Information about the program can be found here. Comprehensive HIPAA information is available in our HIPAA Resource Center.