A patient requests a copy of her medical record, and the hospital charges the per-page amount permitted under state law. Does this violate HIPAA? It may.

In the spring of 2016, the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services, the agency that enforces HIPAA, issued a new guidance document on individuals’ right to access their health information under HIPAA (“Access Guidance”). The Access Guidance reminds covered entities that state laws that provide individuals with a greater right of access (for example, where the state law requires that access be given within a shorter time frame than that required by HIPAA, or allows individuals a free copy of medical records) preempt HIPAA, but state laws that are contrary to HIPAA’s access rights (such as where the state law prohibits disclosure to an individual of certain health information, like test reports) are preempted by HIPAA.

For New Jersey physicians, for example, this means they may not automatically charge $1.00 per page or $100.00 for a copy of the entire medical record, whichever is less, despite the fact that the New Jersey Board of Medical Examiners (“BME”) expressly permits these charges. In fact, according to the Access Guidance, physicians should not charge “per page” fees at all unless they maintain medical records in paper form only. New Jersey physicians also may not charge the “administrative fee” of the lesser of $10.00 or 10% of the cost of reproducing x-rays and other documents that cannot be reproduced by ordinary copying machines. Instead, a New Jersey physician may charge only the lesser of the charges permitted by the BME or those permitted under HIPAA, as described below.

HIPAA limits the amount that covered entities may charge a patient (or third party) requesting access to medical records to only a “reasonable, cost-based fee to provide the individual (or the individual’s personal representative) with a copy” of the record. Only the following may be charged:

(1) the reasonable cost of labor for creating and delivering the electronic or paper copy in the form and format requested or agreed upon by the individual, but not costs associated with reviewing the request, searching for or retrieving the records, and segregating or “otherwise preparing” the record for copying;  

(2) the cost of supplies for creating the paper copy (e.g., paper, toner) or electronic media (e.g., CD or USB drive) if the individual requests the records in portable electronic media; and  

(3) actual postage costs, when the individual requests mailing. 

The fee may also include the reasonable cost of labor to prepare an explanation or summary of the record, but only if the individual, in advance, chooses to receive an explanation or summary AND agrees to the fee to be charged for the explanation or the summary.

A provider may calculate its actual labor costs each time an individual requests access, or may develop a schedule of costs for labor based on the average (and HIPAA-permitted types of) labor costs incurred in fulfilling standard types of access requests. However, a provider is NOT permitted to charge an average labor cost as a per-page fee unless the medical record is: (1) maintained in paper form; and (2) the individual requests a paper copy or asks that the paper record be scanned into an electronic format. Thus, under HIPAA, a per-page fee is not permitted for medical records that are maintained electronically. As stated in the Access Guidance, “OCR does not consider per page fees for copies of … [protected health information] maintained electronically to be reasonable” for purposes of complying with the HIPAA rules.

A provider may also decide to charge a flat fee of up to $6.50 (inclusive of labor, supplies, and any applicable postage) for requests for electronic copies of medical records maintained electronically. OCR explains that the $6.50 is not a maximum, simply an alternative that may be used if the provider does not want to go through the process of calculating actual or average allowable costs for requests for electronic copies.

OCR has identified compliance with “individual access rights” as one of seven areas of focus in the HIPAA audits of covered entities and business associates currently underway, signaling its concern that physicians and other covered entities may be violating HIPAA in this respect. All covered entities should, therefore, calculate what HIPAA permits them to charge when copies of medical records are requested by an individual (or someone acting at the direction of or as a personal representative of an individual), compare that amount to the applicable state law charge limits, and make sure that only the lesser of the two amounts is charged.


This post, written by my colleague Elizabeth Hampton, originally appeared on Garden State Gavel, a new blog focusing on New Jersey litigation topics.

Fraud is on the rise in every industry and the lengths that some people will go to make money by “gaming” the system is both fascinating and alarming. Look for some of these stories in this regular feature designed to inform you of the latest fraud trends and provide practice tips to safeguard your business from unwelcome intruders.

Steps to Fraud-Proof Your Professional Practice

Fraud is an increasingly lucrative “business” that weaves its web of deception through corporations, religious and educational institutions, and the provision of health care. The recent data breaches a la Target and Sony are just some of the more highly publicized examples of the breadth of this problem for businesses and their customers.

But did you know that the healthcare industry tops the charts of data breaches and fraud costs? In fact, The Economist (31 May, 2014) suggests that healthcare fraud in this country contributes $272 billion in incremental costs to the system.

Health records are like gold to fraudsters because they often contain financial information, insurance numbers and personal data that can be used to obtain drugs or other benefits. Converting this information in order to submit false healthcare claims has been a regular practice for some scammers.

As government and private insurers have stepped up their fraud detection models, medical providers likewise need to review their policies and step up their own monitoring to protect their practice from potential data breaches and fraud claims.

Have you considered whether your business is at risk for a data breach? Are you taking steps to “fraud-proof” your health care practice? Consider the following:

1. Perform a “Check-up.” Every practice needs one. Conduct a random review of your patient files to ensure that all information is appropriately filed and that the files are complete. Have your patients completed intake forms? Is there proper documentation of an accident or injury? How is the health information protected from improper disclosure?

2. Review Protocols. When was the last time you reviewed your policies? Have they been updated to comport with new HIPAA standards? Do you understand what the standards mean for you and your employees?

3. Billing. Make sure that your billing is done correctly and that those who have been entrusted to perform this function are on top of things. Have there been trends in collection? Have insurers rejected claims? Find out why.

4. Employees. Do not assume that your employees are aware of the dire consequences associated with the improper disclosure of health care information. Educate them and set a high bar for security of this information.

Stay tuned for more fraud stories and ways that you can prevent it from damaging your business.

New Jersey Governor Chris Christie signed a bill (S.562) into law on January 9, 2015 that will impose a standard more stringent than HIPAA on health insurance carriers authorized (i.e., licensed) to issue health benefits plans in New Jersey. Effective August 1, 2015, such carriers will be required to secure computerized records that include certain personal information by encryption (or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person). “Personal information” requiring encryption includes an individual’s first name or first initial and last name when linked with any one or more of the following data elements:

  • Social security number
  • Driver’s license number or State identification card number
  • Address
  • Individually identifiable health information as defined under HIPAA

Notably, the encryption requirement applies only to “end user computer systems” and “computerized records transmitted across public networks”, as those terms are defined in the law. “End user computer systems” are defined as computer systems “designed to allow end users to access computerized information, computer software, computer programs, or computer networks” and include “desktop computers, laptop computers, tablets or other mobile devices, or removable media.”

The law is more stringent than HIPAA not only because it requires encryption, but because it applies to personal data that is more rudimentary than the type of data that constitutes protected health information (PHI) under HIPAA. For example, under the new law, if a health insurance carrier compiles or maintains a computerized record that contains an individual’s first initial, last name, and address (and this information is not publicly available in a directory listing to which the individual has consented, which effectively excludes the information from the law’s definition of a “record”), the encryption requirement would apply even if the individual is not covered (insured) by the carrier. A health insurance carrier subject to this new law that is building a mailing list of prospective customers or otherwise collecting information about individuals who are not plan members or insureds will need to make sure its encryption capabilities encompass not only existing or future members’ PHI, but any and all “personal information” that is compiled or maintained.
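The classification rule described above (name or first initial plus last name, linked with one of the four listed data elements, on an end user computer system or a public-network transmission, unless the record is a consented public directory listing) is the kind of check a carrier's data-governance tooling can run before records are exported to a laptop or removable media. The following is an added example written for this post, not code from the statute or from any carrier; the field names, the `destination` labels and the sample records are all constructed for illustration.

```python
"""Data-classification check modelled on the S.562 definition of "personal
information" quoted above. Added example; field names and samples are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Data elements that, when linked with a name, make the record "personal information".
LINKED_ELEMENTS = ("ssn", "drivers_license", "state_id", "address", "health_info")

# Destinations the law reaches (end user computer systems; public-network transmission).
COVERED_DESTINATIONS = ("end_user_system", "public_network")


@dataclass
class CarrierRecord:
    """One computerized record held by a carrier (constructed schema)."""
    first_name: Optional[str] = None          # full first name or first initial
    last_name: Optional[str] = None
    fields: Dict[str, str] = field(default_factory=dict)
    public_directory_consented: bool = False  # consented directory listing is not a "record"


def linked_elements(rec: CarrierRecord) -> List[str]:
    """Return which of the listed data elements are present and non-empty."""
    return [k for k in LINKED_ELEMENTS if rec.fields.get(k)]


def is_personal_information(rec: CarrierRecord) -> bool:
    """Name (first name or initial + last name) linked with at least one element."""
    if rec.public_directory_consented:
        return False
    has_name = bool(rec.first_name and rec.last_name)
    return has_name and bool(linked_elements(rec))


def requires_encryption(rec: CarrierRecord, destination: str) -> bool:
    """True when the record is personal information and is going somewhere the law covers.
    Note: membership status is irrelevant; a prospect on a mailing list is in scope."""
    return destination in COVERED_DESTINATIONS and is_personal_information(rec)


def audit_export(records: List[CarrierRecord], destination: str, encrypted: bool) -> List[str]:
    """Return one finding per record that would leave unencrypted but must be encrypted."""
    findings = []
    for idx, rec in enumerate(records):
        if requires_encryption(rec, destination) and not encrypted:
            findings.append(
                f"record {idx}: unencrypted export to {destination} of "
                f"{rec.first_name} {rec.last_name} with {', '.join(linked_elements(rec))}"
            )
    return findings


# Constructed sample data: a prospect (not insured), a member, and a directory listing.
SAMPLE_RECORDS = [
    CarrierRecord("J", "Doe", {"address": "1 Main St, Trenton NJ"}),          # prospect
    CarrierRecord("Jane", "Roe", {"health_info": "diagnosis code on file"}),  # member PHI
    CarrierRecord("Rick", "Moe", {"address": "2 Elm St"}, public_directory_consented=True),
    CarrierRecord(None, "Poe", {"ssn": "000-00-0000"}),                       # no first name/initial
]

if __name__ == "__main__":
    for line in audit_export(SAMPLE_RECORDS, "end_user_system", encrypted=False):
        print(line)
```

Running the module lists the first two records as findings: the prospect with only an initial, last name and address is in scope just as the member's PHI is, while the consented directory listing and the record lacking a first name or initial are not. Changing the destination to an internal server, or exporting with encryption enabled, clears the findings.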

In accordance with the 90-day deadline established for an operating plan to be submitted to Congress on expenditures related to the $2 billion appropriated under the American Recovery and Reinvestment Act ("ARRA") relating to health information technology ("HIT"), the Office of the National Coordinator ("ONC") has submitted its proposed ARRA Implementation Plan to Congress. The Plan’s proposed Funding Table is as follows:

Funding Table (Dollars in Millions)

  Category                                                Total Appropriated
  Privacy and Security*                                   $ 24.285
  National Institute of Standards and Technology (NIST)
  Regional HIT Exchange
  Total towards HIT                                       $ 2,000.000

* Includes $9.5 million for audits by OCR and CMS.

Of particular interest to many should be the Privacy and Security Spend Plan section. It specifies that over $24 million of the federal dollars made available through ARRA would be spent on activities such as enhancing enforcement. More specifically, the Plan indicates that the ARRA funding "will enable the Centers for Medicare and Medicaid Services (CMS) and the Office for Civil Rights (OCR) to carry out mandated audits, make modifications in their case and document management systems, and train State Attorneys General on their new enforcement role." The Plan even aims to have State Attorneys General trained and ready to enforce HIPAA and HITECH by the end of the Third Quarter of 2009, or around September 2009! If completed according to schedule, then the federal government could have a bastion of new HIPAA/HITECH enforcement soldiers on the ground and ready when the interim final regulations for implementing breach notification for covered entities and business associates are released on August 18, 2009.

For a copy of the entire Plan, visit HHS’ Recovery Website.

On December 15, 2008, the Division of Consumer Affairs ("DCA") published its Notice of Pre-Proposed Rule for "Identity Theft, Written Security Programs and Violations." Comments to the Pre-Proposed Rule are due February 13, 2009.

The pre-proposed Subchapter 3 seeks to require every business and every public entity to implement a comprehensive written information security "program" that includes administrative, technical and physical safeguards for the protection of individuals’ social security numbers, driver’s license numbers, state identification card numbers, or an account or credit or debit card number in combination with a required code or means of access to that account (defined as "Personal Information"). Also "pre-proposed" are specific procedures for handling security breach incidents, including when and what agencies and individuals must be notified, and what information must be included in that notification.

The original draft of Subchapter 3 was pulled when the regulations proposed pursuant to the Identity Theft Prevention Act were adopted last year on April 7, 2008, due to numerous comments submitted in opposition to that original draft. You can keep an eye out for the next draft to follow this "pre-proposed" version of Subchapter 3 on the NJ Division of Consumer Affairs website.

The National Health Information Network (NHIN) may get information moving as early as the first quarter of 2009. In its December 16th Press Release, the Social Security Administration (SSA) indicates that it will begin receiving medical records for some disability applicants via the "MedVirginia" health information exchange (HIE) based in Richmond.

SSA and MedVirginia were also among several federal agencies and HIEs that participated in demonstrations of the national network during the 3rd annual NHIN Forum in Washington D.C., which took place this December 15-16. Other federal agencies that are participating in the NHIN Trial Implementation include the Centers for Disease Control (CDC), Veterans Administration (VA), Department of Defense (DOD) and Indian Health Service. There are also several other state HIEs that are actively participating in the NHIN Trial Implementation, including HIE networks from Indiana, North Carolina, Ohio, Delaware and West Virginia.

As I’ve posted before, New Jersey is actively working on developing its own state-wide HIE. The New Jersey Health Information Technology (NJ HIT) Commission is charged with approving the plan for the creation of an infrastructure to move health information, in a confidential and secure manner, among participants in a state-wide RHIO. On December 4, 2008, I participated in the first meeting of the NJ HIT Commission, which was both inspiring and daunting at the same time, with respect to the road that lies ahead. Yet, I look forward to working together with the other Commission members during a time of potentially revolutionary changes to health care delivery in this State, and nationally.

Assemblyman Herb Conaway introduced legislation (A 3368) today that would establish an electronic Health Information Technology ("e-HIT") Fund to be used to implement the objectives of the Statewide health information technology plan. The Bill proposes that beginning April 1, 2009, and on a quarterly basis thereafter, each health care payer will pay a "technology reinvestment fee" into the e-HIT fund in an amount equal to 0.199% of one percent of all health care benefits claims paid by the payer for its New Jersey covered persons. Payers that fail to pay the technology reinvestment fee would be subject to penalties.

Not all health benefit plans will be subject to the fee, however. The Bill excludes the following types of plans from having to pay the technology reinvestment fee:

  • Accident only
  • Credit
  • Disability
  • Long-term care
  • Workers’ compensation
  • Automobile medical payment insurance
  • PIP
  • Hospital confinement indemnity coverage
  • Medicaid
  • the New Jersey FamilyCare Program, and
  • any other State health care assistance program financed in whole or in part through a federal program, unless authorized by federal law and approved by the State.

Some have expressed concern that although private payers would bear the cost of the fee, significant savings that result from the implementation of a State-wide health information exchange would inure to excluded plans. 

Sustaining a RHIO once federal government HIT funding sources are no longer available is an issue that has led to the demise of dozens of RHIOs in previous years. Congressman Conaway’s Bill attempts to address this issue.

Health Data Management reported yesterday that Horizon Blue Cross Blue Shield of New Jersey will commit up to $500,000 to help select hospitals in its New Jersey network adopt electronic medication history technology. This would give physicians real-time medication histories when patients check into a hospital or emergency department. Under the program, Horizon will pay for 85% of the costs of the technology up to $40,000 for each hospital. Horizon expects up to eight hospitals to join its subsidy program by the end of the year.

I would assume that Horizon’s subsidy program for hospitals would need to comply with the requirements under the EHR safe harbor to assure that the arrangement is not found to potentially violate the federal Anti-Kickback Statute. Under the safe harbor, a health plan is a protected donor, and a hospital a protected recipient, but several additional requirements must be met in addition to the hospital paying for 15% of the cost of the technology. It does not appear that the subsidy program would need to meet the equivalent Stark Exception where the recipients of the technology will be limited to hospitals, and so the Stark prohibition on physicians’ self-referrals should not be triggered.

For more information on Horizon’s subsidy program, see drfirst.com and horizonblue.com.

In a June 10 HHS News Release, Secretary Mike Leavitt named the 12 communities that will participate in a 5-year national Medicare demonstration project that provides incentive payments to physicians for using certified electronic health records (EHR) to improve the quality of patient care (the "EHR Demo Project"). The communities selected to work with the CMS on the EHR Demo Project are:

  • Alabama
  • Delaware
  • Jacksonville, FL (multi-county)
  • Georgia
  • Maine
  • Louisiana
  • Maryland/Washington, DC
  • Oklahoma
  • Pittsburgh, PA (multi-county)
  • South Dakota (multi-state)
  • Virginia
  • Madison, WI (multi-county)

Over the five-year span of the project, total financial incentives and bonus payments provided to participating physician practices may be up to $58,000 per physician or $290,000 per practice. Secretary Leavitt states:

"The use of electronic health records, and of health information technology as a whole, has the ability to transform the way health care is delivered in our nation [and] we believe that EHRs can help physicians deliver better, more efficient care for their patients, in part by reducing medical errors. This project is designed to demonstrate these benefits and help increase the use of this technology in practices where adoption has been the slowest at the individual physician and small practice level."

Although in some respects it is disappointing that New Jersey was not among the communities selected to be a part of the EHR Demo Project, perhaps it is an indication that physicians in this state are ahead of the curve with EHR adoption. If this is indeed the case, New Jersey may already be well on its way to improving patient care and reducing health care delivery costs through the use of technology, making it a "winner" too.


May 23 is the compliance date for the National Provider Identifier (NPI) to be used exclusively for electronic health care claims under HIPAA. Providers who do not use their assigned NPI after this date may find health insurers starting to reject and return electronic claims. Although millions of NPI numbers have been issued, it is unclear how many providers are in compliance. As a result, the next several weeks-to-months are likely to be bumpy as providers begin to find that claims they believe are compliant are rejected. Some commentators have predicted that if the industry experiences severe problems starting over the Memorial Day Weekend, CMS might relax the deadline. Health Data Management noted, however, that providers that get too many claim rejections may resubmit the claims on paper. That will enable providers to get paid, but slow the process considerably and adversely affect cash flow.