On February 25, 2016, the Office of Civil Rights (OCR) released a set of FAQs directed at healthcare providers and plans that are required to comply with the HIPAA Privacy Rule (the Privacy Rule). The guidance emphasizes that any fees charged for access to or copies of patient information must be “reasonable and cost-based” and specifically addresses what this means in terms of labor and supplies. Healthcare entities should be aware of the new guidance and ensure that any fees charged for copies of records are “reasonable and cost-based” even if state law permits a higher charge.

The Privacy Rule confers certain rights on individuals, including the right to access their protected health information (PHI), and permits a covered entity to impose a reasonable, cost-based fee to provide the individual with a copy of his or her PHI. This fee may include only the cost of labor for copying the PHI, supplies for creating the paper copy or electronic media (if the individual requests an electronic copy on portable media), postage (when the individual has requested that the PHI be mailed) and labor to prepare an explanation or summary of the PHI (if the individual in advance both chooses to receive the explanation or summary and agrees to the fee associated with the preparation). The fee may not include costs associated with verification of the requestor, documentation, search and retrieval, maintenance, storage or other costs.

The guidance clarifies that labor for copying only includes labor for creating and delivering the electronic or paper copy in the form or format requested or agreed upon by the individual. Labor for copying does not include costs associated with reviewing the request for access or search or retrieval, or segregating or otherwise preparing the PHI that is responsive to the request. The guidance explains that supplies include the costs for creating the paper copy of the PHI such as paper and toner or the cost of the electronic media such as a CD or USB drive. The OCR further notes that a covered entity may not require an individual to purchase portable media and that individuals have the right to have their PHI emailed or mailed upon request.

Going one step further, in the FAQ, OCR encourages covered entities to provide access free of charge, particularly for those individuals of limited means. OCR explains that where an individual requests or agrees to access his or her PHI through the provider’s electronic health record technology, health care providers may not charge a fee. OCR guidance also prohibits covered entities from passing on to individuals the costs of outsourcing the copying of PHI to business associates. OCR notes that many states with authorized fee structures have not updated their laws to account for the increased efficiencies that exist when creating copies of PHI that is stored electronically. To the extent state laws allow covered entities to charge more than is permitted under HIPAA, they impede an individual’s access to his or her PHI.

The guidance provides three methods by which a covered entity may calculate the “reasonable, cost-based fee” for copies of PHI:

  1. Actual costs: A covered entity may calculate actual labor costs to fulfill the request, as long as the labor included is only for copying and the labor rates used are reasonable for such activity.
  2. Average costs: A covered entity can develop a schedule of costs for labor based on average labor costs to fulfill standard types of access requests so long as they are permitted by the Privacy Rule and are reasonable. Per page fees are not permitted for paper or electronic copies of PHI maintained electronically.
  3. Flat fee for electronic copies of PHI maintained electronically: A covered entity may charge individuals a flat fee for all standard requests for electronic copies of PHI maintained electronically, provided that the fee does not exceed $6.50, inclusive of all labor, supplies, and any applicable postage. This fee cap is new and is not mentioned in the HIPAA Privacy Rule.

OCR promises to monitor how the fees covered entities charge affect individuals’ right to access and to take enforcement action where necessary. Moreover, OCR may reassess the Privacy Rule provisions that permit fees to be charged in the first place. Healthcare providers and plans should examine their policies on medical record copying and access, including their HIPAA policies, to confirm that they conform to the OCR’s directives and if not, they should revise them accordingly.