Through a series of releases in the first half of 2016, HHS Office for Civil Rights (“OCR”) issued guidance on the individual right of access to protected health information (“PHI”) provided under HIPAA. One topic with significant potential impact is the fee limit for providing copies of PHI and when that limit applies. Although the OCR guidance is not binding law, it gives insight into OCR’s stance on this element of HIPAA, including the position OCR likely will take in responding to complaints on this issue. To minimize risk, covered entities and business associates should become familiar with HIPAA’s requirements and restrictions related to the individual right of access and consider revising their HIPAA policies and procedures to align with OCR’s recent guidance.
Background: Limitation on Fees
The HIPAA Privacy Rule provides individuals with a right to access and obtain a copy of their PHI maintained in a designated record set, with limited exceptions (the “Right of Access”). HIPAA generally requires that a covered entity or business associate (collectively, “CE/BA”) act on a Right of Access request within 30 days, and limits the fees that the CE/BA may charge to fulfill the request. In the recent guidance, OCR has clearly indicated its position that fees charged by a CE/BA must not create a barrier to an individual’s Right of Access, going so far as to suggest that a CE/BA “should provide individuals who request access to their information with copies of their PHI free of charge” and stating that OCR will “take enforcement action where necessary” if it determines that fees are creating barriers to access.
How to Calculate Permitted Fees
The OCR guidance also describes how permissible fees may be calculated. Specifically, OCR has elaborated both on the formulas that may be used and on what costs may be included in the calculations.
Per OCR, fees may be calculated in one of three ways, and which options are available depends in part on the format in which the records are maintained and requested:
- Actual Cost: CE/BAs have the option to calculate the actual cost for each request, regardless of the form or format in which the records are stored or requested. The actual cost must be “reasonable” and may include only the actual labor required to fulfill the request (discussed below), combined with supply and postage costs, if applicable.
- Flat Fee: A CE/BA may charge a flat fee of a maximum of $6.50 “for all requests for electronic copies of PHI maintained electronically. . . inclusive of all labor, supplies, and any applicable postage.”
- Average Cost: CE/BAs may also develop a fee schedule based on the “average labor costs to fulfill standard types of access requests” (again limited to the permitted activities discussed below), combined with applicable supply and postage costs. However, and of special note, OCR has expressly said that “[p]er page fees are not permitted for paper or electronic copies of PHI maintained electronically,” even if permitted by state law.
In addition to specifying the method of calculation, OCR limits what may be included as a “labor cost” in calculating charges for copies of PHI provided under the Right of Access. Specifically, OCR has said that the labor that may be counted toward calculating a fee includes “only labor for creating and delivering the electronic or paper copy in the form and format requested or agreed upon by the individual, once the PHI that is responsive to the request has been identified, retrieved or collected, compiled and/or collated, and is ready to be copied.” This means that the “fee may not include costs associated with verification; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; or other costs not listed above even if such costs are authorized by State law.”
When Fee Limits Apply
One of the most challenging aspects of applying the OCR guidance in actual practice may be determining when the fee limits apply. OCR has indicated that “[the fee] limitation applies regardless of whether the individual has requested that the copy of PHI be sent to herself, or has directed that the CE/BA send the copy directly to a third party designated by the individual (and it doesn’t matter who the third party is).” While perhaps simple enough in isolation, OCR goes on:
This is true regardless of whether the access request was submitted to the [CE/BA] by the individual directly or forwarded to the [CE/BA] by a third party on behalf and at the direction of the individual (such as by an app being used by the individual). . . . In contrast, third parties often will directly request PHI from a [CE/BA] and submit a written HIPAA authorization from the individual (or rely on another permission in the Privacy Rule) for that disclosure. Where the third party is initiating a request for PHI on its own behalf, with the individual’s HIPAA authorization (or pursuant to another permissible disclosure provision in the Privacy Rule), the access fee limitations do not apply.
However, as described above, where the third party is forwarding – on behalf and at the direction of the individual – the individual’s access request for a [CE/BA] to direct a copy of the individual’s PHI to the third party, the fee limitations apply.
Thus, the OCR guidance blurs the lines between a Right of Access Request and a HIPAA Authorization. The guidance appears to differentiate the two concepts by focusing on the origin of the request for PHI—i.e., whether the third party initiated the request on its own behalf or whether the individual initiated the request. However, this does little to help a CE/BA respond to an ambiguous third-party request. HHS-OCR acknowledges that CE/BAs may find this distinction difficult to make but offers little guidance to CE/BAs tasked with distinguishing actual requests:
Where it is unclear to a [CE/BA], based on the form of a request sent by a third party, whether the request is an access request initiated by the individual or merely a HIPAA authorization by the individual to disclose PHI to the third party, the entity may clarify with the individual whether the request was a direction from the individual or a request from the third party. OCR is open to engaging with the community on ways that technology could easily convey this information.
This clarification would be in addition to the already-required verification of the identity and authority of a requestor where the “identity or any such authority of such person is not known to the [CE/BA].”
CE/BAs may think that defaulting to an Authorization for every release of PHI, whether to or from a third party or the individual, would solve the issue. Indeed, it is not uncommon for CE/BAs to take this approach, especially since HIPAA provides that, “when an individual initiates the authorization,” the required statement of purpose in the Authorization may be fulfilled by stating that the purpose is “at the request of the individual.” However, the OCR guidance eliminates this approach as a policy option:
As explained elsewhere in the guidance, a HIPAA authorization is not required for individuals to request access to their PHI, including to direct a copy to a third party – and because a HIPAA authorization requests more information than is necessary or that may not be relevant for individuals to exercise their access rights, requiring execution of a HIPAA authorization may create impermissible obstacles to the exercise of this right.
What OCR fails to consider, or perhaps disregards, is the financial and operational burden on a CE/BA that can attend the production of extensive copy requests, especially when the copy is (in reality) being requested for a third party. CE/BAs may find that the fee options delineated by OCR fall far short of covering the real cost that they (or their copy vendors) face in fulfilling such a request. While OCR specified that a CE/BA “may not circumvent the access fee limitations by treating individual requests for access like other HIPAA disclosures,” OCR did not offer similar protection for CE/BAs in the reverse scenario: i.e., when a third party should submit an Authorization but instead instructs an individual to make a Right of Access request directing the PHI to the third party. CE/BAs are likely to have little recourse when presented with such requests, and this type of manipulation of the request process can result in further financial and resource strain on already-burdened health care providers.
Suggested Policy & Procedure Revisions
To improve the ability to appropriately respond to requests for PHI, CE/BAs should consider the following revisions to their HIPAA policies and procedures:
- Implement a strong verification policy. CE/BAs should include provisions in their verification procedures that provide for determining the genesis of a request in addition to ensuring a clear understanding of the identities and authority of both the requestor and the recipient so that the CE/BA may apply the correct approach to processing the request.
- Revise policy on authorizations. CE/BAs should remove policy and procedure provisions that require an Authorization for every disclosure and instead assess each request as it arrives to determine the appropriate response. They should also limit the requirements they impose to fulfill a Right of Access request where the PHI is directed to a third party to simply that the request be “in writing, signed by the individual, and clearly identify the designated person and where to send the copy of [the PHI].”
- Review fee structure and revise if necessary. CE/BAs should review the fee structure that they are applying to Right of Access requests, especially in light of the limits on permitted labor costs and per-page fees for copies of PHI maintained electronically. CE/BAs should specify how fees are calculated and what labor may (and may not) be included, and should ensure that fee calculations appropriately take into consideration the form and format of both the stored PHI and the requested copy.
The OCR guidance released over the course of the year has grown and evolved and may yet be further revised or refined. Although we have not yet seen OCR enforcement actions taken in response to complaints on fees, complaints of non-compliance have been filed with OCR on this topic. Perhaps the greatest risk to a CE/BA is of a complaint drawing attention to the CE/BA’s HIPAA compliance more broadly. To minimize risks, CE/BAs should consider revising their policies and procedures—and implementing them in daily practice—to guard against potential complaints, investigations, and penalties for noncompliance.