By Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure – #HCdeJure
A patient contacts their physician’s office and asks for a copy of their medical record. The expected response would seem to be obvious. Sure, we will copy the record and send it to you shortly. Not only will the record be sent, but it will be sent in an easily accessible format and exactly as requested.
The reality is a bit more complicated. When a patient asks for their record, the outcome is not so straightforward, with factors such as timing, cost, and others influencing the response. The variability occurs despite the right under HIPAA for an individual to request access to their medical record.
Pursuant to the HIPAA Privacy Rule, an individual may request access to their medical record, including receiving a copy. However, the right to access is not absolute. A provider can deny access to psychotherapy notes and information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative proceeding. If an individual gets past these hurdles, then the Privacy Rule allows a copy to be requested in a form and format identified by the individual. Specifically, if the provider maintains the medical record electronically, then the record must be provided in an electronic format as well, if so requested.
That is all well and good, but a major sticking point has become the fee that can be charged for the copy. The Privacy Rule does explicitly allow a fee to be charged, but it must be a reasonable, cost-based fee. The Privacy Rule identifies the following four factors as what may be included in the fee: (i) labor for copying the medical record, (ii) supplies, whether paper or electronic, for creating the copy, (iii) postage, and (iv) preparing an explanation or summary, if requested by the individual. Only those four elements are permissible under HIPAA. That would seem to settle the issue, but complaints are widespread about fees that get charged.
To alleviate the issue, the Office for Civil Rights at the federal Department of Health and Human Services tried to clarify the matter through an FAQ. The FAQ was initially released in January, but confusion resulted in an update being posted on May 23rd. OCR’s position suggests that as medical records become increasingly electronic the fee for a copy should keep decreasing. If the medical record is electronic, then preparing a copy would theoretically require a minimal amount of effort. OCR explicitly states in the FAQ that even though a fee is permissible, “covered entities should provide individuals who request access to their information with copies of their PHI free of charge.” That is an ideal goal, but unlikely to occur, at least for now.
So if a fee can be charged, what is reasonable? The answer depends on how the covered entity wants to calculate the permissible costs. OCR offered the ability for a flat fee to be charged, but stated that that fee could not exceed $6.50. The $6.50 is only a cap when a flat fee is charged, though. If a covered entity wants to calculate per request, then the fee could be higher. The key to determining a permissible fee is not including costs that HIPAA does not allow. Those costs include the cost of reviewing the request, searching for and retrieving the requested information, and preparing a summary if not so requested.
Lastly, what happens if state law allows a different fee to be charged? Determining what fee can be imposed will turn upon which law results in the lesser fee. HIPAA, as a federal law, is the law of the land. If state law allows a cost that is the same or less than HIPAA, then the state law will control. By contrast, if state law tries to enable a covered entity to include costs not allowed by HIPAA, then the state law would be overridden. This is seemingly simple, but there are as many variations as there are states when it comes to what fees can be charged from the state perspective.
As with many things in healthcare and where regulations come into play, the rules of the game are not necessarily clear. A seemingly simple matter can become convoluted. However, those issues can be addressed by reviewing the applicable regulations and introducing some common sense.
About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Matt advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute. This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.