The Office for Civil Rights (OCR) released new HIPAA guidance to reiterate key points for individuals’ right of access when it comes to their own health information. OCR also clarified what is considered to be an appropriate fee for making copies of patients’ individual health records.
OCR Director Jocelyn Samuels explained in a blog post that “every individual should be able to easily exercise their right to access their health information,” as this ensures that everyone can be completely engaged in their own healthcare.
The HIPAA Privacy Rule has always allowed individuals to access their own health records, she added, but this is not always fully understood. Through a new set of FAQs, OCR hopes to address common issues, such as the fees individuals may be charged and requests to send their information to a third party.
“HIPAA’s right of access is critical to enabling individuals to take ownership of their health and well-being – but this core right is rendered meaningless when individuals cannot afford to pay the fees,” Samuels wrote. “These new FAQs clarify that individuals can be charged only a reasonable, cost-based fee for the labor and supplies associated with making the copy, whether on paper or in electronic form.”
One of the first points addressed in the FAQ is individuals being charged for copies of their PHI.
According to OCR, this is allowed under HIPAA regulations, although the fee may include only the cost of certain labor, supplies, and postage. Even so, covered entities should provide the copies free of charge.
While covered entities should forgo fees for all individuals, not charging fees for access is particularly vital in cases where the financial situation of an individual requesting access would make it difficult or impossible for the individual to afford the fee. Providing individuals with access to their health information is a necessary component of delivering and paying for health care. We will continue to monitor whether the fees that are being charged to individuals are creating barriers to this access, will take enforcement action where necessary, and will reassess as necessary the provisions in the Privacy Rule that permit these fees to be charged.
OCR also explained that there are limits on the fees that can be charged when an individual tells a covered entity to send his or her PHI directly to a third party. For example, covered entities are prohibited from charging more than a “reasonable, cost-based fee” for the copy, regardless of whether the PHI is going to the individual or directly to a third party.
“We note that a covered entity (or a business associate) may not circumvent the access fee limitations by treating individual requests for access like other HIPAA disclosures – such as by having an individual fill out a HIPAA authorization when the individual requests access to her PHI (including to direct a copy of the PHI to a third party),” stated OCR.
This is important because a HIPAA authorization “requests more information than is necessary or that may not be relevant for individuals to exercise their access rights.” Therefore, requiring such an authorization may be creating unnecessary obstacles for an individual to access his or her PHI.
The OCR guidance also discusses several other specific scenarios that may arise when individuals request access to their PHI, whether for themselves or to be sent to a third party. These include areas such as who has liability should a data breach occur while PHI is in transit and whether there are any exceptions for information to be sent to a third party.
“Like the Access fact sheet and FAQs released last month, this second guidance is aimed primarily at providers, hospitals, and health plans required to comply with the HIPAA Privacy Rule,” Samuels states in the blog post. “We continue to work with our colleagues to produce consumer-friendly resources, including sample communications tools, to encourage patients to access their health information.”