By Suze Shaffer
February 15, 2020
Many covered entities struggle to understand what is “right of access” for individuals. Under HIPAA and the Omnibus Rule, a patient has the “right” to request a copy of their medical record in the format of their choice (if available). What this means is, a medical provider is not required to purchase special equipment or software to meet these requests. With that said, if a patient requests a CD or DVD of their medical records and you do not have a DVD drive, you would not necessarily be required to purchase one. Keep in mind, DVD drives are only about $25 and it would not be unreasonable for a practice to purchase one. Of course, the ideal situation would be to direct the patient to your EHR portal and download it themselves. However, you can’t require them to do so.
When a patient requests the right to access their PHI (protected health information), be sure to have the patient sign a written request and make note of the date. A provider has 30 days to supply the patient with this information. To extend the time, the covered entity must, within the initial 30 days, inform the individual in writing of the reasons for the delay and the date by which the covered entity will provide access. Keep in mind, only one extension is permitted per access request.
The next area of confusion is the fee limitation. Copying fees for medical records are set by individual states and typically refer to the cost of labor, printing, and delivery of paper or electronic data. The labor fee does not permit the provider to charge for the preparation of the data but labor costs could include skilled technical staff time spent to create and copy the electronic file, such as compiling, extracting, scanning and burning [PHI] to media.
The Flat Fee rate option is not cap, merely an option rather than calculating the actual cost of labor and printing. Many providers are utilizing this method since it is easier than calculating the actual costs.
On January 23, 2020, a federal court vacated the “third-party directive” within the individual right of access “insofar as it expands the HITECH Act’s third-party directive beyond requests for a copy of an electronic health record with respect to PHI (protected health information) in an electronic format.” Additionally, the fee limitation set forth at 45 C.F.R. § 164.524(c)(4) will apply only to a patient’s request for access to their own records, and does not apply to a patient’s request to transmit records to a third party.
https://www.hhs.gov/hipaa/court-order-right-of-access/index.html
If you would like to read the Memorandum Opinion from the United States District Court in the case Ciox Health LLC vs Alex Azar:
https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2018cv0040-51
We hope this will help clear up any misconceptions when it comes to a patient’s right to access their medical information.
If you would like more information, contact us at 877.659.2467 or complete the contact us form.
“Simplifying HIPAA through Partnership, Education, and Support”
