Questions and Answers About HIPAA’s Access Right
Building on guidance issued earlier this year (see our Checkpoint article), OCR has issued additional Q&A guidance on individuals’ rights when accessing or obtaining copies of their own protected health information (PHI) under HIPAA. Highlights include—
- Charging for Copies. OCR identifies just four categories of recoverable costs: (1) labor for creating and delivering paper or electronic copies; (2) supplies for creating paper copies or furnishing electronic media (if the individual requests copies on portable media); (3) labor for preparing an explanation or summary of PHI (if the individual chooses to receive the explanation or summary and agrees in advance to pay the applicable fee); and (4) postage if the individual requests that materials be mailed. Noting ongoing confusion, OCR emphasizes that labor costs to search for, retrieve, and prepare responsive information are not recoverable. Moreover, if responding to requests is outsourced to a business associate, a covered entity cannot recover the associated administrative costs. Notably, no fee may be charged when an individual merely inspects PHI without asking the covered entity to make copies.
- Calculating Fees. Covered entities must inform requestors in advance of the approximate fee for the requested copies (including any associated fees that may affect the form, format, and manner in which an individual requests PHI) and should make available a fee schedule for typical access requests. Covered entities must be prepared to provide itemization of charges to individuals, on request, or to OCR in an investigation. Charges are limited to a “reasonable, cost-based fee,” which can be calculated using one of three methods: (1) actual cost; (2) average cost, based on a schedule of average labor costs for standard types of requests plus supply costs; or (3) a flat fee for electronic copies, not to exceed $6.50 per request. Note that per-page fees are not permitted for copies of PHI maintained electronically.
- Right to Send PHI to Third Parties. The guidance elaborates on an individual’s right to instruct a covered entity to send PHI directly to a third party, stating that the same timeliness requirements, fee limitations, and form and format mandates apply as when PHI is provided to the individual. In contrast, when a third party requests copies of PHI on its own behalf—for example, pursuant to an authorization—these requirements do not apply. Since different rules apply to authorizations and access requests, it is important for covered entities to understand the nature of a request. And OCR warns that covered entities (or business associates) cannot circumvent the access requirements by requiring individuals directing PHI to a third party to complete an authorization.
- Security. Covered entities may rely on written information provided by an individual to verify that a designated third party is an authorized recipient—but they must implement reasonable safeguards in carrying out the request, such as correctly entering third-party email addresses in their systems. Covered entities must safeguard PHI in transit and are responsible for breach notification if a breach occurs—unless the individual, after receiving a warning and accepting the risks, requests that PHI be sent to the third party in an unsecure manner (such as unencrypted email). Breach notification is required only for unsecured PHI: if the PHI involved was rendered unusable, unreadable, or indecipherable using HHS-specified technologies and methodologies (for example, encryption that meets the HHS guidance), the covered entity is not required to provide breach notification (the Q&A guidance links to HHS’s webpage on the breach notification rule).
EBIA Comment: The guidance addresses practical considerations not specifically covered in the final regulations (see our Checkpoint article), including a table comparing requests for access with disclosures pursuant to authorizations. Covered entities should review the guidance and check their policies and procedures for compliance. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXVI.E (“Uses and Disclosures Requiring Individual Authorization”) and XXVII.B (“Right to Access Own PHI”). You may also be interested in our recorded webinar “HIPAA Basic Training: Get Your Privacy and Security Compliance on Track for 2016,” as well as our intermediate-level HIPAA privacy and security seminar (live in Portland on April 22, Dallas on May 6, Minneapolis on May 20, Chicago on June 10, and Baltimore/DC area on September 30).
Contributing Editors: EBIA Staff.