A patient requests a copy of her medical record, and the hospital charges the per-page amount permitted under state law. Does this violate HIPAA? It may.
In the spring of 2016, the Office of Civil Rights (OCR) within the U.S. Department of Health and Human Services, the agency that enforces HIPAA, issued a new guidance document on individuals’ right to access their health information under HIPAA (“Access Guidance”). The Access Guidance reminds covered entities that state laws that provide individuals with a greater right of access (for example, where the state law requires that access be given within a shorter time frame than that required by HIPAA, or allows individuals a free copy of medical records) preempt HIPAA, but state laws that are contrary to HIPAA’s access rights (such as where the state law prohibits disclosure to an individual of certain health information, like test reports) are preempted by HIPAA.
For New Jersey physicians, for example, this means they may not automatically charge $1.00 per page or $100.00 for the a copy of the entire medical record, whatever is less, despite the fact that the New Jersey Board of Medical Examiners (“BME”) expressly permits these charges. In fact, according to the Access Guidance, physicians should not charge “per page” fees at all unless they maintain medical records in paper form only. New Jersey physicians also may not charge the “administrative fee” of the lesser of $10.00 or 10% of the cost of reproducing x-rays and other documents that cannot be reproduced by ordinary copying machines. Instead, a New Jersey physician may charge only the lesser of the charges permitted by the BME or those permitted under HIPAA, as described below.
HIPAA limits the amount that covered entities may charge a patient (or third party) requesting access to medical records to only a “reasonable, cost-based fee to provide the individual (or the individual’s personal representative) with a copy” of the record. Only the following may be charged:
(1) the reasonable cost of labor for creating and delivering the electronic or paper copy in the form and format requested or agreed upon by the individual, but not costs associated with reviewing the request, searching for or retrieving the records, and segregating or “otherwise preparing” the record for copying;
(2) the cost of supplies for creating the paper copy (e.g., paper, toner) or electronic media (e.g., CD or USB drive) if the individual requests the records in portable electronic media; and
(3) actual postage costs, when the individual requests mailing.
The fee may also include the reasonable cost of labor to prepare an explanation or summary of the record, but only if the individual, in advance, chooses to receive and explanation or summary AND agrees to the fee to be charged for the explanation or the summary.
A provider may calculate its actual labor costs each time an individual requests access, or may develop a schedule of costs for labor based on the average (and HIPAA-permitted types of) labor costs incurred in fulfilling standard types of access requests. However, a provider is NOT permitted to charge an average labor cost as a per-page fee unless the medical record is: (1) maintained in paper form; and (2) the individual requests a paper copy or asks that the paper record be scanned into an electronic format. Thus, under HIPAA, a per-page fee is not permitted for medical records that are maintained electronically. As stated in the Access Guidance, “OCR does not consider per page fees for copies of … [protected health information] maintained electronically to be reasonable” for purposes of complying with the HIPAA rules.
A provider may also decide to charge a flat fee of up to $6.50 (inclusive of labor, supplies, and any applicable postage) for requests for electronic copies of medical records maintained electronically. OCR explains that the $6.50 is not a maximum, simply an alternative that may be used if the provider does not want to go through the process of calculating actual or average allowable costs for requests for electronic copies.
OCR has identified compliance with “individual access rights” as one of seven areas of focus in the HIPAA audits of covered entities and business associates currently underway, signaling its concern that physicians and other covered entities may be violating HIPAA in this respect. All covered entities should, therefore, calculate what HIPAA permits them to charge when copies of medical records are requested by an individual (or someone acting at the direction of or as a personal representative of an individual), compare that amount to the applicable state law charge limits, and make sure that only the lesser of the two amounts is charged.