Healthcare providers are constantly receiving requests for copies of patient medical records. Some requests come by way of the patient exercising his/her right to access his/her medical records, some come by way of patient authorization, and some come by way of another method (e.g., request from another treating provider). The Office of Civil Rights ("OCR"), the federal entity overseeing HIPAA compliance, has recently made patient requests for records a priority in terms of enforcement and guidance. For example, OCR published extensive guidance on a patient's right to access records, the form and format for responding to such requests, and the fees that can be charged for a response to such request. Thus, now is a good time for a refresher on a patient's right to access records and a healthcare provider's obligations in responding.
Form of Request:
Under HIPAA, a patient has the right to access his/her medical information--with a few exceptions, (e.g., psychotherapy notes). A patient wanting to exercise his/her right to access their medical records can do so in two ways: (1) the patient can request that copies of the records be sent to the patient directly (or inspected by the patient); or (2) the patient can request in writing that his/her records be sent to a designated third-party (this designation must be signed by the patient and clearly identify the designated person and where to send the records).
Timeframe For Response:
When the patient exercises his/her right to copy medical records, the records must be provided to the patient within 30 days of the request. If the request is denied, the denial notice must be sent within the 30-day period. If the 30-day period cannot be achieved, the patient must be notified of the delay within the initial 30-day period and the provider will be allowed an additional 30 days in which to respond to the request. Only one 30-day extension is permitted.
Form of Response:
The patient must be provided with access in the form or format requested, if the information is readily producible in such form and format. If not, the patient must be provided the information in a readable hard copy form or other form agreed to by the parties.
If the request is for an electronic copy of the information, the patient must be provided the information in the electronic form and format requested if it is readily producible in such electronic form and format, and if not, in an electronic format agreed to by the parties. Paper copies may only be provided if the patient declines to accept any of the electronic formats readily producible.
Fees for Response:
When the patient exercises his/her right to copy medical records, the fees charged must be a reasonable, cost-based fee consistent with both state and federal law. Because the state law provisions and the HIPAA provisions differ, this is where we see many providers in Alabama fall short in terms of compliance. Many providers are complying with the state law provisions, which allow a flat search fee and a per page fee, but are failing to comply with the more stringent federal law provisions, which do not allow a search fee and only allow a per page fee under certain circumstances.
The fee that may be charged to patients under HIPAA for copies of medical records may only include the following:
- Labor costs for copying the records to only include the labor associated with creating and delivering the copy in the form and format requested once the information has been identified, retrieved, and compiled;
- Postage if records are requested to be mailed; and
- Supply costs, including costs for electronic media if the patient requests that an electronic copy be included on portable media.
Alternatively, a flat fee for an electronic copy of the records may be charged, as long as the flat fee does not exceed $6.50, including labor, supplies, and postage.
Under either scenario, the fee charged may not include costs associated with reviewing the request, verifying the information, documenting the request, searching for and retrieving the records, reviewing the records, compiling the response, maintaining systems, or recouping capital for data access/storage/or infrastructure. Importantly, HIPAA does not allow you to charge a flat search fee.
With regard to the labor costs that can be charged under HIPAA, there are two ways in which the costs can be calculated:
- Actual costs incurred to fulfill the request. An example of the actual costs would be the time it takes for an employee to copy the records multiplied by the employee's reasonable hourly rate.
- Average costs based on the average labor associated with a specific type of request. This can be calculated as a per page fee only if the information is maintained in paper form and the request is for a paper or scanned copy of the records. Under HIPAA, per page average costs are not allowed for paper or electronic copies of information maintained electronically, even though such is allowed under state law.
Thus, the next time you receive a request for medical records, review the request carefully to determine the type of request being made, and if it is a request by a patient to access records, make sure that any response complies with the guidelines stated above.
Kelli Fleming is a Partner with Burr & Forman LLP practicing within the firm's Birmingham office. Kelli practices exclusively within the firm's Health Care Industry Practice Group.