EBIA Weekly Newsletter

OCR Clarifies Flat-Fee Option for Recovering Costs to Copy PHI

   June 2, 2016

FAQ: Is $6.50 the maximum amount that can be charged to provide individuals with a copy of their PHI?; News Release: Clarification of Permissible Fees for HIPAA Right of Access (May 23, 2016)


News Release

HHS’s Office for Civil Rights (OCR) has announced a clarification of the amounts that covered entities (or business associates on their behalf) may charge individuals for access to their own protected health information (PHI). Earlier guidance (see our Checkpoint article) includes three permissible methods for calculating recoverable costs: actual costs to fulfill a specific request; a schedule of average costs to fulfill standard types of requests; or, for electronic copies of PHI maintained electronically, a flat fee not to exceed $6.50.

Responding to questions prompted by the earlier guidance, OCR has issued a new FAQ explaining that the $6.50 flat fee is not the maximum amount that can ever be charged for electronic copies, but rather is an option available to entities that do not want to calculate actual or average costs under the other two permissible methods. For example, OCR notes that entities generally using the average-cost or flat-fee method may receive unusual or uncommon types of requests that they had not considered when setting up their fee structure and, in these cases, may wish to calculate actual costs to provide the requested copy. This is permissible so as long as the costs are reasonable and limited to the type allowed by the privacy rule. Entities choosing to calculate actual costs in these circumstances still must—as in other cases—inform the individual in advance of the approximate fee that may be charged for providing the copy requested.

EBIA Comment: With OCR’s phase 2 audit protocol underway (see our Checkpoint article), covered entities and business associates should take special note of OCR’s continued emphasis on the individual right to access PHI and the recoverable costs associated with that right. As with other aspects of the privacy, security, and breach notification rules, OCR’s updated audit protocol (see our Checkpoint article) can provide a useful self-assessment tool. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.C (“HIPAA Compliance Audits by OCR”) and XXVII.B (“Right to Access PHI in Designated Record Set”).

Contributing Editors: EBIA Staff.