FAQs About HIPAA and the Right of Access, Part one

As we recently wrote, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) has a Privacy Rule and a Security Rule – among many other rules. These rules govern the issues of privacy of medical health records and the transfer of electronic health information.

To help ensure that patient’s rights are protected, HIPAA requires that patients have the right to inspect their protected health information (PHI) and obtain a copy of their PHI. There are also precise rules on how the PHI must be kept.

The HHS Office for Civil Rights (OCR) issued guidance on this Right of Access -in 45 CFR § 164.524.

Some of the issues we previously discussed included:

• Which entities are considered covered entities?
• What are designated record sets?
• What information should be included in the right of access?
• What information is not part of the right of access?
• What is the role of a personal representative?
• How does a patient make the requests for access?
• Verification
• Unreasonable measures
• How should access be provided?
• What are the right of access time requirements?
• What are the permissible fees for the PHI?

FAQS about the HIPAA’s Access Right

The US Department of Health and Human Services has a long list of questions and answers about the right of access. Many of these FAQs provide more in-depth answers to the questions we previously reviewed. It’s important to understand these in-depth issues because ALL the patients in a healthcare practice can exercise the right of access.

Fees That Can Be Charged to Individuals for Copies of their PHI

What labor costs may a covered entity include in the fee that may be charged to individuals to provide the individuals with a copy of their PHI?

First, the fees for just one patient may not be that much. However, if the fee is multiplied by hundreds or thousands of patients each year, the fees can cost a medical practice a fortune. So, it’s important to have the proper protocols in place.

Covered entities can charge reasonable labor costs only in the following cases:

• For copying the PHI which the patient requests – whether the form is paper or electronic
• For preparing a summary or explanation of the PHI – if the patient, in advance, opts to receive a summary or explanation – AND – agrees to the fee being charged.

Labor costs only include the labor for delivering the paper/electronic copy in the form/format the patient requests – once the PHI has been retrieved. Examples of permissible labor include:

• “Photocopying a paper PHI.”
• “Scanning a paper PHI into an electronic format.”
• “Converting electronic information in one format to the format requested by or agreed to by the individual.”
• “Creating and executing a mailing or e-mail with the responsive PHI.”
• Transferring the PHI to a web-based portal, or other listed media.

The US HHS expects that labor costs will diminish as technology advances.

Labor generally doesn’t include:

• Reviewing the access request
• Searching for the designated records and PHI

Must a covered entity inform individuals in advance of any fees that may be charged when the individuals request a copy of their PHI?

Yes. If a covered entity intends to charge a fee (the fee permitted under the HIPAA rules), the covered entity must tell the individual (typically, the patient) the amount of the fee – in advance. The fee will vary depending on the type of format requested – electronic record, paper, etc. A failure to disclose the fee in advance is considered an “unreasonable measure,” which may prevent the individual’s right of access.

Covered entities should post on their website the fee schedule or make the fee schedule available in other ways. If an individual requests an expense breakdown, covered entities should also provide a breakdown of the charges into – supplies, labor, and postage.

What happens if a state law requires that a health provider give individuals a free copy of their medical information? How does this mesh with the HIPAA rules which permit the health providers to charge a fee?

The health care provider must comply with the state law. “HIPAA does not override those State laws that provide individuals with greater rights of access to their health information than the HIPAA Privacy Rule does. See 45 CFR 160.202 and 160.203.”

Can an individual be charged a fee if the individual requests only to inspect her PHI at the covered entity (i.e., does not request that the covered entity produce a copy of the PHI)?

No. The right of a covered entity to charge a fee only applies when the individual making the request is going to receive a copy of his/her PHI. The fee requirement does not apply where the individual is only just viewing and inspecting the PHI. The HIPAA Privacy Rule requires that the individual has the right to review their PHI – in a designated record set. If the patient/individual just wants to review and inspect their PHI – the health covered entity must arrange a convenient time and place.

“For example, covered entities could use the capabilities of Certified EHR Technology (CEHRT) to enable individuals to inspect their PHI, if the individuals agree to the use of this functionality.”

The covered entity also cannot charge a fee if the individual, while inspecting the record:

• Takes notes
• Takes pictures with a smartphone or other device
• Uses other methods to capture the PHID information

However, the covered entity may establish reasonable policies and safeguards regarding the capture of information – so that the capture doesn’t disrupt the covered entity’s business.

The Right to Have PHI Sent Directly to a Designated Third Party

Can an individual, through the HIPAA right of access, have his or her health care provider or health plan send the individual’s PHI to a third party?

Yes. The request must be in writing and signed by the individual/patient. The writing should “clearly identify the designated person or entity and where to send the PHI. See 45 CFR 164.524(c)(3)(ii).”

The covered can accept an electronic written request (such as a pdf of scanned image), a request through a web portal that includes an electronic signature, a fax, or a mailed copy of a signed request.

Once it’s clear that the request is valid, the same PHI requirements apply.

The same requirements for providing the PHI to the third party apply – such as fee requirements, time limits, the prohibition against imposing unreasonable measures, and form/format requirements.

The US HSS provides a few examples:

 “A patient requests in writing that the hospital where she recently underwent a surgical procedure use its Certified EHR Technology (CEHRT) to send her discharge summary to her primary care physician, or to her own personal health record, and she supplies the corresponding Direct address (an electronic address for securely exchanging health information using the Direct technical standard).”

“A patient sends a written request to his long-time physician asking the physician to download a copy of the PHI from his electronic medical record, and e-mail it in encrypted form to XYZ Research Institution, at [email protected], so XYZ Research Institution can use his health information for research purposes.”

A pregnant woman requests that her ob-gyn digitally send the records of her latest pre-natal visit – to a new self-care pregnancy app – on her smart phone. This request is permissible provides that ob-gyn has the capability to make the transmission and there is not an unacceptable security risk.

Are there any limits/exceptions to the right of an individual to request a PHI request to a third-party?

Generally, a patient’s right of access extends to a designated third party. Therefore, the covered entity (such as a health provider) must:

• Comply with the PHI request for a designated record set
• Comply within 30 days of the request
• Provide the PHI “in the form and format and manner of access requested by the individual if it is ‘readily producible’ in that manner”
• Understand that a reasonable, cost-based fee charge is permissible

The same ‘limited grounds for denial of access’ also apply. “Thus, for example, a covered entity may deny an individual’s request to send PHI to a designated third party when the request is for psychotherapy notes or PHI for which a licensed health care professional has determined, exercising professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person.”

“Disagreement with the individual about the worthiness of the third party as a recipient of PHI, or even concerns about what the third party might do with the PHI (except for the express reasons listed in the Privacy Rule, such as in cases where life or physical safety is threatened), are not acceptable reasons to deny an individual’s request.”.

Can an individual’s personal representative, through the HIPAA right of access, have the individual’s health care provider or health plan send the individual’s PHI to a third party?

Yes. A personal representative, normally a person with authority under state law to make health care decisions for the individual) has the right to:

• Receive a copy of the PHI regarding a designated record set
• Direct that that the covered entity send the PHI to another entity or person – on request “consistent with the scope of such representation and the requirements of 45 CFR 164.524.”

The personal representative can also request that the PHI be sent to a third party subject to the timeliness, form and format, fee, and other requirements.

What is the liability of a covered entity in responding to an individual’s access request to send the individual’s PHI to a third party?

A covered entity such as a health provider can rely on the written information an individual such as a patient provides about the identity of a designated person – “and where to send the PHI for purposes of verification of the designated third party as an authorized recipient.”

Still, the covered entity must use reasonable safeguards such as taking reasonable steps to verify the identity of the person making the access request. As an example:

“While a covered entity is not required to confirm that the individual provided the correct e-mail address of the third party, the covered entity is required to have reasonable procedures to ensure that it correctly enters the provided e-mail address into the covered entity’s system.”

Covered entities must:

• Safeguard the information that is sent
• Understand the entities are responsible for any breach notifications
• Understand the entities may be liable for PHI disclosures that are impermissible.

Some exceptions may apply if the individual who made the request under the security risks involved.

A covered entity is not responsible for what the designated third party does with the PHI once it’s received “as directed by the individual in the access request.”

The HHS FAQs confirm the broad scope of the HIPAA right of access rule. Generally, the healthcare provider must understand that the requests for PHI will often be sent to other healthcare entities and that personal representatives may submit the request on behalf of the patient. The information that should be provided essentially includes all the information needed to provide quality healthcare to the patient.

Doctors and medical practices should contact Cohen Healthcare Law Group, PC for legal advice on HIPAA right of privacy and right of access issues. Our experienced healthcare attorneys help healthcare providers establish HIPAA compliance protocols.