Charging Patients for Copies of Their Records: OCR Guidance


Publication 5/23/2016
Kim Stanger, Partner
208.383.3913
Boise
kcstanger@hollandhart.com

HIPAA generally gives patients or their personal representative the right to access or obtain copies of the patient's protected health information ("PHI") in their designated record set [1], and limits the amount that providers may charge patients for PHI to a reasonable cost-based fee. (45 CFR 164.524). In February 2016, the OCR issued guidance ("Guidance") which clarifies allowable fees and identifies additional actions providers should take when charging fees. The OCR's Guidance may be accessed here.

Allowable Charges. The OCR confirmed that a provider may only charge the patient or personal representative for the following:

1. Labor for copying the requested PHI, whether in paper or electronic form. This includes only the labor for actually creating and delivering the paper or electronic copy in the form and format requested or agreed upon by the patient once the responsive information has been identified, retrieved, collected, compiled and/or collated. For example, allowable costs may include photocopying paper PHI; scanning paper PHI into an electronic format; converting electronic PHI in one format to the format requested by or agreed to by the patient; creating and executing a mailing or e-mail with the responsive PHI; and/or uploading, downloading, attaching, burning, or otherwise transferring electronic PHI from a provider's system to portable media, e-mail, app, personal health record, web-based portal (where the PHI is not already maintained in or accessible through the portal), or other manner of delivery of the PHI. (See also 78 FR 5636).

Labor for copying does not include costs associated with reviewing the patient's request; searching for, reviewing, retrieving, segregating, collecting, compiling, or otherwise preparing the responsive information for copying; verifying that only information about the requested patient is included; complying with HIPAA; updating or maintaining record systems; etc. (See also 78 FR 5636). Likewise, it does not include administrative or other costs associated with outsourcing record functions to business associates or others beyond the business associate's labor costs described above.

2. Supplies for creating the paper copy or electronic media. For paper copies, this would include items such as paper and toner. If the patient requests that an electronic copy be provided on portable media, it includes the cost of the electronic media, e.g., a CD or USB drive. A provider may not require a patient to purchase portable electronic media if, for example, the patient prefers to have the PHI e-mailed or a hard copy mailed to the patient. A provider is not required to obtain new technology to respond to a particular patient's request, so the cost of such equipment would not be an allowable cost of supplies. (78 FR 5636).

3. Postage. If a patient has requested that a copy, electronic media, summary or explanation of the PHI be mailed or delivered through a courier, the provider may charge postage. (78 FR 5636).

4. Preparing an explanation or summary of the PHI. If a patient agrees in advance to both (1) receive an explanation or summary of the PHI instead of copies of the actual records, and (2) the fees to be charged for the explanation or summary, the provider may charge for its costs in preparing the explanation or summary.

Although providers may charge the foregoing costs, the OCR Guidance concludes that providers "should" provide copies free of charge, i.e., providers are encouraged to provide PHI without charge, but are not subject to penalties if they elect to charge a reasonable cost-based fee as outlined above.

Calculating Costs. Per the OCR, providers may calculate the costs in three ways:

1. Actual Costs. A provider may calculate and document its actual costs in responding to a request so long as it limits its fees to the allowable costs discussed above, including reasonable labor rates that are appropriate for the task. For example, a provider may time how long it takes for an appropriately skilled employee or business associate to make and send the copy in the form and format and manner requested or agreed to by the patient, and multiply the time by the reasonable hourly rate of the person copying and sending the PHI. The reasonableness of the hourly rate will depend on the level of skill needed to create and transmit the copy in the manner requested or agreed to by the patient (e.g., administrative level labor to make and mail a paper copy versus more technical skill needed to convert and transmit the PHI in a particular electronic format). The provider may also add on the allowable cost of supplies and postage. Providers who track actual costs must still be prepared to inform patients in advance of the approximate fee for the copies. Of course, tracking actual time and costs can be burdensome in routine disclosures.

2. Average Costs. In lieu of calculating actual costs for each request, providers may develop a schedule of costs based on average, reasonable labor costs to fulfill standard types of access requests, plus the cost of applicable, allowable supplies. The standard rate may be calculated and charged as a per page fee only in cases where the PHI requested is maintained in paper form and the patient requests a paper copy of the PHI or asks that the paper PHI be scanned into an electronic format. Per page fees are not permitted for paper or electronic copies of PHI maintained electronically. The OCR warned that per page fees for copies of PHI maintained electronically likely do not reflect the actual costs associated with the response.

3. Flat Fee for Electronic Records. A provider may charge a flat fee for all standard requests for electronic copies of PHI maintained electronically, provided the fee does not exceed $6.50, inclusive of all labor, supplies, and any applicable postage.

Accessing Records. Patients have a right to inspect their records in addition to or in lieu of obtaining copies. (45 CFR 164.524). If a patient chooses to inspect his or her records instead of obtaining a copy, providers may not charge the patient a fee. In its Guidance, the OCR states that providers should have reasonable procedures to enable individuals to inspect their records, either through certified EHR technology or otherwise. Also, the provider may not prohibit or charge the patient who, e.g., uses his or her smartphone or other device to take pictures of or capture their PHI. The provider may adopt policies that protect against inadvertent disclosure of other patients' PHI or against use that otherwise disrupts operations. The provider is not required to allow the patient to connect his or her own device to the provider's system.

Emailing Records. The Guidance affirms that patients generally have a right to have PHI e-mailed to the patient upon request, thereby avoiding the cost of supplies; however, providers may still charge for the labor associated with creating and e-mailing the records. If the provider is to e-mail PHI to the patient over an unsecure network, the provider should advise the patient that the information may be subject to access by third parties. (See 78 FR 5634).

A provider may not charge a patient a fee to access PHI that is available through the provider's EHR technology which has been certified as being capable of making the PHI accessible, e.g., by using the view, download and transmit functionality of the certified technology. In such cases, the OCR presumes that there are no associated labor or supply costs.

Notice to the Patient. If a provider intends to charge an allowable fee, the provider must inform the patient in advance of the approximate fee that may be charged. Because the permissible fee will vary based on the form and format and manner of access requested or agreed to by the patient, the OCR requires that the provider inform the patient of the associated fees impacting the form or format of production at the time such details are being negotiated or arranged. Although not required by the HIPAA Privacy Rule, the OCR encourages providers to post on their web sites or otherwise make available to patients an approximate fee schedule for regular types of access requests. In addition, if requested by a patient, a provider should give the patient a breakdown of the charges for labor, supplies, and postage, if applicable, that make up the total fee charged. According to the OCR, this information would likely be requested in any action by the OCR in enforcing the patient's right of access, so entities will benefit from having this information readily available.

Disclosures to Third Parties. The amount a covered entity may charge for disclosures to third parties depends on who requests the copies.

1. Disclosures at the Request of the Patient. If a patient requests that a provider transmit a copy of PHI directly to a third party, the provider must generally do so. (45 CFR 164.524(c)(3)(ii)). The limits on charges discussed above apply to such requests: the provider may only charge the patient, or, presumably, the third party, an allowable cost-based fee for copying and transmitting the records. This rule applies regardless of whether the provider received the request directly from the patient or the patient's personal representative, or the third party forwarded the patient's request to the provider. Thus, it would appear that attorneys, insurers, or other third parties who request records may cap the charges that a provider would normally impose by having the patient instruct the provider to transfer the records directly to the third party. The patient's request to transmit PHI to a third party must be in writing, signed by the patient, and clearly identify the designated recipient and address to which the PHI should be sent. (45 CFR 164.524(c)(3)(ii)). In such cases, a formal HIPAA authorization containing the elements in 45 CFR 164.508 is not required.

2. Disclosures at the Request of a Third Party. In contrast, where a third party initiates the request for PHI for his or her own purposes, either through a HIPAA authorization, subpoena, or another HIPAA exception, the cap on charges to the patient does not apply. At times, it may be difficult for a provider to determine whether the request is initiated by the patient or the third party, especially when the third party uses a HIPAA authorization form to convey the patient's request. In such cases, the provider may need to clarify with the patient whether the production is at the patient's request.

Also, recall that HIPAA generally prohibits selling PHI, which may include charging a third party too much for copies of the records. (See 45 CFR 164.502(a)(5)(ii)). Unless a provider fits within certain exceptions, the provider may either: (i) charge a third party only a reasonable cost-based fee to cover the cost to prepare and transmit the PHI, or (ii) obtain a HIPAA authorization containing the required disclosures regarding the sale of PHI. (See id.; see also id. at 164.508(a)(4)). The Omnibus Rule commentary confirms that a "reasonable cost-based fee" in this context is broader than in requests by individuals, and includes:

both direct and indirect costs, including labor, materials, and supplies for generating, storing, retrieving, and transmitting the protected health information; labor and supplies to ensure the protected health information is disclosed in a permissible manner; as well as related capital and overhead costs. However, fees charged to incur a profit from the disclosure of protected health information are not allowed. (78 FR 5607).

It would also include "costs that are in compliance with a fee schedule provided by State law or otherwise expressly permitted by other applicable law." (Id.). Aside from HIPAA, there may be other state or federal laws or rules that limit charges for such third-party requests. For example, court rules may allow a witness to recover "reasonable fees" for producing records.

Effect of Other Laws. HIPAA preempts state laws that would otherwise allow a provider to charge fees in excess of those allowed by HIPAA, or charge for items not allowed by HIPAA, e.g., the cost of search, retrieval or review. On the other hand, to the extent a state or federal law places more restrictive limits on charges, then providers must comply with the more restrictive state law. (45 CFR 160.202 and 160.203; see also 78 FR 5636). For example, Idaho's workers' compensation regulations require providers to provide the first copy of medical reports to the payor and claimants at no charge. (IDAPA 17.02.04.322).

Conclusion. The OIG Guidance contains significant changes or clarifications to the HIPAA Privacy Rules governing patient access to PHI and charges for such records. If you have not done so, you should review your policies and practices to ensure compliance with the new OIG Guidance.

[1] "Designated" record set means:

1. A group of records maintained by or for a covered entity that is:
   i. The medical records and billing records about patients maintained by or for a covered health care provider;
   ii. The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
   iii. Used, in whole or in part, by or for the covered entity to make decisions about patients.
2. For purposes of this paragraph, the term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.

(45 CFR 164.501)

For questions regarding this update, please contact: Kim C. Stanger, Holland & Hart, 800 W Main Street, Suite 1750, Boise, ID 83702; email: kcstanger@hollandhart.com; phone: 208-383-3913.

This news update is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This news update is not intended to create an attorney-client relationship between you and Holland & Hart LLP. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.