Some HIPAA Processes May Need Some Significant Updates

Sep 19, 2017 at 09:54 am by admin


Providing patients with copies of their medical record is not a new concept for medical practices. However, processes in place for doing so may need some significant updates based on guidance issued by the U. S. Department of Health and Human Services (HHS) in 2016. In this guidance, which is based on 45 CFR § 164.524 of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), HHS reiterates the importance of providing individuals with timely access to their protected health information (PHI) in the form and format requested and, if a fee is imposed, it must be reasonable and cost-based. This guidance was issued in large part due to the number of complaints from patients who could not obtain timely access to their PHI or who could not afford the fees charged for copies.


Form, Format and Manner of Access

HIPAA requires covered entities (medical practices, hospitals, health plans, etc.) to provide individuals access to their PHI in whatever form and format they chose, if the covered entity can produce a copy in that specific form and format. This means that practices must be prepared to handle requests for access in a number of ways, such as saving files on a CD, emailing PHI to the patient or simply providing the patient with a paper copy. The point made in the guidance is that covered entities must accommodate the patient's request unless the PHI cannot be produced readily in the requested format.

According to HIPAA rules, covered entities that maintain PHI electronically must be able to provide an electronic copy at the request of the patient. For practices that maintain PHI in paper charts, there is a requirement to provide an electronic copy, at the patient's request, if it is readily producible in electronic form. For example, if a patient requests that the practice scan their lab results and save them as a PDF on a USB drive, the practice would be required to do so if they have that ability. When an individual requests a paper copy of PHI maintained in either paper or electronic form, HHS expects the covered entity to provide a paper copy.


Requiring a Written Request, Verification, and Unreasonable Measures

Many practices have a written process for patients to request copies of records. HIPAA states that a covered entity may require an individual to make their request for access in writing, but HIPAA does not require a written request. HIPAA does require covered entities to take reasonable steps to verify the identity of the individual making the request for access, but this can be done in a number of different ways. Verification may be done orally or in writing, in person, over the phone or through a patient portal.

The guidance states that the covered entity must not impose unreasonable measures on the individual that could create barriers or unreasonably delay access. For example, a practice may not require an individual who wants a copy of their PHI mailed to their home to physically come into the office to complete a medical records release and provide a photo ID. This would be considered an unreasonable measure and could result in potential penalties. In order to reduce the risk of imposing unreasonable measures, covered entities are encouraged to have multiple options for patients to obtain access to PHI.


Timeliness of Access

Timeliness of providing access is also important. Under HIPAA, the covered entity must provide access no later than 30 calendar days from the date of the request. However, HHS prefers that access be provided as soon as possible. If state law requires a shorter period to provide access, then that time frame must be followed.

Charging for Copies

One of the major points of clarification from HHS is the limitation on fees that can be charged for PHI provided directly to the patient or directed to a third party by the patient. HIPAA states that a reasonable, cost-based fee may be charged for providing individuals a copy of their PHI. Reasonable, cost-based fees may include only:

Labor does not include costs associated with reviewing the request for access, searching for and retrieving the PHI, or segregating or preparing the PHI to be copied. Even if state law allows a retrieval fee, it may not be included in the reasonable, cost-based fee to the patient.

Many medical practices, who choose to charge patients for copies of their PHI, have based fees on those allowed by state law, which are typically set at a per page rate. According to the guidance, most state authorized fees are higher than the reasonable, cost-based fees allowed by HIPAA and therefore may not be used.

HHS would prefer that covered entities provide patients with free access to their PHI, but if a covered entity chooses to charge patients for copies they are limited a reasonable, cost-based fee. Fees must be provided to patients in advance of their request for access. HHS states that, in lieu of calculating the actual cost, a flat fee of $6.50 may be charged to patients for electronic copies of records maintained electronically. If this method is used, it is all-inclusive of labor, supplies and postage.


Third Party Access and Copies

Third parties that request PHI based on a signed authorization by the patient are not subject to the cost-based fee limitations and may be charged based on what state law allows. However, if the patient requests their information be sent directly to a third party, the fee limitations do apply. The patient will be responsible for paying for copies in this case, based on the reasonable, cost-based fee or flat fee rate. If a patient requests that their PHI be sent to a third party, the request must be made in writing and include the patient's signature, the name of the third party, and where the information should be sent (mailing address, email, fax number, etc.).

In order to ensure compliance with HIPAA and the patient's right to access PHI, practices are encouraged to review existing policies and procedures pertaining to access as well as the HHS guidance in its entirety.

The guidance may be found at http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.

For questions regarding patient rights to access and charging for copies of PHI, please contact Loretta Duncan at LorettaD@svmic. com.


© 2017 SVMIC. Reprinted with permission. This article is intended for educational/informational purposes only and is not intended to constitute legal advice.

Loretta Duncan, FACMPE, is a Senior Medical Practice Consultant with SVMIC and specializes in assisting policyholders with HIPAA compliance.

Sections: Business