In January, the Department of Health and Human Services Office for Civil Rights (OCR) released a fact sheet and FAQ regarding patients’ right to access their own medical records under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
On February 25, OCR released a second set of frequently asked questions focusing on the HIPAA Privacy Rule’s right of patients to access their own protected health information (PHI). The FAQs focus on access issues including access fees, the scope of information covered by the access right and acceptable formats of accessed PHI.
Many of the questions in the new guidance focus on access fees. The HIPAA Privacy Rule allows covered entities to charge patients a reasonable fee to receive copies of their own PHI. The new guidance acknowledges that covered entities are allowed to charge fees to recoup the cost of labor, supplies and postage, but urges covered entities to voluntarily provide PHI at no cost in the interest of lowering barriers to access. The guidance also reminds covered entities that individuals must be informed of access fees in advance and that OCR regulates how access fees can be calculated, meaning that providing PHI at no cost may actually reduce administrative costs compared to charging an access fee.
The guidance also clarifies what types of costs can be included in calculating the fees. For example, access fees may account for the cost of labor for an employee to photocopy or scan the PHI, but not for the cost of labor for an employee to search for the requested PHI. Additionally, fees may not account for the cost of outsourcing the function of responding to patient requests for PHI.
The new FAQs firmly state that covered entities cannot charge a fee for individuals who wish to view or download their own PHI through a certified electronic health record technology (CEHRT) patient portal. OCR’s reasoning is that the act of accessing PHI through a patient portal doesn’t incur labor or supply costs for the covered entity; therefore, a fee cannot be charged for a patient to use the view, download or transmit function.
The guidance examines even more granular details of access fees. For example, OCR notes that a covered entity cannot charge access fees if an individual wants to simply inspect their own PHI rather than request a copy of that PHI—even if the individual, while inspecting the PHI, “takes notes, uses a smart phone or other device to take pictures of the PHI, or uses other personal resources to capture the information.” Access fees are only permissible if the covered entity itself expends resources to copy or transmit PHI, not if the individual uses their own resources to do so. Another FAQ notes that covered entities are not required to transfer PHI to portable media supplied by an individual (such as a flash drive or writable CD), but, conversely, that covered entities cannot require an individual to purchase a portable media device from the covered entity itself in order to receive PHI.
The guidance dovetails with President Obama’s Precision Medicine Initiative, which uses health information donated by patients to further medical research. OCR cited the need for “robust access to patient data” as one motivation for the guidance, in addition to the need for every patient “to be fully engaged in their care and empowered to make health care decisions that are right for them.”